Among the 26 Debian patches available in version 2:4.22.3+dfsg-2 of the package, we noticed the following issues:
commit 0862d1efe9e49445de961a02c4d90b37738f411f
Merge: b725f36ca 63b2dff1b
Author: Michael Tokarev <mjt@debian.org>
Date: Fri Jul 11 12:08:05 2025 +0300

    Merge branch 'dbagnall-debian-master-panic-action' into 'master'

    debian/panic-action: steer users towards configuration and logs

    See merge request samba-team/samba!65

commit b725f36ca00cf81c7562a869ac9688d876f81553
Merge: a88e34b15 affb716bf
Author: Michael Tokarev <mjt@debian.org>
Date: Fri Jul 11 12:00:18 2025 +0300

    Merge branch 'pam_winbind_fix_account' into 'master'

    winbind pam-config: fix account section

    See merge request samba-team/samba!66

commit affb716bfa4e2e03e4aec09acd05577c7e28816e
Author: Sascha Lucas <sascha_lucas@web.de>
Date: Fri May 9 10:41:52 2025 +0200

    winbind pam-config: fix account section

    This fixes a bug[1], where the PAM "account" part will never be executed because the pam_unix usually returns success due to the presence of the nss-winbind library.

    The bug reporter points to sssd, how the problem is solved there, by making the account section of type "Additional". This way pam_winbind is always executed and i.e. enforces users with expired passwords to change it before logging in.

    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907318

    Signed-off-by: Sascha Lucas <sascha_lucas@web.de>

commit 63b2dff1b5aea6c05578661317d44d04d150b8b6
Author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri Feb 7 12:11:36 2025 +1300

    debian/panic-action: don't say "you" when "I" is meant

    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

commit 9d93295044f66168358f2979448a8c712d9b01c6
Author: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri Feb 7 11:55:37 2025 +1300

    debian/panic-action: steer users towards configuration and logs

    In https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089853, a misconfiguration was mistaken for a segmentation fault, even after the reporter found the panic could be avoided by fixing the configuration.

    This is likely because the message mentions "segfault" and produces only a stacktrace as diagnostic evidence, which is enough to fool anyone. The smb_panic() call itself knows more, because it is given a message (in this case "open_sockets_smbd() failed", which may not help), and this is logged, as usually are a number of preceding related messages.

    We could with some effort allow the panic action to take a message in $2, but this will be a bit fiddly as we would need to move away from using system() to avoid shell escaping trouble.

    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

There is 1 open security issue in bookworm.
You can find information about how to handle this issue in the security team's documentation.