diff --git a/changelog/security/2023-11-01-samba-update.md b/changelog/security/2023-11-01-samba-update.md
new file mode 100644
index 0000000000..68e197c8ca
--- /dev/null
+++ b/changelog/security/2023-11-01-samba-update.md
@@ -0,0 +1 @@
+- samba ([CVE-2023-4091](https://nvd.nist.gov/vuln/detail/CVE-2023-4091))
diff --git a/changelog/updates/2023-11-01-samba-update.md b/changelog/updates/2023-11-01-samba-update.md
new file mode 100644
index 0000000000..8c16f70786
--- /dev/null
+++ b/changelog/updates/2023-11-01-samba-update.md
@@ -0,0 +1 @@
+- samba ([4.18.8](https://www.samba.org/samba/history/samba-4.18.8.html))
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
index 5c0bcd7209..c102f302a3 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
@@ -1 +1 @@
-DIST samba-4.18.4.tar.gz 41311410 BLAKE2B 1f1aab7eb933111b9b1c72af8c3dd379fe34014085129e9d5cc400b4e434742e1c08ad4fdf2a98291d6063ce9b2ddc811e9ab5dbb133a85e97f2158f83dd7c96 SHA512 bc8d792b510061556c07b6844a825801a4271eed45e01133a4718c1839d123e2908fa0e31e67af43098500e98a9082eb104052e711a8a034fac23d86e15c29ee
+DIST samba-4.18.8.tar.gz 41335959 BLAKE2B d25711f1e781ed16fc224476979a07a5362f92ac943dd0bccfdf445434d0e6838281d5ceae27963267f914720ad6db647078520dc0e78c6ae652faec7d773e73 SHA512 2924c360f6299129527457547b13c1b282e2907a0ecde1036dbca894c752935d693914b4846a9eab436b33798c53c9974692e51fd071301b1174598be944a246
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
deleted file mode 100644
index 1d0d9777fe..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-https://bugs.gentoo.org/910306
-https://bugzilla.samba.org/show_bug.cgi?id=15418
-
- source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++----
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++----
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- struct netlogon_creds_CredentialState *creds;
- NTSTATUS status;
-
-+ if (r->in.query_level != 1) {
-+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
-+ return NT_STATUS_NOT_SUPPORTED;
-+ }
-+
- become_root();
- status = dcesrv_netr_creds_server_step_check(p->dce_call,
- p->mem_ctx,
-@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- return status;
- }
-
-- if (r->in.query_level != 1) {
-- return NT_STATUS_NOT_SUPPORTED;
-- }
--
- r->out.capabilities->server_capabilities = creds->negotiate_flags;
-
- return NT_STATUS_OK;
---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- struct netlogon_creds_CredentialState *creds;
- NTSTATUS status;
-
-+ if (r->in.query_level != 1) {
-+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
-+ }
-+
- status = dcesrv_netr_creds_server_step_check(dce_call,
- mem_ctx,
- r->in.computer_name,
-@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- }
- NT_STATUS_NOT_OK_RETURN(status);
-
-- if (r->in.query_level != 1) {
-- return NT_STATUS_NOT_SUPPORTED;
-- }
--
- r->out.capabilities->server_capabilities = creds->negotiate_flags;
-
- return NT_STATUS_OK;
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild
similarity index 98%
rename from sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild
index 59014f5b8c..53a4f254e2 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild
@@ -109,7 +109,7 @@ COMMON_DEPEND="
 sys-libs/tevent[python,${PYTHON_SINGLE_USEDEP}]
 )
 snapper? ( sys-apps/dbus )
- system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] )
+ system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl(-),${MULTILIB_USEDEP}] )
 system-mitkrb5? ( >=app-crypt/mit-krb5-1.19[${MULTILIB_USEDEP}] )
 systemd? ( sys-apps/systemd:= )
 unwind? (
@@ -149,7 +149,6 @@ BDEPEND="${PYTHON_DEPS}
 PATCHES=(
 "${FILESDIR}"/${PN}-4.18.4-pam.patch
- "${FILESDIR}"/${PN}-4.18.4-bug-15418-windows-update-secure-channel.patch
 "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch
 )
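Review bot: The second ebuild hunk (`@@ -149,7 +149,6 @@`) drops `${PN}-4.18.4-bug-15418-windows-update-secure-channel.patch` from `PATCHES`, and the patch file is deleted, but nothing visible in the change records that the 4.18.8 tarball already carries that fix. The deleted patch moved the `r->in.query_level != 1` check ahead of `dcesrv_netr_creds_server_step_check()` in both `source3/rpc_server/netlogon/srv_netlog_nt.c` and `source4/rpc_server/netlogon/dcerpc_netlogon.c`. If upstream did not include it, the bump would silently reintroduce the secure-channel failure the backport was added for. I would confirm that ordering in the unpacked 4.18.8 sources and state it in the commit description, e.g. `Drop bug-15418 patch: included upstream in this release`.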