Source: openssh
Version: 1:10.2p1-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for openssh.

CVE-2026-3497[0]:
| Vulnerability in the OpenSSH GSSAPI delta included in various Linux
| distributions. This vulnerability affects the GSSAPI patches added
| by various Linux distributions and does not affect the OpenSSH
| upstream project itself. The usage of sshpkt_disconnect() on an
| error, which does not terminate the process, allows an attacker to
| send an unexpected GSSAPI message type during the GSSAPI key
| exchange to the server, which will call the underlying function and
| continue the execution of the program without setting the related
| connection variables. As the variables are not initialized to NULL
| the code later accesses those uninitialized variables, accessing
| random memory, which could lead to undefined behavior. The
| recommended workaround is to use ssh_packet_disconnect() instead,
| which does terminate the process. The impact of the vulnerability
| depends heavily on the compiler flag hardening configuration.

We ship debian/patches/gssapi.patch. A DSA for this issue looks
warranted, but we have not investigated what the severity is in our
case.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3497
    https://www.cve.org/CVERecord?id=CVE-2026-3497
[1] https://www.openwall.com/lists/oss-security/2026/03/12/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
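
The control-flow problem described in the CVE text above, as an added C example that is not part of the original report and is not code from gssapi.patch. Every identifier is hypothetical, the sample inputs are constructed, and the terminating disconnect is modelled by an early return.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical names throughout; this models the control flow only. */
enum { MSG_KEX_TOKEN = 1 };  /* the only message type expected at this step */
enum { KEX_OK = 0, KEX_ABORTED = -1, KEX_UNSET_STATE_USED = -2 };
struct conn { int disconnect_queued; };

/* Stand-in for a disconnect helper that queues a message and then returns. */
static void soft_disconnect(struct conn *c) { c->disconnect_queued = 1; }

/* The "later code" that consumes the per-connection token. */
static int use_token(const char *token, int token_set)
{
    if (!token_set)
        return KEX_UNSET_STATE_USED;  /* real code would read garbage here */
    return token[0] != '\0' ? KEX_OK : KEX_ABORTED;
}

/* Flawed flow: after the error branch, execution continues to use_token(). */
int kex_step_flawed(struct conn *c, int type, const char *payload)
{
    const char *token = NULL;  /* uninitialized in the flawed pattern; NULL
                                  plus a flag keeps this model well-defined */
    int token_set = 0;

    if (type == MSG_KEX_TOKEN) {
        token = payload;
        token_set = 1;
    } else {
        soft_disconnect(c);    /* does not stop execution */
    }
    return use_token(token, token_set);
}

/* Corrected flow: the error path stops before any state is consumed. */
int kex_step_fixed(struct conn *c, int type, const char *payload)
{
    if (type != MSG_KEX_TOKEN || payload == NULL) {
        soft_disconnect(c);
        return KEX_ABORTED;    /* models a disconnect that terminates */
    }
    return use_token(payload, 1);
}

int main(void)
{
    struct conn a = {0}, b = {0};
    printf("flawed: %d\n", kex_step_flawed(&a, 99, "constructed"));
    printf("fixed:  %d\n", kex_step_fixed(&b, 99, "constructed"));
    return 0;
}
```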
