It seems pretty clear that Debian's OpenSSH versions are vulnerable to
CVE-2026-3497, but I can't see any info about the circumstances necessary
for that vulnerability to manifest.
More specifically, AFAICT the default config disables GSSAPI support.
Does that mean that CVE-2026-3497 can bite only in those cases where
GSSAPIAuthentication yes
is added to the `sshd_config`?
I tried to look at the patch Debian uses, and it seems to suggest that
this is the case, but I'm not sufficiently familiar with that code to be
100% sure.
=== Stefan