On Thu, Mar 19, 2026 at 09:11:49 -0400, Stefan Monnier wrote:
> It seems pretty clear that Debian's OpenSSH versions are vulnerable to
> CVE-2026-3497, but I can't see any info about the circumstances necessary
> for that vulnerability to manifest.

The vulnerability is confirmed on <https://security-tracker.debian.org/tracker/CVE-2026-3497>.

> More specifically, AFAICT the default config disables GSSAPI support.
> Does that mean that CVE-2026-3497 can bite only in those cases where
>
>     GSSAPIAuthentication yes
>
> is added to the `sshd_config`?

I don't know. But the Debian page links to <https://www.openwall.com/lists/oss-security/2026/03/12/3> which recommends a really simple fix at the source code level. Given how simple the fix is, I'm a bit surprised we haven't already got an update. Maybe they're still testing it?
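Whatever the exact trigger conditions of CVE-2026-3497 turn out to be, the practical question raised in the thread is whether GSSAPIAuthentication is actually enabled on a given host. The following is an added example, not code from the thread or from OpenSSH, that audits an `sshd_config` text using sshd's own resolution rules: keywords are case-insensitive, the first value seen for a keyword wins, and a `Match` block can switch the option on for a subset of connections even when the global value is `no`. The sample config is constructed; the `UPSTREAM_DEFAULT` of `no` is the documented sshd_config(5) default and is assumed to apply when the keyword is absent.

```python
"""Audit an sshd_config for GSSAPIAuthentication.

Added example, not from the mailing-list thread or from OpenSSH. It applies
sshd's resolution rules: keywords are case-insensitive, the FIRST value seen
for a keyword wins, and a `Match` block may enable the option for some
connections even when the global setting is `no`. `Include` directives are
not followed here, so run it on `sshd -T` output for the fully resolved
global config (constructed sample below).
"""
import re

# sshd_config(5) documents `no` as the default when the keyword is absent.
UPSTREAM_DEFAULT = "no"

# keyword, then either whitespace or '=' as separator, then the value
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*[=\s]\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> first value seen.
    match_blocks is a list of (criteria, settings) in file order, where each
    settings dict also keeps only the first value seen within that block.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first occurrence wins
    return global_settings, match_blocks


def gssapi_exposure(text):
    """Summarise where GSSAPIAuthentication ends up enabled.

    Returns a dict with the effective global value, the criteria of every
    Match block that turns it on, and an overall 'enabled' flag.
    """
    global_settings, match_blocks = parse_sshd_config(text)
    global_value = global_settings.get(
        "gssapiauthentication", UPSTREAM_DEFAULT).lower()
    enabled_in = [crit for crit, s in match_blocks
                  if s.get("gssapiauthentication", "").lower() == "yes"]
    return {
        "global": global_value,
        "match": enabled_in,
        "enabled": global_value == "yes" or bool(enabled_in),
    }


# Constructed sample config; not taken from any real host.
SAMPLE_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
GSSAPIAuthentication no
GSSAPIAuthentication yes      # ignored: the first value above wins
PasswordAuthentication no

Match Address 10.0.0.0/8
    GSSAPIAuthentication yes  # enabled for this subnet only
"""

if __name__ == "__main__":
    report = gssapi_exposure(SAMPLE_CONFIG)
    print("global GSSAPIAuthentication:", report["global"])
    for crit in report["match"]:
        print("enabled by Match block:", crit)
    print("exposed:", report["enabled"])
```

On a live host, feed it `sshd -T` (which prints the resolved global configuration, includes already applied) rather than the raw file; `sshd -T -C addr=...,user=...` evaluates the Match criteria for one hypothetical connection, which is the authoritative way to confirm what a given client would be offered.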

