On Thu, Mar 19, 2026 at 9:12 AM Stefan Monnier <[email protected]> wrote:
>
> It seems pretty clear that Debian's OpenSSH versions are vulnerable to
> CVE-2026-3497, but I can't see any info about the circumstances necessary
> for that vulnerability to manifest.
>
> More specifically, AFAICT the default config disables GSSAPI support.
> Does that mean that CVE-2026-3497 can bite only in those cases where
>
> GSSAPIAuthentication yes
>
> is added to the `sshd_config`?
>
> I tried to look at the patch Debian uses, and it seems to suggest that
> this is the case, but I'm not sufficiently familiar with that code to be
> 100% sure.
Based on my understanding and reading of OSS-Security [0], I believe
the answer is No.
GSSAPIAuthentication is from upstream OpenSSH. It is not vulnerable.
GSSAPIKeyExchange is from patches supplied by Debian and Fedora.
GSSAPIKeyExchange is off by default, so it is not vulnerable to
CVE-2026-3497 by default. If GSSAPIKeyExchange is On, then Yes,
CVE-2026-3497 applies.
Indeed, Red Hat's description of CVE-2026-3497 says [1]:

    A flaw was found in the OpenSSH GSSAPI (Generic Security Service
    Application Program Interface) delta patches, as included in various
    Linux distributions.

Notice the "delta patches".
[0] https://www.openwall.com/lists/oss-security/2026/03/12/3
[1] https://access.redhat.com/security/cve/cve-2026-3497
Jeff
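The practical check behind this exchange is whether the distro-patch option GSSAPIKeyExchange is actually turned on in a given sshd_config. The script below is an added example written for this thread, not code from Jeff, Debian or OpenSSH; it assumes plain sshd_config syntax (whitespace-separated keyword and value, case-insensitive keywords, '#' comments, first occurrence of a keyword wins) and does not follow Include or Match directives, and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report the effective GSSAPIKeyExchange setting in an
# sshd_config-style file. The option only exists in the Debian/Fedora GSSAPI
# delta patches; upstream OpenSSH has no such keyword and its default is "no".
# Assumptions: whitespace-separated "Keyword value" lines, case-insensitive
# keywords, '#' comments, no Include/Match handling.

# gsskex_enabled FILE -> prints "yes" or "no"
# sshd keeps the first value it reads for an option, so "head -n 1" mirrors
# that rule; a missing option (or unreadable file) falls back to "no".
gsskex_enabled() {
    val=$(grep -iE '^[[:space:]]*GSSAPIKeyExchange[[:space:]]+' "$1" 2>/dev/null \
          | head -n 1 | awk '{ print tolower($2) }')
    case "${val:-no}" in
        yes) echo yes ;;
        *)   echo no ;;
    esac
}

# Constructed sample 1: GSSAPI authentication is on, but the key-exchange
# option is only present as a comment, so it stays at its default of "no".
SAMPLE_DEFAULT=$(mktemp)
cat >"$SAMPLE_DEFAULT" <<'EOF'
# GSSAPI options (constructed sample)
GSSAPIAuthentication yes
#GSSAPIKeyExchange no
EOF

# Constructed sample 2: an administrator enabled the delta-patch option in
# lowercase; the later duplicate line does not override it (first wins).
SAMPLE_ENABLED=$(mktemp)
cat >"$SAMPLE_ENABLED" <<'EOF'
GSSAPIAuthentication yes
gssapikeyexchange yes
GSSAPIKeyExchange no
EOF

for f in "$SAMPLE_DEFAULT" "$SAMPLE_ENABLED"; do
    printf '%s: GSSAPIKeyExchange=%s\n' "$f" "$(gsskex_enabled "$f")"
done
```

On a live host, `sshd -T` prints the effective configuration with Include and Match already resolved, which is the more reliable input than reading the file directly.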