Jeffrey Walton [2026-03-19 09:28:30] wrote:
> Based on my understanding and reading of OSS-Security [0], I believe
> the answer is No.
>
> GSSAPIAuthentication is from upstream OpenSSH. It is not vulnerable.
>
> GSSAPIKeyExchange is from patches supplied by Debian and Fedora.
> GSSAPIKeyExchange is off by default, so it is not vulnerable to CVE
> 2026-3497 by default. If GSSAPIKeyExchange is On, then Yes, CVE
> 2026-3497 applies.

Aha, thanks. Even better. I wonder why
https://security-tracker.debian.org/tracker/CVE-2026-3497
doesn't say something like that already.

===
Stefan
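A way to check a host against the reading given in the quoted message, as an added example that is not part of the thread: it classifies the effective configuration printed by `sshd -T` by the state of `GSSAPIKeyExchange`. The function names and the `--live` switch are hypothetical, and it assumes `sshd -T` lists the option as a `keyword value` line on builds that carry the distribution patch.

```shell
#!/bin/sh
# Added example. Reads effective sshd configuration (the output of `sshd -T`)
# on stdin and prints one of: not-present, disabled, enabled.
gss_kex_state() {
    awk '
        # Keyword match is case-insensitive; the last occurrence wins.
        tolower($1) == "gssapikeyexchange" { found = 1; val = tolower($2) }
        END {
            if (!found)            print "not-present"
            else if (val == "yes") print "enabled"
            else                   print "disabled"
        }'
}

# Maps the state to the conclusion stated in the quoted message.
gss_kex_verdict() {
    case "$1" in
        enabled)     echo "GSSAPIKeyExchange is on: CVE-2026-3497 applies" ;;
        disabled)    echo "GSSAPIKeyExchange is off: not exposed in this configuration" ;;
        not-present) echo "option unknown to this sshd build: no GSSAPI key exchange patch" ;;
        *)           echo "unrecognised state: $1"; return 2 ;;
    esac
}

# Live check (needs permission to read the host keys, usually root):
#   sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    state=$(sshd -T 2>/dev/null | gss_kex_state)
    gss_kex_verdict "$state"
    # Non-zero exit when the vulnerable setting is active, for use in fleet scans.
    [ "$state" != "enabled" ]
fi
```
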

