On Thu Mar 19, 2026 at 1:28 PM GMT, Jeffrey Walton wrote:
GSSAPIAuthentication is from upstream OpenSSH. It is not vulnerable. GSSAPIKeyExchange is from patches supplied by Debian and Fedora. GSSAPIKeyExchange is off by default, so it is not vulnerable to CVE 2026-3497 by default. If GSSAPIKeyExchange is On, then Yes, CVE 2026-3497 applies.
The patch header has some nice history about the feature: <https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/gssapi.patch?ref_type=heads>

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀
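A check for the three cases described in the thread above (option not offered by the build, offered but off, switched on), as an added example that is not part of either message or of OpenSSH. It assumes a build carrying the Debian/Fedora GSSAPI patch reports the option as `gssapikeyexchange` in `sshd -T` output; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify GSSAPIKeyExchange from sshd's effective config.
# Input: text in the format printed by `sshd -T` (one "keyword value" per line).
# Assumption: a build carrying the Debian/Fedora GSSAPI patch lists the option
# as "gssapikeyexchange"; an upstream build does not list it at all.
gss_kex_status() {
    awk '
        # Keywords are case-insensitive; take the first occurrence only.
        !seen && tolower($1) == "gssapikeyexchange" { seen = 1; val = tolower($2) }
        END {
            if (!seen)             print "absent"    # option not offered by this build
            else if (val == "yes") print "enabled"   # per the thread: the CVE applies
            else                   print "disabled"  # the default: off
        }'
}

# Constructed sample outputs (not captured from a real host).
sample_default='port 22
gssapiauthentication yes
gssapikeyexchange no'
sample_enabled='port 22
gssapiauthentication yes
gssapikeyexchange yes'
sample_upstream='port 22
gssapiauthentication yes'

for name in default enabled upstream; do
    eval "cfg=\$sample_$name"
    printf '%-9s %s\n' "$name" "$(printf '%s\n' "$cfg" | gss_kex_status)"
done

# On a live host (needs root): sshd -T | gss_kex_status
```

Only the `enabled` result corresponds to the configuration the thread says is affected; `gssapiauthentication yes` on its own does not change the outcome.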

