On Thu, Mar 19, 2026 at 12:05 PM Jonathan Dowland <[email protected]> wrote:
>
> On Thu Mar 19, 2026 at 1:28 PM GMT, Jeffrey Walton wrote:
> > GSSAPIAuthentication is from upstream OpenSSH. It is not vulnerable.
> >
> > GSSAPIKeyExchange is from patches supplied by Debian and Fedora.
> > GSSAPIKeyExchange is off by default, so it is not vulnerable to CVE
> > 2026-3497 by default. If GSSAPIKeyExchange is On, then Yes, CVE
> > 2026-3497 applies.
>
> The patch header has some nice history about the feature:
> <https://salsa.debian.org/ssh-team/openssh/-/blob/master/debian/patches/gssapi.patch?ref_type=heads>

Thank you sir!
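
An added example, not part of the thread and not OpenSSH code: a Python check for whether an sshd_config turns GSSAPIKeyExchange on in its global section, which is the condition the quoted message ties to the CVE. The function name and the sample config are constructed for illustration; the check does not follow Include files or evaluate Match blocks.

```python
import shlex

# Constructed sample sshd_config (not taken from the thread).
SAMPLE = """\
# Kerberos / GSSAPI
GSSAPIAuthentication yes
gssapikeyexchange = yes   # enabled by a local admin
GSSAPIKeyExchange no
"""


def effective_gss_kex(config_text):
    """Return (enabled, lineno) for the global GSSAPIKeyExchange setting.

    Follows the documented sshd_config rules: keywords are
    case-insensitive, '#' starts a comment, and the first value
    obtained for a keyword is the one that is used.
    Assumption: scanning stops at the first Match line, because
    everything after it is conditional and is not evaluated here.
    """
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        try:
            # Treat an optional '=' between keyword and value as whitespace.
            tokens = shlex.split(raw.replace("=", " ", 1), comments=True)
        except ValueError:
            continue  # unbalanced quotes: not a line this check can read
        if not tokens:
            continue  # blank line or comment
        keyword = tokens[0].lower()
        if keyword == "match":
            break
        if keyword == "gssapikeyexchange" and len(tokens) > 1:
            return tokens[1].lower() == "yes", lineno
    # No explicit setting: the option is off by default, per the thread.
    return False, None


if __name__ == "__main__":
    enabled, line = effective_gss_kex(SAMPLE)
    print(f"GSSAPIKeyExchange enabled: {enabled} (line {line})")
```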

