Your message dated Fri, 27 Mar 2026 18:48:53 +0000
with message-id <[email protected]>
and subject line Bug#1131206: fixed in openssh 1:10.2p1-6
has caused the Debian Bug report #1131206,
regarding openssh: Do not default to weak GSS-API exchange algorithms
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131206
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh
Severity: normal
Tags: patch

Dear Maintainer,

As per RFC 8732, gss-group14-sha1- and gss-gex-sha1- are considered
deprecated and should not be used [1].

Should we consider removing them from the default algorithms list?

I am proposing the attached patch to drop those algorithms in Ubuntu.

[1] https://www.rfc-editor.org/rfc/rfc8732#name-deprecated-algorithms

-- 
Athos Ribeiro
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -80,9 +80,7 @@
 	KEX_GSS_GRP14_SHA256_ID	"," \
 	KEX_GSS_GRP16_SHA512_ID	"," \
 	KEX_GSS_NISTP256_SHA256_ID "," \
-	KEX_GSS_C25519_SHA256_ID "," \
-	KEX_GSS_GRP14_SHA1_ID "," \
-	KEX_GSS_GEX_SHA1_ID
+	KEX_GSS_C25519_SHA256_ID
 
 typedef struct {
 	char *filename;
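Review bot: the shortened list ending at KEX_GSS_C25519_SHA256_ID carries no comment saying why the two SHA-1 entries are absent, so a later merge could quietly restore them. Consider a one-line comment above the list citing RFC 8732's deprecation of gss-group14-sha1- and gss-gex-sha1-. The continuation `"," \` was correctly dropped from the new last entry, so the macro still terminates cleanly.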
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1065,7 +1065,7 @@
 .Ed
 .Pp
 The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256- .
 This option only applies to connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
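Review bot: the new default string on the .Dq line drops gss-gex-sha1- and gss-group14-sha1- without telling the reader what happened to them. If the two names remain accepted values for this option, add a sentence after "The default is" stating that they are deprecated by RFC 8732 and are only used when listed explicitly. Otherwise a user whose peer offers only those methods has no pointer to the cause of a failed GSS-API key exchange.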
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -815,7 +815,7 @@
 .Ed
 .Pp
 The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-gex-sha1-,gss-group14-sha1- .
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256- .
 This option only applies to connections using GSSAPI.
 .It Cm HostbasedAcceptedAlgorithms
 Specifies the signature algorithms that will be accepted for hostbased
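Review bot: this .Dq default is a hand-maintained copy of the list in ssh-gss.h and of the identical line in ssh_config.5, and the removed lines show the copies had already drifted: the header listed KEX_GSS_GRP14_SHA1_ID before KEX_GSS_GEX_SHA1_ID while both man pages listed gss-gex-sha1- before gss-group14-sha1-. The visible entries now agree in all three places, so it is worth re-checking them together whenever the header list changes. On the server side the change also means that clients offering only the two SHA-1 methods will no longer complete GSS-API key exchange by default, which merits a NEWS or changelog line for administrators upgrading.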

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:10.2p1-6
Done: Colin Watson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 Mar 2026 18:26:06 +0000
Source: openssh
Architecture: source
Version: 1:10.2p1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 989906 1130595 1131206
Changes:
 openssh (1:10.2p1-6) unstable; urgency=medium
 .
   * CVE-2026-3497: Fix incorrect GSS-API error handling; Replace incorrect
     use of sshpkt_disconnect() with ssh_packet_disconnect(), and properly
     initialize some variables (closes: #1130595; thanks, Marc Deslauriers).
   * Do not default to weak GSS-API exchange algorithms (closes: #989906,
     #1131206; LP: #2144812; thanks, Athos Ribeiro).
Git-Tag-Tagger: Colin Watson <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
