On Fri, Mar 13, 2026 at 01:55:00PM +0100, Salvatore Bonaccorso wrote:
The following vulnerability was published for openssh.
CVE-2026-3497[0]:
| Vulnerability in the OpenSSH GSSAPI delta included in various Linux
| distributions. This vulnerability affects the GSSAPI patches added
| by various Linux distributions and does not affect the OpenSSH
| upstream project itself. The usage of sshpkt_disconnect() on an
| error, which does not terminate the process, allows an attacker to
| send an unexpected GSSAPI message type during the GSSAPI key
| exchange to the server, which will call the underlying function and
| continue the execution of the program without setting the related
| connection variables. As the variables are not initialized to NULL
| the code later accesses those uninitialized variables, accessing
| random memory, which could lead to undefined behavior. The
| recommended workaround is to use ssh_packet_disconnect() instead,
| which does terminate the process. The impact of the vulnerability
| depends heavily on the compiler flag hardening configuration.
We ship debian/patches/gssapi.patch. A DSA for this issue looks
warranted, but we have not investigated the severity in our
case.
Thanks. I'm not sure of the severity either, but the patch looks
reasonable. I've uploaded it to unstable and will work on corresponding
updates for trixie and bookworm.
--
Colin Watson (he/him) [[email protected]]
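The pattern the CVE text describes, reduced to a constructed C model (added here; it is not the Debian GSSAPI patch or OpenSSH code, and the message-type values, struct names and helper functions are assumptions): an error path that reports but returns to its caller, so the handler continues and later code uses a context variable the error path never set, beside the shape of the recommended fix, where the variable starts as NULL and the error result stops further processing.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed message types; values are placeholders, not the real ones. */
enum { MSG_GSS_INIT = 30, MSG_GSS_UNEXPECTED = 99 };

typedef struct { int established; } gss_ctx;
typedef struct { gss_ctx *ctx; int disconnected; } kex_state;

static gss_ctx good_ctx = { 1 };    /* what a valid exchange would produce */
static gss_ctx stale_garbage = { 0 }; /* stands in for leftover stack memory */

/* Models sshpkt_disconnect() as the CVE text describes it: records the
 * error and returns to the caller instead of ending the process. */
static int soft_disconnect(kex_state *s) { s->disconnected = 1; return -1; }

/* Vulnerable shape: the error is reported, its result is dropped, and the
 * handler returns success, so the caller goes on to use s->ctx, which still
 * holds whatever the memory contained before. */
int handle_vulnerable(int type, kex_state *s) {
    if (type != MSG_GSS_INIT)
        soft_disconnect(s);          /* does not terminate; value ignored */
    else
        s->ctx = &good_ctx;
    return 0;                        /* execution continues regardless */
}

/* Hardened shape: the context is initialized to NULL before any early
 * exit, and the error result is propagated so the caller stops here. */
int handle_hardened(int type, kex_state *s) {
    s->ctx = NULL;
    if (type != MSG_GSS_INIT)
        return soft_disconnect(s);   /* fail closed: nothing below runs */
    s->ctx = &good_ctx;
    return 0;
}

int main(void) {
    kex_state v = { &stale_garbage, 0 }, h = { &stale_garbage, 0 };
    int rv = handle_vulnerable(MSG_GSS_UNEXPECTED, &v);
    int rh = handle_hardened(MSG_GSS_UNEXPECTED, &h);
    printf("vulnerable: rc=%d ctx stale=%d\n", rv, v.ctx == &stale_garbage);
    printf("hardened:   rc=%d ctx NULL=%d\n", rh, h.ctx == NULL);
    return 0;
}
```

In the vulnerable variant the caller sees a zero return and a non-NULL `ctx`, so nothing downstream can tell the exchange failed; in the hardened variant the nonzero return and NULL `ctx` both force the caller to stop.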