Hi Colin,

On Fri, Mar 27, 2026 at 06:31:05PM +0000, Colin Watson wrote:
> On Fri, Mar 13, 2026 at 01:55:00PM +0100, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for openssh.
> >
> > CVE-2026-3497[0]:
> > | Vulnerability in the OpenSSH GSSAPI delta included in various Linux
> > | distributions. This vulnerability affects the GSSAPI patches added
> > | by various Linux distributions and does not affect the OpenSSH
> > | upstream project itself. The usage of sshpkt_disconnect() on an
> > | error, which does not terminate the process, allows an attacker to
> > | send an unexpected GSSAPI message type during the GSSAPI key
> > | exchange to the server, which will call the underlying function and
> > | continue the execution of the program without setting the related
> > | connection variables. As the variables are not initialized to NULL
> > | the code later accesses those uninitialized variables, accessing
> > | random memory, which could lead to undefined behavior. The
> > | recommended workaround is to use ssh_packet_disconnect() instead,
> > | which does terminate the process. The impact of the vulnerability
> > | depends heavily on the compiler flag hardening configuration.
> >
> > We ship debian/patches/gssapi.patch . A DSA for this issue looks
> > warranted, but we have not investigated what the severity is in our
> > case.
>
> Thanks. I'm not sure of the severity either, but the patch looks
> reasonable. I've uploaded it to unstable and will work on corresponding
> updates for trixie and bookworm.
Thanks for your response! Thank you for preparing updates as well down to trixie and bookworm!

Regards,
Salvatore
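As an added illustration of the fall-through the quoted advisory describes (example code written for this page, not OpenSSH's code and not the Debian gssapi.patch): a small C model in which a disconnect helper that returns to its caller lets the handler run on to state it never populated, beside a handler whose disconnect helper never returns. Every identifier here (model_sshpkt_disconnect, model_ssh_packet_disconnect, handle_gss_vulnerable, handle_gss_hardened, the message-type numbers and the packet bytes) is a constructed stand-in, not an OpenSSH name or value; the real ssh_packet_disconnect() exits the process, which this model replaces with a longjmp so the two shapes can be compared inside one process.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed message-type numbers for the model; not OpenSSH's values. */
enum { GSS_MSG_INIT = 30, GSS_MSG_OTHER = 31 };

struct conn {
    int disconnect_queued;   /* a DISCONNECT was queued for this connection */
    const char *reason;
};

/* The "connection variables" of the advisory: filled in only when the
 * expected message type arrives. */
struct gss_state {
    const unsigned char *token;
    size_t token_len;
};

/* Model of sshpkt_disconnect(): records the disconnect and RETURNS.
 * Nothing here stops the caller from carrying on. */
static int model_sshpkt_disconnect(struct conn *c, const char *why)
{
    c->disconnect_queued = 1;
    c->reason = why;
    return 0;
}

/* Model of ssh_packet_disconnect(): never returns. The real one exits the
 * process; the longjmp to the handler's setjmp stands in for that. */
static jmp_buf disconnect_env;

static void model_ssh_packet_disconnect(struct conn *c, const char *why)
{
    c->disconnect_queued = 1;
    c->reason = why;
    longjmp(disconnect_env, 1);
}

/* Vulnerable shape. Returns the token length on the expected type, or -1
 * when control reaches the use-site with st never populated; the real code
 * would dereference whatever garbage the heap object holds at that point,
 * so the model stops just short of the read. */
static int handle_gss_vulnerable(struct conn *c, int type,
                                 const unsigned char *pkt, size_t n)
{
    /* malloc, not calloc: the object is deliberately not zeroed, mirroring
     * "the variables are not initialized to NULL". */
    struct gss_state *st = malloc(sizeof *st);
    int populated = 0, rc;

    if (st == NULL)
        return -3;

    if (type != GSS_MSG_INIT) {
        model_sshpkt_disconnect(c, "unexpected GSSAPI message type");
        /* BUG: no "return" here, so execution falls through. */
    } else {
        st->token = pkt;
        st->token_len = n;
        populated = 1;
    }

    /* "Later" code that assumes st was set up. */
    rc = populated ? (int)st->token_len : -1;
    free(st);
    return rc;
}

/* Hardened shape: the disconnect helper does not return, and the state is
 * zero-initialised as a second line of defence. Returns -2 when the
 * connection was torn down before any state was used. An equivalent fix
 * keeps the returning helper and adds an explicit "return" after it. */
static int handle_gss_hardened(struct conn *c, int type,
                               const unsigned char *pkt, size_t n)
{
    struct gss_state st = {0};

    if (setjmp(disconnect_env) != 0)
        return -2;   /* arrived here from model_ssh_packet_disconnect() */

    if (type != GSS_MSG_INIT)
        model_ssh_packet_disconnect(c, "unexpected GSSAPI message type");

    st.token = pkt;
    st.token_len = n;
    return (int)st.token_len;
}

int main(void)
{
    /* Constructed payload standing in for a GSSAPI token. */
    static const unsigned char pkt[] = "constructed";
    struct conn a = {0}, b = {0};

    printf("vulnerable, unexpected type: rc=%d queued=%d\n",
           handle_gss_vulnerable(&a, GSS_MSG_OTHER, pkt, sizeof pkt - 1),
           a.disconnect_queued);
    printf("hardened,   unexpected type: rc=%d queued=%d\n",
           handle_gss_hardened(&b, GSS_MSG_OTHER, pkt, sizeof pkt - 1),
           b.disconnect_queued);
    return 0;
}
```

The vulnerable handler reaches its use-site with a disconnect merely queued, which is the advisory's point: whether the garbage it would then read is NULL or a live pointer depends on how the binary was built (the advisory's "compiler flag hardening configuration"), so the same source can crash cleanly on one distribution and misbehave on another.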

