On Sat, Mar 14, 2026 at 3:51 PM Solar Designer <[email protected]> wrote:
>
> [...]
> Red Hat has now acknowledged that RHEL 8, 9, 10 are also affected (but 6
> and 7 are not):
>
> https://access.redhat.com/security/cve/cve-2026-3497
>
> They suggest setting "GSSAPIAuthentication no" to mitigate this, which I
> find puzzling. Per the brief discussion we had on the distros list
> pre-disclosure, it appeared that GSSAPIKeyExchange is the option, and
> moreover it was said that GSSAPIKeyExchange could conceivably be used
> without GSSAPIAuthentication. So which of these two options is/are
> actually responsible for exposing the vulnerability? Does it maybe vary
> by patch revision (Debian vs. Red Hat) or (more likely?) is this just an
> error in the current Red Hat statement?
It might be worth mentioning that GSSAPIAuthentication is provided by
upstream OpenSSH. GSSAPIKeyExchange is provided by Debian and Fedora
patches. See
<https://www.reddit.com/r/FreeIPA/comments/1ipjlgq/ssh_gssapikeyexchange_off_by_default/>.

Jeff
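Since the thread leaves open which of the two options matters, an administrator will want to see the effective value of both at once. The following POSIX sh check is an added example, not code from the thread or from OpenSSH; it parses the `key value` lines that `sshd -T` prints (constructed sample input below) and reports each option, treating an absent `gssapikeyexchange` line as "not reported", which is what an unpatched upstream build yields since only the Debian/Fedora patches add that option.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the effective sshd GSSAPI
# settings from `sshd -T` output, which prints lowercase "key value" lines.
# Reads that text on stdin; returns non-zero if either option is enabled.
gssapi_report() {
    auth="not reported"
    kex="not reported"
    while read -r key value; do
        case "$key" in
            gssapiauthentication) auth="$value" ;;
            # Only present in builds carrying the Debian/Fedora GSSAPI patch.
            gssapikeyexchange)    kex="$value" ;;
        esac
    done
    printf 'GSSAPIAuthentication=%s GSSAPIKeyExchange=%s\n' "$auth" "$kex"
    # Non-zero exit lets this gate a configuration audit.
    [ "$auth" != "yes" ] && [ "$kex" != "yes" ]
}

# Constructed sample mimicking `sshd -T` output from a patched build
# (not a capture from a real host).
SAMPLE_SSHD_T='port 22
gssapiauthentication yes
gssapikeyexchange no
passwordauthentication no'

# Real use on a host: sshd -T | gssapi_report
printf '%s\n' "$SAMPLE_SSHD_T" | gssapi_report \
    || echo "warning: at least one GSSAPI option is enabled"
```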
