From: "Yoann Congal" <yoann.congal@smile.fr>
To: <sudumbha@cisco.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][Scarthgap][PATCH] openssh: set status for CVE-2026-3497
Date: Mon, 06 Jul 2026 23:34:36 +0200 [thread overview]
Message-ID: <DJRT7GZ90EZQ.1CCLVP0O2PBQZ@smile.fr> (raw)
In-Reply-To: <20260629154240.2293009-1-sudumbha@cisco.com>
On Mon Jun 29, 2026 at 5:42 PM CEST, Sudhir Dumbhare via lists.openembedded.org wrote:
> From: Sudhir Dumbhare <sudumbha@cisco.com>
>
> Analysis:
> - CVE-2026-3497 affects downstream OpenSSH GSSAPI Key Exchange patches.
> - The vulnerable code uses sshpkt_disconnect() in the GSSAPI KEX server path.
> - Upstream OpenSSH/OE-Core does not carry the vulnerable GSSAPI key-exchange delta.
> - Hence ignoring the CVE for this version.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2026-3497
> https://github.com/advisories/ghsa-wcpp-3x59-h8vp
> https://ubuntu.com/security/CVE-2026-3497
> https://security-tracker.debian.org/tracker/CVE-2026-3497
> https://www.openwall.com/lists/oss-security/2026/03/12/3
>
> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> ---
> meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> index a1b5d4a553..40c27102d8 100644
> --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> @@ -49,6 +49,7 @@ Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
>
> CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
> CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
> +CVE_STATUS[CVE-2026-3497] = "not-applicable-platform: Only affects GSSAPI Key Exchange patches used by some Linux distributions and does not exist in upstream openssh."
>
> PAM_SRC_URI = "file://sshd"
>
Hello,
That looks like this is needed on wrynose and master as well.
Can you send this to those branches and ping back here?
Thanks!
--
Yoann Congal
Smile ECS
prev parent reply other threads:[~2026-07-06 21:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 15:42 [OE-core][Scarthgap][PATCH] openssh: set status for CVE-2026-3497 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-06 21:34 ` Yoann Congal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJRT7GZ90EZQ.1CCLVP0O2PBQZ@smile.fr \
--to=yoann.congal@smile.fr \
--cc=openembedded-core@lists.openembedded.org \
--cc=sudumbha@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.