* [OE-core][Scarthgap][PATCH] openssh: set status for CVE-2026-3497
@ 2026-06-29 15:42 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-06 21:34 ` Yoann Congal
0 siblings, 1 reply; 4+ messages in thread
From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2026-06-29 15:42 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Analysis:
- CVE-2026-3497 affects downstream OpenSSH GSSAPI Key Exchange patches.
- The vulnerable code uses sshpkt_disconnect() in the GSSAPI KEX server path.
- Upstream OpenSSH/OE-Core does not carry the vulnerable GSSAPI key-exchange delta.
- Hence ignoring the CVE for this version.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-3497
https://github.com/advisories/ghsa-wcpp-3x59-h8vp
https://ubuntu.com/security/CVE-2026-3497
https://security-tracker.debian.org/tracker/CVE-2026-3497
https://www.openwall.com/lists/oss-security/2026/03/12/3
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
---
meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index a1b5d4a553..40c27102d8 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -49,6 +49,7 @@ Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
+CVE_STATUS[CVE-2026-3497] = "not-applicable-platform: Only affects GSSAPI Key Exchange patches used by some Linux distributions and does not exist in upstream openssh."
PAM_SRC_URI = "file://sshd"
--
2.35.6
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core][Scarthgap][PATCH] openssh: set status for CVE-2026-3497
2026-06-29 15:42 [OE-core][Scarthgap][PATCH] openssh: set status for CVE-2026-3497 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
@ 2026-07-06 21:34 ` Yoann Congal
2026-07-09 5:35 ` [Scarthgap][PATCH] " Sudhir Dumbhare
0 siblings, 1 reply; 4+ messages in thread
From: Yoann Congal @ 2026-07-06 21:34 UTC (permalink / raw)
To: sudumbha, openembedded-core
On Mon Jun 29, 2026 at 5:42 PM CEST, Sudhir Dumbhare via lists.openembedded.org wrote:
> From: Sudhir Dumbhare <sudumbha@cisco.com>
>
> Analysis:
> - CVE-2026-3497 affects downstream OpenSSH GSSAPI Key Exchange patches.
> - The vulnerable code uses sshpkt_disconnect() in the GSSAPI KEX server path.
> - Upstream OpenSSH/OE-Core does not carry the vulnerable GSSAPI key-exchange delta.
> - Hence ignoring the CVE for this version.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2026-3497
> https://github.com/advisories/ghsa-wcpp-3x59-h8vp
> https://ubuntu.com/security/CVE-2026-3497
> https://security-tracker.debian.org/tracker/CVE-2026-3497
> https://www.openwall.com/lists/oss-security/2026/03/12/3
>
> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> ---
> meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> index a1b5d4a553..40c27102d8 100644
> --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
> @@ -49,6 +49,7 @@ Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
>
> CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
> CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
> +CVE_STATUS[CVE-2026-3497] = "not-applicable-platform: Only affects GSSAPI Key Exchange patches used by some Linux distributions and does not exist in upstream openssh."
>
> PAM_SRC_URI = "file://sshd"
>
Hello,
That looks like this is needed on wrynose and master as well.
Can you send this to those branches and ping back here?
Thanks!
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Scarthgap][PATCH] openssh: set status for CVE-2026-3497
2026-07-06 21:34 ` Yoann Congal
@ 2026-07-09 5:35 ` Sudhir Dumbhare
2026-07-09 8:21 ` [OE-core] " Yoann Congal
0 siblings, 1 reply; 4+ messages in thread
From: Sudhir Dumbhare @ 2026-07-09 5:35 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 454 bytes --]
Hello Yoann,
Thank you for your review and for pointing this out.
I have submitted the patch for the master branch here:
[master][PATCH] openssh: set status for CVE-2026-3497 ( https://lists.openembedded.org/g/openembedded-core/message/240520 )
and the patch for the wrynose branch here:
[wrynose][PATCH] openssh: set status for CVE-2026-3497 ( https://lists.openembedded.org/g/openembedded-core/message/240521 )
Thanks and Regards,
Sudhir
[-- Attachment #2: Type: text/html, Size: 735 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core] [Scarthgap][PATCH] openssh: set status for CVE-2026-3497
2026-07-09 5:35 ` [Scarthgap][PATCH] " Sudhir Dumbhare
@ 2026-07-09 8:21 ` Yoann Congal
0 siblings, 0 replies; 4+ messages in thread
From: Yoann Congal @ 2026-07-09 8:21 UTC (permalink / raw)
To: sudumbha, openembedded-core
On Thu Jul 9, 2026 at 7:35 AM CEST, Sudhir Dumbhare via lists.openembedded.org wrote:
> Hello Yoann,
> Thank you for your review and for pointing this out.
>
> I have submitted the patch for the master branch here:
> [master][PATCH] openssh: set status for CVE-2026-3497 ( https://lists.openembedded.org/g/openembedded-core/message/240520 )
>
> and the patch for the wrynose branch here:
> [wrynose][PATCH] openssh: set status for CVE-2026-3497 ( https://lists.openembedded.org/g/openembedded-core/message/240521 )
Thanks, sounds good.
In the future, may I ask that you keep some context in the mail when you
answer? It would easier for me. For example, your "pointing this out" is
not clear without reaching for the previous mails in the thread.
Thanks!
>
> Thanks and Regards,
> Sudhir
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-09 8:22 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 15:42 [OE-core][Scarthgap][PATCH] openssh: set status for CVE-2026-3497 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-06 21:34 ` Yoann Congal
2026-07-09 5:35 ` [Scarthgap][PATCH] " Sudhir Dumbhare
2026-07-09 8:21 ` [OE-core] " Yoann Congal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox