Your message dated Mon, 23 Mar 2026 09:05:06 +0000
with message-id <[email protected]>
and subject line Bug#1131482: fixed in php-phpseclib3 3.0.50-1
has caused the Debian Bug report #1131482,
regarding php-phpseclib3: CVE-2026-32935
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131482: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131482
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-phpseclib3
Version: 3.0.49-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2 -3
Control: reassign -2 src:php-phpseclib 2.0.51-1
Control: reassign -3 src:phpseclib 1.0.24-1
Control: retitle -2 php-phpseclib: CVE-2026-32935
Control: retitle -3 phpseclib: CVE-2026-32935

Hi,

The following vulnerability was published for phpseclib.

CVE-2026-32935[0]:
| phpseclib is a PHP secure communications library. Projects using
| versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through
| 3.0.49 are vulnerable to a padding oracle timing attack when
| using AES in CBC mode. This issue has been fixed in versions 1.0.27,
| 2.0.52 and 3.0.50.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32935
    https://www.cve.org/CVERecord?id=CVE-2026-32935
[1] https://github.com/phpseclib/phpseclib/security/advisories/GHSA-94g3-g5v7-q4jg
[2] https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: php-phpseclib3
Source-Version: 3.0.50-1
Done: David Prévot <[email protected]>

We believe that the bug you reported is fixed in the latest version of
php-phpseclib3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated php-phpseclib3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 Mar 2026 13:12:54 +0100
Source: php-phpseclib3
Architecture: source
Version: 3.0.50-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1131482
Changes:
 php-phpseclib3 (3.0.50-1) unstable; urgency=medium
 .
   [ terrafrost ]
   * fix for PHP 8.5 BC breaking changes on 32-bit machines
   * make unpadding constant time [CVE-2026-32935] (Closes: #1131482)
   * X509: add support for organizationIdentifier


--- End Message ---
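
The changelog entry "make unpadding constant time" and the CVE text above name the class of bug; the following is an added illustration of that class, not code from phpseclib or from this bug report. It assumes PKCS#7 padding, 16-byte AES blocks and PHP 8, and every name in it is hypothetical.

```php
<?php
declare(strict_types=1);
// Added illustration, not phpseclib code. Assumes PKCS#7 padding, 16-byte
// AES blocks and PHP 8; all names below are hypothetical.
const BLOCK = 16;

// Variable-time: returns at the first wrong byte, so run time depends on
// how many trailing padding bytes were correct.
function unpad_leaky(string $p): string|false
{
    $n = strlen($p);
    if ($n === 0 || $n % BLOCK !== 0) return false;
    $pad = ord($p[$n - 1]);
    if ($pad < 1 || $pad > BLOCK) return false;
    for ($i = 2; $i <= $pad; $i++) {
        if (ord($p[$n - $i]) !== $pad) return false;   // early exit
    }
    return substr($p, 0, $n - $pad);
}

// Fixed work per call: always scans the whole last block and ORs every
// mismatch into $bad; the only branch is on the final verdict.
function unpad_ct(string $p): string|false
{
    $n = strlen($p);
    if ($n === 0 || $n % BLOCK !== 0) return false;    // length is public
    $pad = ord($p[$n - 1]);
    $bad  = (($pad - 1) >> 8) & 1;                     // 1 when $pad == 0
    $bad |= ((BLOCK - $pad) >> 8) & 1;                 // 1 when $pad > BLOCK
    for ($i = 1; $i <= BLOCK; $i++) {
        $mask = (($i - 1 - $pad) >> 8) & 0xFF;         // 0xFF when $i <= $pad
        $bad |= $mask & (ord($p[$n - $i]) ^ $pad);
    }
    return $bad === 0 ? substr($p, 0, $n - $pad) : false;
}

// Constructed samples: full pad block, valid pad, one wrong byte, pad 0, pad 17.
$samples = [
    "YELLOW SUBMARINE" . str_repeat("\x10", 16),
    "hello world" . str_repeat("\x05", 5),
    "hello world" . "\x05\x05\x04\x05\x05",
    str_repeat("A", 15) . "\x00",
    str_repeat("A", 15) . "\x11",
];
foreach ($samples as $s) {
    if (unpad_leaky($s) !== unpad_ct($s)) throw new RuntimeException('results differ');
    echo bin2hex($s), ' => ', var_export(unpad_ct($s), true), PHP_EOL;
}
```

Both functions return the same results; only the amount of work done on invalid input differs. Callers should also report every decryption failure identically, and authenticating the ciphertext (encrypt-then-MAC or an AEAD mode) before decrypting removes the dependence on unpadding behaviour altogether.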
