Your message dated Mon, 23 Mar 2026 09:05:12 +0000
with message-id <[email protected]>
and subject line Bug#1131484: fixed in phpseclib 1.0.27-1
has caused the Debian Bug report #1131484,
regarding phpseclib: CVE-2026-32935
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131484
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-phpseclib3
Version: 3.0.49-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2 -3
Control: reassign -2 src:php-phpseclib 2.0.51-1
Control: reassign -3 src:phpseclib 1.0.24-1
Control: retitle -2 php-phpseclib: CVE-2026-32935
Control: retitle -3 phpseclib: CVE-2026-32935
Hi,
The following vulnerability was published for phpseclib.
CVE-2026-32935[0]:
| phpseclib is a PHP secure communications library. Projects using
| versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through
| 3.0.49 are vulnerable to a padding oracle timing attack when
| using AES in CBC mode. This issue has been fixed in versions 1.0.27,
| 2.0.52 and 3.0.50.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32935
    https://www.cve.org/CVERecord?id=CVE-2026-32935
[1] https://github.com/phpseclib/phpseclib/security/advisories/GHSA-94g3-g5v7-q4jg
[2] https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: phpseclib
Source-Version: 1.0.27-1
Done: David Prévot <[email protected]>
We believe that the bug you reported is fixed in the latest version of
phpseclib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated phpseclib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Mar 2026 13:20:40 +0100
Source: phpseclib
Architecture: source
Version: 1.0.27-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1131484
Changes:
phpseclib (1.0.27-1) unstable; urgency=medium
.
[ terrafrost ]
* SCP: fix some longstanding issues
* BigInteger: fix for PHP 8.5 deprecations for BCMath / toBytes()
* RSA: add support for OpenSSH pub keys with multiple spaces / tabs
* RSA: fix for PHP 8.5 deprecations for RSA / PSS
* BigInteger: another PHP 8.5 deprecation fix
* fix for PHP 8.5 BC breaking changes on 32-bit machines
* make unpadding constant time [CVE-2026-32935] (Closes: #1131484)
* X509: add support for organizationIdentifier
* CHANGELOG: add 1.0.27 release
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
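
The CVE text and the changelog entry "make unpadding constant time" name the defect class without showing it. As an added example (not phpseclib's code and not part of either message), here is unpadding written with an early exit next to a version with no data-dependent branch in the check; it assumes PKCS#7 padding on 16-byte AES blocks, and the function names and sample plaintexts are constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not phpseclib's API.
const BLOCK_SIZE = 16; // AES block size in bytes

// Variable-time PKCS#7 unpadding: returns at the first failing check, so its
// running time depends on the content of the decrypted final block.
function unpad_early_exit(string $plaintext)
{
    $len = strlen($plaintext);
    if ($len === 0 || $len % BLOCK_SIZE !== 0) {
        return false;
    }
    $pad = ord($plaintext[$len - 1]);
    if ($pad < 1 || $pad > BLOCK_SIZE) {
        return false;
    }
    for ($i = 2; $i <= $pad; $i++) {
        if (ord($plaintext[$len - $i]) !== $pad) {
            return false;
        }
    }
    return substr($plaintext, 0, $len - $pad);
}

// Same result, but every call reads all 16 bytes of the final block and folds
// the checks into $bad with bit operations instead of branching on the data.
function unpad_constant_time(string $plaintext)
{
    $len = strlen($plaintext);
    if ($len === 0 || $len % BLOCK_SIZE !== 0) { // length is not secret
        return false;
    }
    $pad = ord($plaintext[$len - 1]);
    $bad = (($pad - 1) >> 8) & 1;            // 1 when $pad === 0
    $bad |= ((BLOCK_SIZE - $pad) >> 8) & 1;  // 1 when $pad > BLOCK_SIZE
    for ($i = 1; $i <= BLOCK_SIZE; $i++) {
        $mask = (($i - $pad - 1) >> 8) & 0xFF; // 0xFF for padding positions
        $bad |= $mask & (ord($plaintext[$len - $i]) ^ $pad);
    }
    return $bad === 0 ? substr($plaintext, 0, $len - $pad) : false;
}
// Constructed samples: valid padding, a full padding block, corrupt padding.
$samples = [
    "hello world" . str_repeat("\x05", 5),
    str_repeat("A", 16) . str_repeat("\x10", 16),
    "hello world" . "\x05\x05\x04\x05\x05",
];
foreach ($samples as $s) {
    var_dump(unpad_early_exit($s) === unpad_constant_time($s), unpad_constant_time($s));
}
```

Constant-time unpadding narrows the timing signal only; callers should also return the same error for every decryption failure. Authenticating the ciphertext before decrypting it, or using an AEAD mode, keeps forged ciphertexts from reaching the padding check at all.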