Your message dated Mon, 23 Mar 2026 09:05:01 +0000
with message-id <[email protected]>
and subject line Bug#1131483: fixed in php-phpseclib 2.0.52-1
has caused the Debian Bug report #1131483,
regarding php-phpseclib: CVE-2026-32935
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1131483: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131483
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-phpseclib3
Version: 3.0.49-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2 -3
Control: reassign -2 src:php-phpseclib 2.0.51-1
Control: reassign -3 src:phpseclib 1.0.24-1
Control: retitle -2 php-phpseclib: CVE-2026-32935
Control: retitle -3 phpseclib: CVE-2026-32935
Hi,
The following vulnerability was published for phpseclib.
CVE-2026-32935[0]:
| phpseclib is a PHP secure communications library. Projects using
| versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through
| 3.0.49 are vulnerable to a padding oracle timing attack when
| using AES in CBC mode. This issue has been fixed in versions 1.0.27,
| 2.0.52 and 3.0.50.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32935
    https://www.cve.org/CVERecord?id=CVE-2026-32935
[1] https://github.com/phpseclib/phpseclib/security/advisories/GHSA-94g3-g5v7-q4jg
[2] https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: php-phpseclib
Source-Version: 2.0.52-1
Done: David Prévot <[email protected]>
We believe that the bug you reported is fixed in the latest version of
php-phpseclib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Prévot <[email protected]> (supplier of updated php-phpseclib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Mar 2026 13:06:47 +0100
Source: php-phpseclib
Architecture: source
Version: 2.0.52-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: David Prévot <[email protected]>
Closes: 1131483
Changes:
php-phpseclib (2.0.52-1) unstable; urgency=medium
.
[ terrafrost ]
* fix for PHP 8.5 BC breaking changes on 32-bit machines
* make unpadding constant time [CVE-2026-32935] (Closes: #1131483)
* X509: add support for organizationIdentifier
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
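The changelog entry above says only that unpadding was made constant time. As an added illustration (not code from phpseclib or from this thread), the PHP example below contrasts an early-exit unpad with a branch-free one, assuming PKCS#7-style padding on 16-byte AES blocks; the function names and sample blocks are constructed for this example.

```php
<?php
// Added illustration of the technique; not phpseclib's code.
const BLOCK_SIZE = 16; // AES block size in bytes

// Early-exit PKCS#7 unpadding: returns at the first wrong byte, so the
// running time depends on how many trailing padding bytes were correct.
function unpad_leaky(string $pt): ?string
{
    $len = strlen($pt);
    if ($len === 0 || $len % BLOCK_SIZE !== 0) {
        return null;
    }
    $pad = ord($pt[$len - 1]);
    if ($pad < 1 || $pad > BLOCK_SIZE) {
        return null;
    }
    for ($i = 1; $i <= $pad; $i++) {
        if (ord($pt[$len - $i]) !== $pad) {
            return null; // data-dependent early return
        }
    }
    return substr($pt, 0, $len - $pad);
}

// Constant-time variant: always walks the whole last block and folds every
// check into one accumulator, with no branch on plaintext bytes.
function unpad_constant_time(string $pt): ?string
{
    $len = strlen($pt);
    if ($len === 0 || $len % BLOCK_SIZE !== 0) {
        return null; // the length is public, so branching on it is fine
    }
    $pad = ord($pt[$len - 1]);
    // Range check without branching: sign bit set when pad < 1 or pad > 16.
    $bad = ((($pad - 1) | (BLOCK_SIZE - $pad)) >> 8) & 1;
    for ($i = 1; $i <= BLOCK_SIZE; $i++) {
        // $mask is 0xFF for the last $pad bytes and 0x00 for the others.
        $mask = (($i - $pad - 1) >> 8) & 0xFF;
        $bad |= (ord($pt[$len - $i]) ^ $pad) & $mask;
    }
    return $bad === 0 ? substr($pt, 0, $len - $pad) : null;
}

// Constructed sample blocks (already "decrypted" for the demonstration).
$valid    = str_repeat('A', 12) . str_repeat("\x04", 4);
$tampered = str_repeat('A', 12) . "\x04\x03\x04\x04";
var_dump(unpad_constant_time($valid) === str_repeat('A', 12));
var_dump(unpad_constant_time($tampered));
var_dump(unpad_leaky($valid) === unpad_constant_time($valid));
```

PHP gives no hard timing guarantees, so the second function should be read as removing the data-dependent loop exit, not as a proof of constant-time execution.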