Source: php-phpseclib3 Version: 3.0.49-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: clone -1 -2 -3 Control: reassign -2 src:php-phpseclib 2.0.51-1 Control: reassign -3 src:phpseclib 1.0.24-1 Control: retitle -2 php-phpseclib: CVE-2026-32935 Control: retitle -3 phpseclib: CVE-2026-32935
Hi, The following vulnerability was published for phpseclib. CVE-2026-32935[0]: | phpseclib is a PHP secure communications library. Projects using | versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through | 3.0.49 are vulnerable to a to padding oracle timing attack when | using AES in CBC mode. This issue has been fixed in versions 1.0.27, | 2.0.52 and 3.0.50. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-32935 https://www.cve.org/CVERecord?id=CVE-2026-32935 [1] https://github.com/phpseclib/phpseclib/security/advisories/GHSA-94g3-g5v7-q4jg [2] https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
