
[SECURITY] [DLA 4518-1] phpseclib security update



-----------------------------------------------------------------------
Debian LTS Advisory DLA-4518-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
March 30, 2026                              https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : phpseclib
Version        : 1.0.19-3+deb11u3
CVE ID         : CVE-2023-52892 CVE-2026-32935

Two vulnerabilities were discovered in phpseclib, a PHP Secure
Communications Library.

CVE-2023-52892

    Some characters in Subject Alternative Name fields in TLS
    certificates were incorrectly allowed to have a special meaning
    in regular expressions, leading to name confusion in X.509
    certificate host verification.

CVE-2026-32935

    The AES-CBC implementation was susceptible to a padding oracle
    timing attack due to the use of a short-circuiting logical
    operator in the unpadding function.
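
The bug class behind CVE-2023-52892, shown as an added example that is not phpseclib's own code: a certificate-supplied name turned into a regular expression without quoting, next to a version that quotes it first. The function names and the example.com host names are constructed for illustration.

```php
<?php
// Added illustration of the bug class; names and hosts are constructed,
// and neither function is taken from phpseclib.

// Unquoted form: only '.' and '*' are translated, so every other regex
// metacharacter in the certificate-supplied name keeps its special meaning.
function san_matches_naive(string $san, string $host): bool
{
    $pattern = str_replace(['.', '*'], ['\.', '[^.]*'], $san);
    return preg_match('#^' . $pattern . '$#i', $host) === 1;
}

// Quoted form: escape the whole name (including the '#' delimiter),
// then re-enable only the single-label wildcard.
function san_matches_quoted(string $san, string $host): bool
{
    $pattern = preg_quote($san, '#');
    $pattern = str_replace('\*', '[^.]*', $pattern);
    return preg_match('#^' . $pattern . '$#i', $host) === 1;
}

// Constructed test data: [name from the certificate, host being verified].
$cases = [
    ['www.example.com',               'www.example.com'],
    ['*.example.com',                 'api.example.com'],
    ['*.example.com',                 'a.b.example.com'],
    ['(www|mail).example.com',        'mail.example.com'],
    ['www.example.com|other.example', 'other.example'],
    ['[a-z]+.example.com',            'login.example.com'],
];

foreach ($cases as [$san, $host]) {
    printf(
        "%-32s %-20s naive=%-5s quoted=%s\n",
        $san,
        $host,
        var_export(san_matches_naive($san, $host), true),
        var_export(san_matches_quoted($san, $host), true)
    );
}
```

The two functions agree on the first three rows and disagree on the last three, where the unquoted pattern treats `(`, `|`, `[` and `+` as regex syntax rather than as literal characters of the name.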

For Debian 11 bullseye, these problems have been fixed in version
1.0.19-3+deb11u3.

We recommend that you upgrade your phpseclib packages.

For the detailed security status of phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS