[SECURITY] [DSA 6186-1] php-phpseclib security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6186-1] php-phpseclib security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 29 Mar 2026 19:02:30 +0000
Message-id: <[🔎] acl3RhubvuX3oPvl@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6186-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 29, 2026                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-phpseclib
CVE ID         : CVE-2026-32935

It was discovered that the AES-CBC implementation in the PHP Secure
Communications Library was susceptible to a padding oracle timing attack.

For the oldstable distribution (bookworm), these problems have been fixed
in version 2.0.42-1+deb12u3. This update also fixes CVE-2023-52892.

For the stable distribution (trixie), these problems have been fixed in
version 2.0.48-3+deb13u1.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmnJdSAACgkQEMKTtsN8
Tjaufg/8DeFCl3NVKnxu+plpZw3BNmU5arR2JSfAYF+b7cGo/UkJ8tyJuGM8VzzH
8ijnT92Zfq6HNKwboQ0k1JGWm5rmQSQI2bU7EJkewqDXOe9qPSZVjF46ayTnByND
4+7bfCq1lg5FU2sEZF/5zZqnnI5p2ctWh+1rSYZVVJxCpEy43zkA9Yv5RLq0aHhb
Bp3E2i+jJlJjL25VmJLYVVl/JFgbvD4WCHYUXbkAsBMeHLuR4UfYrSvL1BrP22wG
lbsBWmbX82c1FkMuV+sgfFF+3cT+jawDo2AWgl8CDa0c/xX0m1u1KIHcDri/hJ4Z
Pbomx7fdPT0239YCk6GrnOQiNg1TYe7kKhTUgHnZkKZIta0p2K7rGJEhJ0jLCUWv
2esTIzMizokDkEPYjCTDdB1ggY9D77iixEX41V6UVZBioEympPCsIgnxCgf6pVOm
Vv3bUHMbVni81MaskvUQS+I1E/koWCwra6wrmOvGN8HyFLBEgV2oYDi7YD/KZYPL
PBN4cep2SBghuKJxmO/HEu9G18o+iLTagZz5TqzeYdZm2ZsUHyN75rnXDbCAcazn
qltCjRQhSYXgmuqksZcY652yTA0uckejBYc8fAGnsYNBt/xYsJES7KesfEuM+Ssn
IiR0R66Q3RTdZZ9bGVE7BSfyU/EOw09WwvxAarhzCyX/ZS18w0E=
=IEil
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6185-1] phpseclib security update
Next by Date: [SECURITY] [DSA 6187-1] php-phpseclib3 security update
Previous by thread: [SECURITY] [DSA 6185-1] phpseclib security update
Next by thread: [SECURITY] [DSA 6187-1] php-phpseclib3 security update
Index(es):
- Date
- Thread