diff -Nru php-phpseclib3-3.0.43/debian/changelog php-phpseclib3-3.0.43/debian/changelog
--- php-phpseclib3-3.0.43/debian/changelog	2026-03-24 08:15:58.000000000 +0100
+++ php-phpseclib3-3.0.43/debian/changelog	2026-04-19 11:32:40.000000000 +0200
@@ -1,3 +1,10 @@
+php-phpseclib3 (3.0.43-2+deb13u2) trixie; urgency=medium
+
+  * SSH2: use constant time string comparison in get_binary_packet()
+    [CVE-2026-40194]
+
+ -- David Prévot <taffit@debian.org>  Sun, 19 Apr 2026 11:32:40 +0200
+
 php-phpseclib3 (3.0.43-2+deb13u1) trixie-security; urgency=medium
 
   * make unpadding constant time [CVE-2026-32935] (Closes: #1131482)
diff -Nru php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch
--- php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch	2026-04-19 11:32:03.000000000 +0200
@@ -0,0 +1,32 @@
+From: terrafrost <terrafrost@php.net>
+Date: Thu, 9 Apr 2026 19:59:48 -0500
+Subject: Merge branch '2.0' into 3.0
+
+SSH2: use constant time string comparison in get_binary_packet():
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/254140b34b8d738c53686f0362b22e2153d893ea
+Bug: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-40194
+---
+ phpseclib/Net/SSH2.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php
+index 4f1a849..5946740 100644
+--- a/phpseclib/Net/SSH2.php
++++ b/phpseclib/Net/SSH2.php
+@@ -3709,12 +3709,12 @@ class SSH2
+                 substr($packet->raw, 0, -$this->hmac_size);
+             if (($this->hmac_check->getHash() & "\xFF\xFF\xFF\xFF") == 'umac') {
+                 $this->hmac_check->setNonce("\0\0\0\0" . pack('N', $this->get_seq_no));
+-                if ($hmac != $this->hmac_check->hash($reconstructed)) {
++                if (!hash_equals($hmac, $this->hmac_check->hash($reconstructed))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new ConnectionClosedException('Invalid UMAC');
+                 }
+             } else {
+-                if ($hmac != $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed))) {
++                if (!hash_equals($hmac, $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed)))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new ConnectionClosedException('Invalid HMAC');
+                 }
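Review bot: Both new `hash_equals()` calls pass `$hmac` first and the locally computed MAC second, which is the reverse of the documented `hash_equals($known_string, $user_string)` order; `$hmac` appears to be the tag taken from the received packet, so it belongs in the second position. I would write `if (!hash_equals($this->hmac_check->hash($reconstructed), $hmac)) {` in the UMAC branch and `if (!hash_equals($this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed)), $hmac)) {` in the HMAC branch. `$hmac` is assigned outside the hunk, and if it can ever be a non-string there, `hash_equals()` on PHP 8 raises a `TypeError` instead of taking the `NET_SSH2_DISCONNECT_MAC_ERROR` path, so that is worth confirming. The patch adds no regression test for a tampered MAC; the body of `get_binary_packet()` starts and ends outside the hunk.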
diff -Nru php-phpseclib3-3.0.43/debian/patches/series php-phpseclib3-3.0.43/debian/patches/series
--- php-phpseclib3-3.0.43/debian/patches/series	2026-03-24 08:15:58.000000000 +0100
+++ php-phpseclib3-3.0.43/debian/patches/series	2026-04-19 11:32:03.000000000 +0200
@@ -6,3 +6,4 @@
 0006-Drop-PHPUnit-compatibility-code.patch
 0007-Modernize-PHPUnit-syntax.patch
 0008-make-unpadding-constant-time.patch
+0009-Merge-branch-2.0-into-3.0.patch
