diff -Nru php-phpseclib3-3.0.19/debian/changelog php-phpseclib3-3.0.19/debian/changelog
--- php-phpseclib3-3.0.19/debian/changelog	2026-03-24 08:34:55.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/changelog	2026-04-19 11:29:51.000000000 +0200
@@ -1,3 +1,10 @@
+php-phpseclib3 (3.0.19-1+deb12u5) bookworm; urgency=medium
+
+  * SSH2: use constant time string comparison in get_binary_packet()
+    [CVE-2026-40194]
+
+ -- David Prévot <taffit@debian.org>  Sun, 19 Apr 2026 11:29:51 +0200
+
 php-phpseclib3 (3.0.19-1+deb12u4) bookworm-security; urgency=medium
 
   * make unpadding constant time [CVE-2026-32935] (Closes: #1131482)
diff -Nru php-phpseclib3-3.0.19/debian/patches/0019-Merge-branch-2.0-into-3.0.patch php-phpseclib3-3.0.19/debian/patches/0019-Merge-branch-2.0-into-3.0.patch
--- php-phpseclib3-3.0.19/debian/patches/0019-Merge-branch-2.0-into-3.0.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/patches/0019-Merge-branch-2.0-into-3.0.patch	2026-04-19 11:27:25.000000000 +0200
@@ -0,0 +1,32 @@
+From: terrafrost <terrafrost@php.net>
+Date: Thu, 9 Apr 2026 19:59:48 -0500
+Subject: Merge branch '2.0' into 3.0
+
+SSH2: use constant time string comparison in get_binary_packet():
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/254140b34b8d738c53686f0362b22e2153d893ea
+Bug: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-40194
+---
+ phpseclib/Net/SSH2.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php
+index 87a4c8d..2e5b30b 100644
+--- a/phpseclib/Net/SSH2.php
++++ b/phpseclib/Net/SSH2.php
+@@ -3500,12 +3500,12 @@ class SSH2
+                 $encrypted;
+             if (($this->hmac_check->getHash() & "\xFF\xFF\xFF\xFF") == 'umac') {
+                 $this->hmac_check->setNonce("\0\0\0\0" . pack('N', $this->get_seq_no));
+-                if ($hmac != $this->hmac_check->hash($reconstructed)) {
++                if (!hash_equals($hmac, $this->hmac_check->hash($reconstructed))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new \RuntimeException('Invalid UMAC');
+                 }
+             } else {
+-                if ($hmac != $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed))) {
++                if (!hash_equals($hmac, $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed)))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new \RuntimeException('Invalid HMAC');
+                 }
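Review bot: Both rewritten comparisons in get_binary_packet() pass `$hmac` as the first argument of hash_equals(), but PHP documents the first parameter as the known string and the second as the user-supplied one; here the locally computed MAC is the known value and `$hmac` appears to be the value received from the peer. Swapping them, `hash_equals($this->hmac_check->hash($reconstructed), $hmac)` and `hash_equals($this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed)), $hmac)`, matches the documented contract, although the practical difference is small because the MAC length is not secret. hash_equals() also requires both arguments to be strings, whereas the replaced `!=` accepted any type, so a non-string `$hmac` (for example `false` from a failed read) would surface as a TypeError on PHP 8 rather than the intended RuntimeException. It is worth confirming that `$hmac` is checked against `false` and the expected MAC length before this point; its assignment, like the start and end of the function, lies outside the hunk.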
diff -Nru php-phpseclib3-3.0.19/debian/patches/series php-phpseclib3-3.0.19/debian/patches/series
--- php-phpseclib3-3.0.19/debian/patches/series	2026-03-24 08:34:51.000000000 +0100
+++ php-phpseclib3-3.0.19/debian/patches/series	2026-04-19 11:27:25.000000000 +0200
@@ -16,3 +16,4 @@
 0016-BigInteger-optimize-getLength.patch
 0017-make-unpadding-constant-time.patch
 0018-X509-fix-for-weird-characters-in-subjaltname.patch
+0019-Merge-branch-2.0-into-3.0.patch
