[pkg-php-pear] Bug#1131482: php-phpseclib3: CVE-2026-32935
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 21 19:11:50 GMT 2026
Source: php-phpseclib3
Version: 3.0.49-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: clone -1 -2 -3
Control: reassign -2 src:php-phpseclib 2.0.51-1
Control: reassign -3 src:phpseclib 1.0.24-1
Control: retitle -2 php-phpseclib: CVE-2026-32935
Control: retitle -3 phpseclib: CVE-2026-32935
Hi,
The following vulnerability was published for phpseclib.
CVE-2026-32935[0]:
| phpseclib is a PHP secure communications library. Projects using
| versions 1.0.26 and below, 2.0.0 through 2.0.51, and 3.0.0 through
| 3.0.49 are vulnerable to a to padding oracle timing attack when
| using AES in CBC mode. This issue has been fixed in versions 1.0.27,
| 2.0.52 and 3.0.50.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32935
https://www.cve.org/CVERecord?id=CVE-2026-32935
[1] https://github.com/phpseclib/phpseclib/security/advisories/GHSA-94g3-g5v7-q4jg
[2] https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-php-pear
mailing list