Version in base suite: 2.0.42-1+deb12u2 Base version: php-phpseclib_2.0.42-1+deb12u2 Target version: php-phpseclib_2.0.42-1+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-phpseclib/php-phpseclib_2.0.42-1+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-phpseclib/php-phpseclib_2.0.42-1+deb12u3.dsc changelog | 7 patches/0016-make-unpadding-constant-time.patch | 25 + patches/0017-X509-fix-for-weird-characters-in-subjaltname.patch | 139 ++++++++++ patches/0018-Tests-X509-updates-to-work-for-2.0-branch.patch | 31 ++ patches/series | 3 5 files changed, 205 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpafbkghin/php-phpseclib_2.0.42-1+deb12u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpafbkghin/php-phpseclib_2.0.42-1+deb12u3.dsc: no acceptable signature found
diff -Nru php-phpseclib-2.0.42/debian/changelog php-phpseclib-2.0.42/debian/changelog
--- php-phpseclib-2.0.42/debian/changelog 2024-02-26 22:23:19.000000000 +0000
+++ php-phpseclib-2.0.42/debian/changelog 2026-03-24 07:51:03.000000000 +0000
@@ -1,3 +1,10 @@
+php-phpseclib (2.0.42-1+deb12u3) bookworm-security; urgency=medium
+
+ * make unpadding constant time [CVE-2026-32935] (Closes: #1131483)
+ * X509: fix for weird characters in subjaltname [CVE-2023-52892]
+
+ -- David Prévot Tue, 24 Mar 2026 08:51:03 +0100
+
 php-phpseclib (2.0.42-1+deb12u2) bookworm; urgency=medium
 
 * Backport upstream fixes
diff -Nru php-phpseclib-2.0.42/debian/patches/0016-make-unpadding-constant-time.patch php-phpseclib-2.0.42/debian/patches/0016-make-unpadding-constant-time.patch
--- php-phpseclib-2.0.42/debian/patches/0016-make-unpadding-constant-time.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.42/debian/patches/0016-make-unpadding-constant-time.patch 2026-03-24 07:51:03.000000000 +0000
@@ -0,0 +1,25 @@
+From: terrafrost
+Date: Fri, 13 Mar 2026 08:52:40 -0500
+Subject: make unpadding constant time
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788
+Bug: https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788
+Bug-Debian: https://bugs.debian.org/1131483
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-32935
+---
+ phpseclib/Crypt/Base.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/phpseclib/Crypt/Base.php b/phpseclib/Crypt/Base.php
+index 7bb357a..1db1320 100644
+--- a/phpseclib/Crypt/Base.php
++++ b/phpseclib/Crypt/Base.php
+@@ -2068,7 +2068,7 @@ abstract class Base
+
+ $length = ord($text[strlen($text) - 1]);
+
+- if (!$length || $length > $this->block_size) {
++ if (!$length | ($length > $this->block_size)) {
+ return false;
+ }
+
diff -Nru php-phpseclib-2.0.42/debian/patches/0017-X509-fix-for-weird-characters-in-subjaltname.patch php-phpseclib-2.0.42/debian/patches/0017-X509-fix-for-weird-characters-in-subjaltname.patch
--- php-phpseclib-2.0.42/debian/patches/0017-X509-fix-for-weird-characters-in-subjaltname.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.42/debian/patches/0017-X509-fix-for-weird-characters-in-subjaltname.patch 2026-03-24 07:51:03.000000000 +0000
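Review bot: The switch from `||` to bitwise `|` in `if (!$length | ($length > $this->block_size))` is intentional but carries no comment, so a later cleanup or static-analysis fix could quietly restore the short-circuit; add `// bitwise | on purpose: evaluate both checks so neither is skipped (CVE-2026-32935)` above the condition. The change only makes the two rejection conditions cost the same: the branch still returns `false` early for bad padding, and in the visible lines only the final byte is examined, so the valid/invalid distinction may remain observable to a caller that reports or times it. Where callers decrypt ciphertext from an untrusted source, verifying a MAC before decryption remains the stronger mitigation. The enclosing function starts and ends outside the hunk.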
@@ -0,0 +1,139 @@
+From: terrafrost
+Date: Mon, 25 Sep 2023 10:31:33 -0500
+Subject: X509: fix for weird characters in subjaltname
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/6cd6e8ceab9f2b55c8cd81d2192bf98cbeaf4627
+Bug: https://github.com/phpseclib/phpseclib/issues/1943
+Bug: https://github.com/advisories/GHSA-ff7q-6vwh-v9m4
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-52892
+---
+ phpseclib/File/X509.php | 3 +-
+ tests/Unit/File/X509/X509Test.php | 103 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 105 insertions(+), 1 deletion(-)
+
+diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
+index 73ecd25..b4e50ec 100644
+--- a/phpseclib/File/X509.php
++++ b/phpseclib/File/X509.php
+@@ -2066,7 +2066,8 @@ class X509
+ if ($names = $this->getExtension('id-ce-subjectAltName')) {
+ foreach ($names as $name) {
+ foreach ($name as $key => $value) {
+- $value = str_replace(array('.', '*'), array('\.', '[^.]*'), $value);
++ $value = preg_quote($value);
++ $value = str_replace('\*', '[^.]*', $value);
+ switch ($key) {
+ case 'dNSName':
+ /* From RFC2818 "HTTP over TLS":
+diff --git a/tests/Unit/File/X509/X509Test.php b/tests/Unit/File/X509/X509Test.php
+index 0de4588..3da08d4 100644
+--- a/tests/Unit/File/X509/X509Test.php
++++ b/tests/Unit/File/X509/X509Test.php
+@@ -959,4 +959,107 @@ BbNA6tFZAwLoX18R6yEmzHAQ+R2Eliiaz7mgQ+M2d0ec6qQJFoO7aJsX
+
+ $this->assertIsArray($r);
+ }
++
++ public function testWildcardCert()
++ {
++ $cert = '-----BEGIN CERTIFICATE-----
++MIIKqDCCCZCgAwIBAgIQAZ3dCTUFVNcaZ4TM/m6DFTANBgkqhkiG9w0BAQsFADBY
++MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEuMCwGA1UE
++AxMlR2xvYmFsU2lnbiBBdGxhcyBSMyBEViBUTFMgQ0EgMjAyMyBRMzAeFw0yMzA5
++MTIxOTM4MDVaFw0yNDEwMTMxOTM4MDRaMBIxEDAOBgNVBAMMB2Nubi5jb20wggEi
++MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDsZniL9RpV7hDYPJvS4TGa39w5
++BLHGsPhi4lV4HVtyIme0/NMMmszIeNoY+aaDSM2dn0gw29GIq1prZSAQK8BgDU6a
++otU5mWG8J+xABnn75DQ1BHjXZFl4EfjL4mIhMaVY34O+0wG06owvFDUgxRzYnwlb
++y6WEJfTRyv70MF6EIq0zZxW2cMgfyuq8ZEtgYddSr4I/2/xVxACBUDFYNqYbr9AR
++qmJKvzglrSYULaBJ84oY3RnBnDCVUkMW3qYT1mIDop+Jz4wLyMyvHq0QA0wY/BhI
++ByhJTkdQy7xH2N8O2MohQmaVo6x6w01cqsZyIHND1JSL3lAJiMtU8aMl3+edAgMB
++AAGjggeyMIIHrjCCBGcGA1UdEQSCBF4wggRaggdjbm4uY29tgg0qLmFwaS5jbm4u
++Y29tggwqLmFwaS5jbm4uaW+CHSouYXBpLmVsZWN0aW9udHJhY2tlci5jbm4uY29t
++ghYqLmFwaS5wbGF0Zm9ybS5jbm4uY29tghAqLmFyYWJpYy5jbm4uY29tghQqLmFy
++dGVtaXMudHVybmVyLmNvbYIPKi5ibG9ncy5jbm4uY29tghgqLmNsaWVudC5hcHBs
++ZXR2LmNubi5jb22CCSouY25uLmNvbYIIKi5jbm4uaW+CDyouY25uYXJhYmljLmNv
++bYIOKi5jbm5tb25leS5jb22CESouY25ucG9saXRpY3MuY29tghYqLmNvbmZpZy5v
++dXR0dXJuZXIuY29tghEqLmRhdGEuYXBpLmNubi5pb4IRKi5lZGl0aW9uLmNubi5j
++b22CFyouZWRpdGlvbi5pLmNkbi5jbm4uY29tghwqLmVkaXRpb24uc3RhZ2UubmV4
++dC5jbm4uY29tgh0qLmVkaXRpb24uc3RhZ2UyLm5leHQuY25uLmNvbYIdKi5lZGl0
++aW9uLnN0YWdlMy5uZXh0LmNubi5jb22CEyouZWxlY3Rpb25zLmNubi5jb22CGSou
++ZWxlY3Rpb250cmFja2VyLmNubi5jb22CDCouZ28uY25uLmNvbYIPKi5pLmNkbi5j
++bm4uY29tghYqLm1hcmtldHMubW9uZXkuY25uLmlvgg8qLm1vbmV5LmNubi5jb22C
++DioubmV4dC5jbm4uY29tghYqLm9kbS5wbGF0Zm9ybS5jbm4uY29tgg8qLm91dHR1
++cm5lci5jb22CEioucGxhdGZvcm0uY25uLmNvbYIfKi5zZWN0aW9uLWNvbnRlbnQu
++bW9uZXkuY25uLmNvbYIUKi5zdGFnZS5uZXh0LmNubi5jb22CFSouc3RhZ2UyLm5l
++eHQuY25uLmNvbYIVKi5zdGFnZTMubmV4dC5jbm4uY29tghEqLnN0ZWxsYXIuY25u
++LmNvbYIUKi50ZXJyYS5uZXh0LmNubi5jb22CECoudHJhdmVsLmNubi5jb22CEyou
++d3d3LmkuY2RuLmNubi5jb22CD2FwaS5ldHAuY25uLmNvbYIWY2xpZW50LmFwcGxl
++dHYuY25uLmNvbYINY25uYXJhYmljLmNvbYIMY25ubW9uZXkuY29tgg9jbm5wb2xp
++dGljcy5jb22CDWRjZmFuZG9tZS5jb22CHGdyYXBocWwudmVydGljYWxzLmFwaS5j
++bm4uaW+CFGkuY2RuLnRyYXZlbC5jbm4uY29tghlwcmV2aWV3LmRldi5tb25leS5j
++bm4uY29tghhwcmV2aWV3LnFhLm1vbmV5LmNubi5jb22CGXByZXZpZXcucmVmLm1v
++bmV5LmNubi5jb22CG3ByZXZpZXcudHJhaW4ubW9uZXkuY25uLmNvbYIacHJldmll
++dzIucmVmLm1vbmV5LmNubi5jb22CD3VuZGVyc2NvcmVkLmNvbTAOBgNVHQ8BAf8E
++BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBT9
++Fy8eFhWRk9UjmQVNdVD8lZEhFTBXBgNVHSAEUDBOMAgGBmeBDAECATBCBgorBgEE
++AaAyCgEDMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29t
++L3JlcG9zaXRvcnkvMAwGA1UdEwEB/wQCMAAwgZ4GCCsGAQUFBwEBBIGRMIGOMEAG
++CCsGAQUFBzABhjRodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9jYS9nc2F0bGFz
++cjNkdnRsc2NhMjAyM3EzMEoGCCsGAQUFBzAChj5odHRwOi8vc2VjdXJlLmdsb2Jh
++bHNpZ24uY29tL2NhY2VydC9nc2F0bGFzcjNkdnRsc2NhMjAyM3EzLmNydDAfBgNV
++HSMEGDAWgBTtoOYBBT40ghqkT1/FvRFBqt/zYTBIBgNVHR8EQTA/MD2gO6A5hjdo
++dHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2NhL2dzYXRsYXNyM2R2dGxzY2EyMDIz
++cTMuY3JsMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdQDuzdBk1dsazsVct520
++zROiModGfLzs3sNRSFlGcR+1mwAAAYqK5qvdAAAEAwBGMEQCIE08u4H1qqO/W1OP
++YxuxGftmdYvpngZDDBIKPJtwCB1qAiBjpQIgGnsX7H5wVWzxZtpff+gB6a9V+VGx
++YY6hTg5eSAB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABiorm
++rCoAAAQDAEcwRQIhAKgfE42oSB7890qz2OJXfydLzubHcsHtPNbO43Z3IsczAiBX
++bvuajpVoxMlYmMHhiVS4/qF9Wd1nACXQBy3KaTen8AB3AHb/iD8KtvuVUcJhzPWH
++ujS0pM27KdxoQgqf5mdMWjp0AAABiormrGkAAAQDAEgwRgIhAOCBs1ExXErb1s3+
++mI53aclpYutFJSWHmbnxbw5lULlEAiEAsrJQzWT2E4w5xcoeC0Zt+nMubTJG2BG7
++2KKQnHPiNlswDQYJKoZIhvcNAQELBQADggEBAGMUNah4Pw60DYWQbtlH0jFYdvNM
++s+Vsh27OQEYbhE2itGWs0JvvQUDst7Y+jMHPre5NZtdmr1RnmQFoVofTvwxQxtJ4
++VOqJfh2X1LTv4VrZI9m6lBLN729CDO/TKeVP9hiflVqe7faAXT8KBEFwPWE5If+z
++VqSx3vPmDx+RM7OXYrVzhEmhVVjRq7yANUF+oxW64zK4zsNzYGUAyp1gmInaXKN5
++XSRklj10ZrVHcd0XLuAME/9+54Bm7TvRfI46hfCfu6FbQPIX3gg+5j+MZJSdIuQJ
++dzXhMVAQYlpu27381/Ts2SuDx6v/cZ8lV8D5o/xTtCpWAnLxM2bxSyVnYbk=
++-----END CERTIFICATE-----';
++
++ $x509 = new File_X509();
++ $cert = $x509->loadX509($cert);
++
++ $this->assertTrue($x509->validateURL('https://asdf.cnn.com/'));
++ $this->assertFalse($x509->validateURL('https://asdf.cnn2.com/'));
++ }
++
++ /**
++ * @group github1943
++ */
++ public function testWeirdCharsCert()
++ {
++ $cert = '-----BEGIN CERTIFICATE-----
++MIIDtTCCAp2gAwIBAgICECEwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCVVMx
++ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g
++RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNjAyMDcx
++NzI0MDBaFw0yNDAxMDYwNjQ0NThaMHkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
++QTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4x
++GDAWBgNVBAsTD0dvb2dsZSBSZXNlYXJjaDEVMBMGA1UEAxQMKi5nb29nbGUuY29t
++MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAxUWTaM/RKjoA8urhPYXr
++Nh2Oz9HA88XkFIxhD3pm80wBlTTTnymSJJVWKpEJO7OyengVFRIv7U19VAFd8VCh
++TCiFl7a4hsiWWQi3zh/NYgj0BnweNriblknBKTze6te1DP8otZ22qBUmhCR27aER
++MWE9urWLwMIuJN/hxK234MljS9lBB3fv52RrZzSftga/P5zK34ZOlbnGcLbtoKR3
++p0uWakBZM8u/665hQ4u4+YkA2kJy5YSF6wXpYKl29/mj1w9ODJTUFj3KmliiGXeo
++2IhYLu4Pq52D7OKjDvKZRKK6tOM8Pii1c310ljlCewCuF/Oy/ygbNmaJG7J8/jTA
++pwIBA6NfMF0wDAYDVR0TAQH/BAIwADANBgNVHREEBjAEggJhKzAdBgNVHQ4EFgQU
++Zd/yRfldVXIxnAKzGaO6vZrb2XswHwYDVR0jBBgwFoAU4J1tAjJyIZ/+BvOatp4W
++N1Fo5MMwDQYJKoZIhvcNAQELBQADggEBAAcwSIxKQegRqCs7adDb3VbqP1Ld0dA6
++FydwendbN1P4NaqqdM89NhpOVZ5g60eM4sc08m5oZIMWqjwp3Gyf2pqM2FMQ02zi
++1lMRb+t9rtjtZXCdcTjuwySYXw7M7NM0Lxhv7yN9+Vben1RTBWFghk8y4t6sai5L
++68hFu+fkQzKIpHE/9cdBS+rtqyCrNit3kvqVhVpGECTS2flTBHnCe7mINojSTOsB
++JYhGgW6KsKViE0hzQB8dSAcNcfwQPSKzOd02crXdJ7uYvZZK9prN83Oe1iDaizeA
++1ntA2AzsC0OGg/ekAnAlxia3mzcJv0PgxRpSG7xjWSL+FVFTTs2I/wk=
++-----END CERTIFICATE-----';
++
++ $x509 = new File_X509();
++ $cert = $x509->loadX509($cert);
++
++ $this->assertFalse($x509->validateURL('https://aa'));
++ }
+ }
diff -Nru php-phpseclib-2.0.42/debian/patches/0018-Tests-X509-updates-to-work-for-2.0-branch.patch php-phpseclib-2.0.42/debian/patches/0018-Tests-X509-updates-to-work-for-2.0-branch.patch
--- php-phpseclib-2.0.42/debian/patches/0018-Tests-X509-updates-to-work-for-2.0-branch.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib-2.0.42/debian/patches/0018-Tests-X509-updates-to-work-for-2.0-branch.patch 2026-03-24 07:51:03.000000000 +0000
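Review bot: `preg_quote($value)` in the X509.php hunk is called without the delimiter argument, so the delimiter of the pattern this value is later embedded in is escaped only if it happens to be in preg_quote's default set. The `preg_match` call is outside the hunk, so confirm which delimiter it uses and pass it explicitly, e.g. `$value = preg_quote($value, '#');` with the actual delimiter in place of `'#'`. The quoting and the `\*` to `[^.]*` rewrite also run before `switch ($key)`, so they apply to every subjectAltName entry type and not only `dNSName`; a one-line comment stating that the wildcard expansion is meant for host names would make that explicit. On the test side, `testWeirdCharsCert` pins only a rejection; an assertion that a name containing regex metacharacters still matches its own literal host would cover the other direction.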
@@ -0,0 +1,31 @@
+From: terrafrost
+Date: Mon, 25 Sep 2023 10:46:39 -0500
+Subject: Tests/X509: updates to work for 2.0 branch
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/a0abd3507b3426d3e445bc1be1953f0afb69700d
+---
+ tests/Unit/File/X509/X509Test.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/Unit/File/X509/X509Test.php b/tests/Unit/File/X509/X509Test.php
+index 3da08d4..d7b7043 100644
+--- a/tests/Unit/File/X509/X509Test.php
++++ b/tests/Unit/File/X509/X509Test.php
+@@ -1022,7 +1022,7 @@ XSRklj10ZrVHcd0XLuAME/9+54Bm7TvRfI46hfCfu6FbQPIX3gg+5j+MZJSdIuQJ
+ dzXhMVAQYlpu27381/Ts2SuDx6v/cZ8lV8D5o/xTtCpWAnLxM2bxSyVnYbk=
+ -----END CERTIFICATE-----';
+
+- $x509 = new File_X509();
++ $x509 = new X509();
+ $cert = $x509->loadX509($cert);
+
+ $this->assertTrue($x509->validateURL('https://asdf.cnn.com/'));
+@@ -1057,7 +1057,7 @@ JYhGgW6KsKViE0hzQB8dSAcNcfwQPSKzOd02crXdJ7uYvZZK9prN83Oe1iDaizeA
+ 1ntA2AzsC0OGg/ekAnAlxia3mzcJv0PgxRpSG7xjWSL+FVFTTs2I/wk=
+ -----END CERTIFICATE-----';
+
+- $x509 = new File_X509();
++ $x509 = new X509();
+ $cert = $x509->loadX509($cert);
+
+ $this->assertFalse($x509->validateURL('https://aa'));
diff -Nru php-phpseclib-2.0.42/debian/patches/series php-phpseclib-2.0.42/debian/patches/series
--- php-phpseclib-2.0.42/debian/patches/series 2024-02-26 22:23:19.000000000 +0000
+++ php-phpseclib-2.0.42/debian/patches/series 2026-03-24 07:51:03.000000000 +0000
@@ -13,3 +13,6 @@
 0013-Tests-updates-for-phpseclib-2.0.patch
 0014-BigInteger-phpseclib-2.0-updates.patch
 0015-BigInteger-fix-getLength.patch
+0016-make-unpadding-constant-time.patch
+0017-X509-fix-for-weird-characters-in-subjaltname.patch
+0018-Tests-X509-updates-to-work-for-2.0-branch.patch