Version in base suite: 3.0.43-2 Base version: php-phpseclib3_3.0.43-2 Target version: php-phpseclib3_3.0.43-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-phpseclib3/php-phpseclib3_3.0.43-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-phpseclib3/php-phpseclib3_3.0.43-2+deb13u1.dsc changelog | 7 +++++ control | 2 - gbp.conf | 2 - patches/0008-make-unpadding-constant-time.patch | 29 ++++++++++++++++++++++++ patches/series | 1 5 files changed, 39 insertions(+), 2 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyzx4tbur/php-phpseclib3_3.0.43-2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyzx4tbur/php-phpseclib3_3.0.43-2+deb13u1.dsc: no acceptable signature found
diff -Nru php-phpseclib3-3.0.43/debian/changelog php-phpseclib3-3.0.43/debian/changelog
--- php-phpseclib3-3.0.43/debian/changelog 2025-02-17 10:41:25.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/changelog 2026-03-24 07:15:58.000000000 +0000
@@ -1,3 +1,10 @@
+php-phpseclib3 (3.0.43-2+deb13u1) trixie-security; urgency=medium
+
+ * make unpadding constant time [CVE-2026-32935] (Closes: #1131482)
+ * Track trixie
+
+ -- David Prévot Tue, 24 Mar 2026 08:15:58 +0100
+
 php-phpseclib3 (3.0.43-2) unstable; urgency=medium
 * Modernize PHPUnit syntax
diff -Nru php-phpseclib3-3.0.43/debian/control php-phpseclib3-3.0.43/debian/control
--- php-phpseclib3-3.0.43/debian/control 2025-02-17 09:47:11.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/control 2026-03-24 07:15:58.000000000 +0000
@@ -13,7 +13,7 @@
 phpunit
 Standards-Version: 4.7.0
 Homepage: https://phpseclib.sourceforge.net/
-Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git
+Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/trixie
 Vcs-Browser: https://salsa.debian.org/php-team/pear/phpseclib
 Rules-Requires-Root: no
diff -Nru php-phpseclib3-3.0.43/debian/gbp.conf php-phpseclib3-3.0.43/debian/gbp.conf
--- php-phpseclib3-3.0.43/debian/gbp.conf 2025-02-17 09:47:11.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/gbp.conf 2026-03-24 07:15:58.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/trixie
 pristine-tar = True
 filter = [ '.gitattributes' ]
 upstream-vcs-tag = %(version%~%-)s
diff -Nru php-phpseclib3-3.0.43/debian/patches/0008-make-unpadding-constant-time.patch php-phpseclib3-3.0.43/debian/patches/0008-make-unpadding-constant-time.patch
--- php-phpseclib3-3.0.43/debian/patches/0008-make-unpadding-constant-time.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/patches/0008-make-unpadding-constant-time.patch 2026-03-24 07:15:58.000000000 +0000
@@ -0,0 +1,29 @@
+From: terrafrost
+Date: Fri, 13 Mar 2026 09:26:02 -0500
+Subject: make unpadding constant time
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788
+
+Merge branch '2.0' into 3.0
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/1f6155623e2814c8a3e76f3490405bb6f5b4751e
+Bug: https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788
+Bug-Debian: https://bugs.debian.org/1131482
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-32935
+---
+ phpseclib/Crypt/Common/SymmetricKey.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/phpseclib/Crypt/Common/SymmetricKey.php b/phpseclib/Crypt/Common/SymmetricKey.php
+index 35d7a7d..e595707 100644
+--- a/phpseclib/Crypt/Common/SymmetricKey.php
++++ b/phpseclib/Crypt/Common/SymmetricKey.php
+@@ -2591,7 +2591,7 @@ abstract class SymmetricKey
+
+ $length = ord($text[strlen($text) - 1]);
+
+- if (!$length || $length > $this->block_size) {
++ if (!$length | ($length > $this->block_size)) {
+ throw new BadDecryptionException("The ciphertext has an invalid padding length ($length) compared to the block size ({$this->block_size})");
+ }
+
diff -Nru php-phpseclib3-3.0.43/debian/patches/series php-phpseclib3-3.0.43/debian/patches/series
--- php-phpseclib3-3.0.43/debian/patches/series 2025-02-17 10:41:11.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/patches/series 2026-03-24 07:15:58.000000000 +0000
@@ -5,3 +5,4 @@
 0005-Skip-test-failing-on-s390x-architecture.patch
 0006-Drop-PHPUnit-compatibility-code.patch
 0007-Modernize-PHPUnit-syntax.patch
+0008-make-unpadding-constant-time.patch
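Review bot: The switch to a bitwise `|` in the nested `SymmetricKey.php` hunk of 0008-make-unpadding-constant-time.patch is deliberate but carries no comment, so a later cleanup or linter autofix could restore `||` and with it the short-circuit; a line such as `// bitwise | on purpose: both comparisons are always evaluated, no short-circuit` above the `if` would protect it. The exception on the next line still interpolates `$length`, which is read from the last byte of the decrypted text, and throwing at all remains a distinguishable outcome, so the change appears to narrow the timing difference in this check rather than remove the padding signal. Callers should map `BadDecryptionException` to one generic failure and not relay its message to a peer, and where the protocol allows it, authenticate the ciphertext before decrypting. The enclosing method begins and ends outside the hunk, so whether the rest of the unpadding path is data-independent cannot be judged from here.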