Version in base suite: 3.0.43-2
Version in overlay suite: 3.0.43-2+deb13u1

Base version: php-phpseclib3_3.0.43-2+deb13u1
Target version: php-phpseclib3_3.0.43-2+deb13u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-phpseclib3/php-phpseclib3_3.0.43-2+deb13u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-phpseclib3/php-phpseclib3_3.0.43-2+deb13u3.dsc

 changelog                                                               |   14 ++++
 patches/0009-Merge-branch-2.0-into-3.0.patch                            |   32 ++++++++++
 patches/0010-Revert-Tests-phpseclib-3.0-updates.patch                   |   24 +++++++
 patches/0011-ASN1-reduce-length-of-supported-OIDs-from-4096-bytes.patch |   26 ++++++++
 patches/series                                                          |    3 
 5 files changed, 99 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpv5do1on5/php-phpseclib3_3.0.43-2+deb13u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpv5do1on5/php-phpseclib3_3.0.43-2+deb13u3.dsc: no acceptable signature found
diff -Nru php-phpseclib3-3.0.43/debian/changelog php-phpseclib3-3.0.43/debian/changelog
--- php-phpseclib3-3.0.43/debian/changelog	2026-03-24 07:15:58.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/changelog	2026-04-28 11:45:21.000000000 +0000
@@ -1,3 +1,17 @@
+php-phpseclib3 (3.0.43-2+deb13u3) trixie; urgency=medium
+
+  * ASN1: reduce length of supported OIDs from 4096 bytes to 128 bytes
+    [CVE-2024-27355]
+
+ -- David Prévot <taffit@debian.org>  Tue, 28 Apr 2026 13:45:21 +0200
+
+php-phpseclib3 (3.0.43-2+deb13u2) trixie; urgency=medium
+
+  * SSH2: use constant time string comparison in get_binary_packet()
+    [CVE-2026-40194]
+
+ -- David Prévot <taffit@debian.org>  Sun, 19 Apr 2026 11:32:40 +0200
+
 php-phpseclib3 (3.0.43-2+deb13u1) trixie-security; urgency=medium
 
   * make unpadding constant time [CVE-2026-32935] (Closes: #1131482)
diff -Nru php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch
--- php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch	1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/patches/0009-Merge-branch-2.0-into-3.0.patch	2026-04-28 11:44:19.000000000 +0000
@@ -0,0 +1,32 @@
+From: terrafrost <terrafrost@php.net>
+Date: Thu, 9 Apr 2026 19:59:48 -0500
+Subject: Merge branch '2.0' into 3.0
+
+SSH2: use constant time string comparison in get_binary_packet():
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/254140b34b8d738c53686f0362b22e2153d893ea
+Bug: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-40194
+---
+ phpseclib/Net/SSH2.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php
+index 4f1a849..5946740 100644
+--- a/phpseclib/Net/SSH2.php
++++ b/phpseclib/Net/SSH2.php
+@@ -3709,12 +3709,12 @@ class SSH2
+                 substr($packet->raw, 0, -$this->hmac_size);
+             if (($this->hmac_check->getHash() & "\xFF\xFF\xFF\xFF") == 'umac') {
+                 $this->hmac_check->setNonce("\0\0\0\0" . pack('N', $this->get_seq_no));
+-                if ($hmac != $this->hmac_check->hash($reconstructed)) {
++                if (!hash_equals($hmac, $this->hmac_check->hash($reconstructed))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new ConnectionClosedException('Invalid UMAC');
+                 }
+             } else {
+-                if ($hmac != $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed))) {
++                if (!hash_equals($hmac, $this->hmac_check->hash(pack('Na*', $this->get_seq_no, $reconstructed)))) {
+                     $this->disconnect_helper(NET_SSH2_DISCONNECT_MAC_ERROR);
+                     throw new ConnectionClosedException('Invalid HMAC');
+                 }
diff -Nru php-phpseclib3-3.0.43/debian/patches/0010-Revert-Tests-phpseclib-3.0-updates.patch php-phpseclib3-3.0.43/debian/patches/0010-Revert-Tests-phpseclib-3.0-updates.patch
--- php-phpseclib3-3.0.43/debian/patches/0010-Revert-Tests-phpseclib-3.0-updates.patch	1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/patches/0010-Revert-Tests-phpseclib-3.0-updates.patch	2026-04-28 11:44:19.000000000 +0000
@@ -0,0 +1,24 @@
+From: =?utf-8?q?David_Pr=C3=A9vot?= <taffit@debian.org>
+Date: Tue, 28 Apr 2026 13:41:13 +0200
+Subject: Revert "Tests: phpseclib 3.0 updates"
+
+This reverts commit baba459ca1b2619b173805ca3dfedc4e5a88eac6.
+
+Origin: backport, https://github.com/phpseclib/phpseclib/commit/baba459ca1b2619b173805ca3dfedc4e5a88eac6
+---
+ phpseclib/File/ASN1.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/phpseclib/File/ASN1.php b/phpseclib/File/ASN1.php
+index c4b06a5..1bee591 100644
+--- a/phpseclib/File/ASN1.php
++++ b/phpseclib/File/ASN1.php
+@@ -1150,7 +1150,7 @@ abstract class ASN1
+         $len = strlen($content);
+         // see https://github.com/openjdk/jdk/blob/2deb318c9f047ec5a4b160d66a4b52f93688ec42/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java#L55
+         if ($len > 4096) {
+-            //throw new \RuntimeException("Object identifier size is limited to 4096 bytes ($len bytes present)");
++            //user_error('Object Identifier size is limited to 4096 bytes');
+             return false;
+         }
+ 
diff -Nru php-phpseclib3-3.0.43/debian/patches/0011-ASN1-reduce-length-of-supported-OIDs-from-4096-bytes.patch php-phpseclib3-3.0.43/debian/patches/0011-ASN1-reduce-length-of-supported-OIDs-from-4096-bytes.patch
--- php-phpseclib3-3.0.43/debian/patches/0011-ASN1-reduce-length-of-supported-OIDs-from-4096-bytes.patch	1970-01-01 00:00:00.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/patches/0011-ASN1-reduce-length-of-supported-OIDs-from-4096-bytes.patch	2026-04-28 11:44:19.000000000 +0000
@@ -0,0 +1,26 @@
+From: terrafrost <terrafrost@php.net>
+Date: Mon, 27 Apr 2026 01:00:37 -0500
+Subject: ASN1: reduce length of supported OIDs from 4096 bytes to 128 bytes
+
+Origin: upstream, https://github.com/phpseclib/phpseclib/commit/d53d2021bcb9f6a04d5d44ec99e6bbef219a71bc
+Bug: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-2528-jw5q-ww88
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-27355
+---
+ phpseclib/File/ASN1.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/phpseclib/File/ASN1.php b/phpseclib/File/ASN1.php
+index 1bee591..91f1e6a 100644
+--- a/phpseclib/File/ASN1.php
++++ b/phpseclib/File/ASN1.php
+@@ -1149,8 +1149,8 @@ abstract class ASN1
+         $pos = 0;
+         $len = strlen($content);
+         // see https://github.com/openjdk/jdk/blob/2deb318c9f047ec5a4b160d66a4b52f93688ec42/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java#L55
+-        if ($len > 4096) {
+-            //user_error('Object Identifier size is limited to 4096 bytes');
++        if ($len > 128) {
++            //user_error('Object Identifier size is limited to 128 bytes');
+             return false;
+         }
+ 
diff -Nru php-phpseclib3-3.0.43/debian/patches/series php-phpseclib3-3.0.43/debian/patches/series
--- php-phpseclib3-3.0.43/debian/patches/series	2026-03-24 07:15:58.000000000 +0000
+++ php-phpseclib3-3.0.43/debian/patches/series	2026-04-28 11:44:19.000000000 +0000
@@ -6,3 +6,6 @@
 0006-Drop-PHPUnit-compatibility-code.patch
 0007-Modernize-PHPUnit-syntax.patch
 0008-make-unpadding-constant-time.patch
+0009-Merge-branch-2.0-into-3.0.patch
+0010-Revert-Tests-phpseclib-3.0-updates.patch
+0011-ASN1-reduce-length-of-supported-OIDs-from-4096-bytes.patch