Version in base suite: 2.0.48-3 Base version: php-phpseclib_2.0.48-3 Target version: php-phpseclib_2.0.48-3+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-phpseclib/php-phpseclib_2.0.48-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-phpseclib/php-phpseclib_2.0.48-3+deb13u1.dsc changelog | 7 ++++++ control | 2 - gbp.conf | 2 - patches/0012-make-unpadding-constant-time.patch | 25 ++++++++++++++++++++++++ patches/series | 1 5 files changed, 35 insertions(+), 2 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpn3470n7i/php-phpseclib_2.0.48-3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpn3470n7i/php-phpseclib_2.0.48-3+deb13u1.dsc: no acceptable signature found diff -Nru php-phpseclib-2.0.48/debian/changelog php-phpseclib-2.0.48/debian/changelog --- php-phpseclib-2.0.48/debian/changelog 2025-02-17 09:46:36.000000000 +0000 +++ php-phpseclib-2.0.48/debian/changelog 2026-03-24 07:44:18.000000000 +0000 @@ -1,3 +1,10 @@ +php-phpseclib (2.0.48-3+deb13u1) trixie-security; urgency=medium + + * Track trixie branch + * make unpadding constant time [CVE-2026-32935] (Closes: #1131483) + + -- David Prévot Tue, 24 Mar 2026 08:44:18 +0100 + php-phpseclib (2.0.48-3) unstable; urgency=medium * Modernize PHPUnit syntax diff -Nru php-phpseclib-2.0.48/debian/control php-phpseclib-2.0.48/debian/control --- php-phpseclib-2.0.48/debian/control 2025-02-17 09:45:52.000000000 +0000 +++ php-phpseclib-2.0.48/debian/control 2026-03-24 07:44:18.000000000 +0000 @@ -10,7 +10,7 @@ phpunit Standards-Version: 4.7.0 Homepage: https://phpseclib.sourceforge.net/ -Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/2.x +Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/trixie_2.x Vcs-Browser: https://salsa.debian.org/php-team/pear/phpseclib Rules-Requires-Root: no diff -Nru php-phpseclib-2.0.48/debian/gbp.conf php-phpseclib-2.0.48/debian/gbp.conf --- php-phpseclib-2.0.48/debian/gbp.conf 2025-02-16 11:47:20.000000000 +0000 +++ php-phpseclib-2.0.48/debian/gbp.conf 2026-03-24 07:44:18.000000000 +0000 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/2.x +debian-branch = debian/trixie_2.x upstream-branch = upstream-2.x pristine-tar = True filter = [ '.gitattributes' ] diff -Nru php-phpseclib-2.0.48/debian/patches/0012-make-unpadding-constant-time.patch php-phpseclib-2.0.48/debian/patches/0012-make-unpadding-constant-time.patch --- php-phpseclib-2.0.48/debian/patches/0012-make-unpadding-constant-time.patch 1970-01-01 00:00:00.000000000 +0000 +++ php-phpseclib-2.0.48/debian/patches/0012-make-unpadding-constant-time.patch 2026-03-24 07:44:18.000000000 +0000 @@ -0,0 +1,25 @@ +From: terrafrost +Date: Fri, 13 Mar 2026 08:52:40 -0500 +Subject: make unpadding constant time + +Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788 +Bug: https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788 +Bug-Debian: https://bugs.debian.org/1131483 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-32935 +--- + phpseclib/Crypt/Base.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/phpseclib/Crypt/Base.php b/phpseclib/Crypt/Base.php +index 2d4225a..1a3ecc2 100644 +--- a/phpseclib/Crypt/Base.php ++++ b/phpseclib/Crypt/Base.php +@@ -2069,7 +2069,7 @@ abstract class Base + + $length = ord($text[strlen($text) - 1]); + +- if (!$length || $length > $this->block_size) { ++ if (!$length | ($length > $this->block_size)) { + return false; + } + diff -Nru php-phpseclib-2.0.48/debian/patches/series php-phpseclib-2.0.48/debian/patches/series --- php-phpseclib-2.0.48/debian/patches/series 2025-02-17 09:45:52.000000000 +0000 +++ php-phpseclib-2.0.48/debian/patches/series 2026-03-24 07:44:18.000000000 +0000 @@ -9,3 +9,4 @@ 0009-Make-provider-classes-static-PHPUnit-11-fix.patch 0010-Group-nophpunit11-for-tests-failing-with-PHPUnit-11.patch 0011-Modernize-PHPUnit-syntax.patch +0012-make-unpadding-constant-time.patch