Version in base suite: 1.0.23-6 Base version: phpseclib_1.0.23-6 Target version: phpseclib_1.0.23-6+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/phpseclib/phpseclib_1.0.23-6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/phpseclib/phpseclib_1.0.23-6+deb13u1.dsc changelog | 7 ++++++ control | 2 - gbp.conf | 2 - patches/0013-make-unpadding-constant-time.patch | 25 ++++++++++++++++++++++++ patches/series | 1 5 files changed, 35 insertions(+), 2 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpc3cn7ocp/phpseclib_1.0.23-6.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpc3cn7ocp/phpseclib_1.0.23-6+deb13u1.dsc: no acceptable signature found diff -Nru phpseclib-1.0.23/debian/changelog phpseclib-1.0.23/debian/changelog --- phpseclib-1.0.23/debian/changelog 2025-02-16 11:43:15.000000000 +0000 +++ phpseclib-1.0.23/debian/changelog 2026-03-24 07:55:43.000000000 +0000 @@ -1,3 +1,10 @@ +phpseclib (1.0.23-6+deb13u1) trixie-security; urgency=medium + + * Track trixie branch + * make unpadding constant time [CVE-2026-32935] (Closes: #1131485) + + -- David Prévot Tue, 24 Mar 2026 08:55:43 +0100 + phpseclib (1.0.23-6) unstable; urgency=medium * Modernize PHPUnit syntax diff -Nru phpseclib-1.0.23/debian/control phpseclib-1.0.23/debian/control --- phpseclib-1.0.23/debian/control 2025-02-16 11:40:05.000000000 +0000 +++ phpseclib-1.0.23/debian/control 2026-03-24 07:55:43.000000000 +0000 @@ -10,7 +10,7 @@ phpunit Standards-Version: 4.7.0 Homepage: https://phpseclib.sourceforge.net/ -Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b v1 +Vcs-Git: https://salsa.debian.org/php-team/pear/phpseclib.git -b debian/trixie_1.x Vcs-Browser: https://salsa.debian.org/php-team/pear/phpseclib Rules-Requires-Root: no diff -Nru phpseclib-1.0.23/debian/gbp.conf phpseclib-1.0.23/debian/gbp.conf --- phpseclib-1.0.23/debian/gbp.conf 2025-01-05 08:53:16.000000000 +0000 +++ phpseclib-1.0.23/debian/gbp.conf 2026-03-24 07:55:43.000000000 +0000 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = v1 +debian-branch = debian/trixie_1.x pristine-tar = True upstream-branch = upstream-v1 filter = [ '.gitattributes' ] diff -Nru phpseclib-1.0.23/debian/patches/0013-make-unpadding-constant-time.patch phpseclib-1.0.23/debian/patches/0013-make-unpadding-constant-time.patch --- phpseclib-1.0.23/debian/patches/0013-make-unpadding-constant-time.patch 1970-01-01 00:00:00.000000000 +0000 +++ phpseclib-1.0.23/debian/patches/0013-make-unpadding-constant-time.patch 2026-03-24 07:55:43.000000000 +0000 @@ -0,0 +1,25 @@ +From: terrafrost +Date: Fri, 13 Mar 2026 08:52:40 -0500 +Subject: make unpadding constant time + +Origin: upstream, https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788 +Bug: https://github.com/phpseclib/phpseclib/commit/ccc21aef71eb170e9bf819b167e67d1fd9e6e788 +Bug-Debian: https://bugs.debian.org/1131484 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-32935 +--- + phpseclib/Crypt/Base.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/phpseclib/Crypt/Base.php b/phpseclib/Crypt/Base.php +index e88476b..d71d4db 100644 +--- a/phpseclib/Crypt/Base.php ++++ b/phpseclib/Crypt/Base.php +@@ -1999,7 +1999,7 @@ class Crypt_Base + + $length = ord($text[strlen($text) - 1]); + +- if (!$length || $length > $this->block_size) { ++ if (!$length | ($length > $this->block_size)) { + return false; + } + diff -Nru phpseclib-1.0.23/debian/patches/series phpseclib-1.0.23/debian/patches/series --- phpseclib-1.0.23/debian/patches/series 2025-02-16 11:40:06.000000000 +0000 +++ phpseclib-1.0.23/debian/patches/series 2026-03-24 07:55:43.000000000 +0000 @@ -10,3 +10,4 @@ 0010-Make-provider-classes-static-PHPUnit-11-fix.patch 0011-Group-nophpunit11-for-tests-failing-with-PHPUnit-11.patch 0012-Modernize-PHPUnit-syntax.patch +0013-make-unpadding-constant-time.patch