| Package | phpseclib |
|---|---|
| Version | 1.0.19-3~deb10u4 (buster) |
| Related CVEs | CVE-2023-52892 CVE-2026-32935 |

Two vulnerabilities were discovered in phpseclib, a PHP Secure Communications Library.

CVE-2023-52892

Some characters in Subject Alternative Name fields in TLS certificates were incorrectly allowed to have a special meaning in regular expressions, leading to name confusion in X.509 certificate host verification.

CVE-2026-32935

The AES-CBC implementation was susceptible to a padding oracle timing attack due to the use of a short-circuiting logical operator in the unpadding function.

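
The name confusion described under CVE-2023-52892, as an added illustration that is not phpseclib's code: a host matcher that escapes only `.` before using a SAN as a pattern, beside one that quotes every metacharacter with `preg_quote()` and then restores wildcard meaning for `*` alone. The function names and the SAN and host values are constructed for this example.

```php
<?php
// Added illustration; not taken from phpseclib. All names and values are constructed.

/** Flawed: only "." is escaped, so other regex metacharacters in the SAN stay live. */
function san_matches_unescaped(string $san, string $host): bool
{
    $pattern = str_replace('.', '\.', $san);         // literal dots
    $pattern = str_replace('*', '[^.]*', $pattern);  // wildcard covers one label
    return preg_match('#^' . $pattern . '$#i', $host) === 1;
}

/** Hardened: quote every metacharacter, then give meaning back to "*" only. */
function san_matches_quoted(string $san, string $host): bool
{
    $pattern = preg_quote($san, '#');                // escapes . * [ ] ( ) | - and the delimiter
    $pattern = str_replace('\*', '[^.]*', $pattern); // preg_quote() turned "*" into "\*"
    return preg_match('#^' . $pattern . '$#i', $host) === 1;
}

// Constructed SAN values paired with the host name being verified.
$cases = [
    ['*.example.test',          'www.example.test'],  // legitimate wildcard
    ['[a-z]pi.example.test',    'api.example.test'],  // character class in the SAN
    ['(www|mail).example.test', 'mail.example.test'], // alternation in the SAN
];

foreach ($cases as [$san, $host]) {
    printf(
        "%-26s vs %-18s unescaped=%-5s quoted=%s\n",
        $san,
        $host,
        var_export(san_matches_unescaped($san, $host), true),
        var_export(san_matches_quoted($san, $host), true)
    );
}
```

Both functions accept the legitimate wildcard; only the unescaped one also accepts the two SANs whose metacharacters should have been treated as literal text.
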
For Debian 10 buster, these problems have been fixed in version 1.0.19-3~deb10u4.
We recommend that you upgrade your phpseclib packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.