[SECURITY] [DLA 3198-1] php-phpseclib security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3198-1] php-phpseclib security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Thu, 17 Nov 2022 17:49:59 +0100
Message-id: <[🔎] 20221117164959.GB30110@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3198-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
November 17, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : php-phpseclib
Version        : 2.0.30-2~deb10u1
CVE ID         : CVE-2021-30130

It was discovered that php-phpseclib, a pure-PHP implementation of
various cryptographic and arithmetic algorithms (v2), mishandles RSA
PKCS#1 v1.5 signature verification. An attacker may get invalid
signatures accepted, bypassing authorization control in specific
situations.

For Debian 10 buster, this problem has been fixed in version
2.0.30-2~deb10u1.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmN2WioACgkQDTl9HeUl
XjApBA/8D1JVQMdHEZX6MpbgyKPCp8bdEd6ZjSrjaYhumjsTiXvcBXe8EYrfqzjs
HpL0DKn5jI7dMOiAIe2iGKRe2J2qhpEJGFrBTzR3F+WqdmSlcEJWj7xsfjUrZ5YF
K65rK5C7WbB+81ZE39lpwsnSiKPhbzz+V50ExAAt+CzS2/pojai+B2U4TzMLbttn
wNPimREKp8qxydyuUkNjlcDrrpPCV762qJPlZCJHyiaMMUvnkI5JMB3K80Bk7oST
YnCpCBBdTbkbLykDXDszLdZf+Lo89n6J3kMQqn0USy/sQvU2elfjPy+Z33XZ7XfG
Vf8L05DDXS7YqJ86wopUv5bwN2pXpu2VZSNi1oCHvRscgfw09kzHJVdlW2Euk3LF
txivRofXZVeQCBWCN3Ar/myQs6XE07gJ7dj80WZoRwWtyFtTzL82/nGAT8FzXkE1
fMsKsIKa2nObZ+81sjx4DmPobGXu6Sj81TUn4rOgywYpljhSRo/UhnyXx9qfRbLI
8Br0RSM7ZmZ9tbo6k2Hdf2R+fTpmNgAKdyxR/aFuk3BmgYSBc37yQs2n3e5acnyk
Rj4lxO6uddU98w0L4cohP3Q27a4uIzl59y7kybhjw3yvYQHmXXjb38RKbv+xuaQM
oSs+So4yiM4RbGG138RrMOcMZJPgK/rIKaZznS6i/UTk51fRJOc=
=fluQ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3197-1] phpseclib security update
Next by Date: [SECURITY] [DLA 3199-1] firefox-esr security update
Previous by thread: [SECURITY] [DLA 3197-1] phpseclib security update
Next by thread: [SECURITY] [DLA 3199-1] firefox-esr security update
Index(es):
- Date
- Thread