DLA-3198-1

Source: https://storage.googleapis.com/debian-osv/dla-osv/DLA-3198-1.json
Published: 2022-11-17T00:00:00Z
Modified: 2022-11-17T18:34:04.828552Z
Details

It was discovered that php-phpseclib (version 2), a pure-PHP implementation of various cryptographic and arithmetic algorithms, mishandles RSA PKCS#1 v1.5 signature verification. An attacker may get invalid signatures accepted, bypassing authorization controls in specific situations.

For Debian 10 buster, this problem has been fixed in version 2.0.30-2~deb10u1.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Affected packages

Debian:10 / php-phpseclib

Affected ranges
Type: ECOSYSTEM
Events
Introduced: 0
Fixed: 2.0.30-2~deb10u1

Affected versions

2.*

2.0.14-1
2.0.15-1
2.0.17-1
2.0.18-1
2.0.19-1
2.0.20-1
2.0.21-1
2.0.21-2
2.0.21-3
2.0.22-1
2.0.23-1
2.0.23-2
2.0.25-1
2.0.26-1
2.0.27-1
2.0.28-1
2.0.29-1
2.0.29-2
2.0.30-1