
Debian released security updates for php8.2 on Debian 12 and php8.4 on Debian 13 trixie to fix a buffer overflow in the openssl extension's AES Key Wrap with Padding implementation that can cause memory corruption. A vulnerability in Sympa allows attackers to bypass authentication using arbitrary email addresses when the generic SSO login feature is enabled, while php-phpseclib on Debian 11 received patches for five issues including hostname validation bypass, timing side channels, denial of service, and server-side request forgery. Package versions 8.2.32-1~deb12u1, 8.4.23-1~deb13u1, 6.2.70~dfsg-2+deb12u1, and 2.0.30-2+deb11u3 resolve the flaws in their respective distributions. System administrators should upgrade the php8.2, php8.4, sympa, and php-phpseclib packages promptly to secure their environments against these disclosed risks.

[DLA 4669-1] php8.2 security update
[DLA 4668-1] sympa security update
[DSA 6377-1] php8.4 security update
[DLA 4670-1] php-phpseclib security update




[SECURITY] [DLA 4669-1] php8.2 security update


- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4669-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
July 04, 2026 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package : php8.2
Version : 8.2.32-1~deb12u1
CVE ID : CVE-2026-14355

It was discovered that a buffer overflow in the implementation of AES
Key Wrap with Padding in the openssl extension of PHP, a widely-used
open source general purpose scripting language, could result in memory
corruption.

For Debian 12 bookworm, this problem has been fixed in version
8.2.32-1~deb12u1.

We recommend that you upgrade your php8.2 packages.

For the detailed security status of php8.2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4668-1] sympa security update


- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4668-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
July 04, 2026 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package : sympa
Version : 6.2.70~dfsg-2+deb12u1
CVE ID : CVE-2024-55919
Debian Bug : 1090188

A flaw was found in the web interface of Sympa, a modern mailing list
manager. An attacker may bypass authentication by using an arbitrary
e-mail address when the generic SSO login feature is enabled.

For Debian 12 bookworm, this problem has been fixed in version
6.2.70~dfsg-2+deb12u1.

We recommend that you upgrade your sympa packages.

For the detailed security status of sympa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sympa

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 6377-1] php8.4 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-6377-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
July 04, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php8.4
CVE ID : CVE-2026-14355

It was discovered that a buffer overflow in the implementation of AES
Key Wrap with Padding in the openssl extension of PHP, a widely-used
open source general purpose scripting language, could result in memory
corruption.

For the stable distribution (trixie), this problem has been fixed in
version 8.4.23-1~deb13u1.

We recommend that you upgrade your php8.4 packages.

For the detailed security status of php8.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4670-1] php-phpseclib security update


- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4670-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
July 05, 2026 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package : php-phpseclib
Version : 2.0.30-2+deb11u3
CVE ID : CVE-2023-52892 CVE-2026-32935 CVE-2026-40194
CVE-2026-44167 CVE-2026-55599
Debian Bug : 1131483

Several vulnerabilities were discovered in phpseclib, a PHP secure
communications library, which could result in hostname validation
bypass, timing side-channel attacks, denial of service, and
server-side request forgery (SSRF).

CVE-2023-52892

X509.php did not properly escape regular expression special
characters in a certificate's subjectAltName, allowing a crafted
certificate to bypass hostname validation in validateURL().
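As an added illustration of this escaping issue (example code written for this note, not phpseclib's validateURL()), the first matcher below drops a subjectAltName into a PCRE pattern unescaped, while the hardened one rejects values that are not plausible dNSNames and runs preg_quote() before re-introducing the wildcard; the SAN values and hostnames are constructed.

```php
<?php
// Added example, not phpseclib's validateURL(): matching a hostname
// against a certificate dNSName subjectAltName (CVE-2023-52892 pattern).

/**
 * Unsafe: the SAN is dropped into the PCRE pattern unescaped, so regex
 * metacharacters in a crafted certificate rewrite the pattern itself.
 * The only intended transformation is the DNS wildcard "*" -> one label.
 */
function matchesSanUnsafe(string $san, string $host): bool
{
    $pattern = '#^' . str_replace('*', '[^.]+', $san) . '$#i';
    return preg_match($pattern, $host) === 1;
}

/**
 * Hardened: reject anything that is not a plausible dNSName, escape every
 * byte with preg_quote(), and only then re-introduce the single wildcard.
 */
function matchesSanSafe(string $san, string $host): bool
{
    if (preg_match('/^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/', $san) !== 1) {
        return false;
    }
    $quoted = preg_quote($san, '#');   // "*" becomes "\*", "." becomes "\."
    $pattern = '#^' . str_replace('\*', '[^.]+', $quoted) . '$#i';
    return preg_match($pattern, $host) === 1;
}

// Constructed values: a SAN made of regex metacharacters, and a wildcard SAN.
$craftedSan = '.+';
var_dump(matchesSanUnsafe($craftedSan, 'unrelated.example'));
var_dump(matchesSanSafe($craftedSan, 'unrelated.example'));
var_dump(matchesSanSafe('*.example.org', 'www.example.org'));
var_dump(matchesSanSafe('*.example.org', 'a.b.example.org'));
```

The unsafe matcher accepts the unrelated host for the crafted SAN, the hardened one refuses it and still honours a single-label wildcard.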

CVE-2026-32935

The block cipher unpadding routine in Crypt/Base.php used a
short-circuiting comparison, creating a timing side channel that
could aid padding-oracle-style attacks.

CVE-2026-40194

The SSH2 implementation compared incoming packet HMACs using a
variable-time string comparison, creating a timing side channel
on cryptographic material.
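CVE-2026-32935 and CVE-2026-40194 share one root cause: an equality check that returns at the first mismatching byte. The added example below, written for this note rather than taken from phpseclib, contrasts that pattern with hash_equals() for an SSH-style packet MAC and for PKCS#7 unpadding; the key, packet and padded blocks are constructed.

```php
<?php
// Added example, not phpseclib's code: a comparison that returns at the
// first differing byte leaks, through timing, how much of the value was
// right. hash_equals() takes time independent of where strings differ.

/**
 * Fixed-time MAC check. A plain "===" on the two strings stops at the
 * first differing byte; hash_equals() does not. The value we computed
 * goes first, the untrusted one second.
 */
function macMatchesSafe(string $key, string $packet, string $receivedMac): bool
{
    $expected = hash_hmac('sha256', $packet, $key, true);
    return hash_equals($expected, $receivedMac);
}

/** Variable-time PKCS#7 unpad: the loop exits at the first bad pad byte. */
function unpadUnsafe(string $block): ?string
{
    $len = strlen($block);
    $pad = $len > 0 ? ord($block[$len - 1]) : 0;
    if ($pad < 1 || $pad > $len) {
        return null;
    }
    for ($i = $len - $pad; $i < $len; $i++) {
        if (ord($block[$i]) !== $pad) {
            return null;
        }
    }
    return substr($block, 0, $len - $pad);
}

/** Unpad with a fixed-time tail comparison. The pad length still shapes
 *  the timing (a complete fix touches every byte of the block), but the
 *  per-byte early exit of the unsafe version is gone. */
function unpadSafer(string $block): ?string
{
    $len = strlen($block);
    $pad = $len > 0 ? ord($block[$len - 1]) : 0;
    if ($pad < 1 || $pad > $len) {
        return null;
    }
    $ok = hash_equals(str_repeat(chr($pad), $pad), substr($block, -$pad));
    return $ok ? substr($block, 0, $len - $pad) : null;
}

// Constructed inputs: a valid MAC, a forged all-zero MAC, and two padded blocks.
$key = 'constructed-test-key';
$mac = hash_hmac('sha256', 'payload', $key, true);
var_dump(macMatchesSafe($key, 'payload', $mac), macMatchesSafe($key, 'payload', str_repeat("\0", 32)));
var_dump(unpadSafer("hello\x03\x03\x03"), unpadSafer("hello\x03\x02\x03"));
```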

CVE-2026-44167

The ASN.1 decoder's 4096-byte Object Identifier limit (mitigating
CVE-2024-27355) was still large enough to allow an "OID
amplification" denial of service via crafted ASN.1 structures.

CVE-2026-55599

File_X509 could automatically fetch a URL from a certificate's
Authority Information Access extension without validating the
destination, allowing SSRF via a crafted certificate.

For Debian 11 bullseye, these problems have been fixed in version
2.0.30-2+deb11u3.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS