[SECURITY] [DLA 4669-1] php8.2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4669-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
July 04, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : php8.2
Version        : 8.2.32-1~deb12u1
CVE ID         : CVE-2026-14355
It was discovered that a buffer overflow in the implementation of AES
Key Wrap with Padding in the openssl extension of PHP, a widely-used
open source general purpose scripting language, could result in memory
corruption.
For Debian 12 bookworm, this problem has been fixed in version
8.2.32-1~deb12u1.
We recommend that you upgrade your php8.2 packages.
For the detailed security status of php8.2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4668-1] sympa security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4668-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
July 04, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : sympa
Version        : 6.2.70~dfsg-2+deb12u1
CVE ID         : CVE-2024-55919
Debian Bug     : 1090188
A flaw was found in the web interface of Sympa, a modern mailing list
manager. When the generic SSO login feature is enabled, an attacker may
bypass authentication by supplying an arbitrary e-mail address.
For Debian 12 bookworm, this problem has been fixed in version
6.2.70~dfsg-2+deb12u1.
We recommend that you upgrade your sympa packages.
For the detailed security status of sympa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sympa
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 6377-1] php8.4 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-6377-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 04, 2026                         https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package        : php8.4
CVE ID         : CVE-2026-14355
It was discovered that a buffer overflow in the implementation of AES
Key Wrap with Padding in the openssl extension of PHP, a widely-used
open source general purpose scripting language, could result in memory
corruption.
For the stable distribution (trixie), this problem has been fixed in
version 8.4.23-1~deb13u1.
We recommend that you upgrade your php8.4 packages.
For the detailed security status of php8.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.4
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4670-1] php-phpseclib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4670-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
July 05, 2026                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : php-phpseclib
Version        : 2.0.30-2+deb11u3
CVE ID         : CVE-2023-52892 CVE-2026-32935 CVE-2026-40194
                 CVE-2026-44167 CVE-2026-55599
Debian Bug     : 1131483
Several vulnerabilities were discovered in phpseclib, a PHP secure
communications library, which could result in hostname validation
bypass, timing side-channel attacks, denial of service, and
server-side request forgery (SSRF).
CVE-2023-52892
X509.php did not properly escape regular expression special
characters in a certificate's subjectAltName, allowing a crafted
certificate to bypass hostname validation in validateURL().
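The escaping defect behind CVE-2023-52892, shown as an added example rather than phpseclib's own code: a hostname matcher that pastes the subjectAltName into a regex without quoting, beside one that runs preg_quote() first. Both helper names are hypothetical, and validateURL() itself is not reproduced.

```php
<?php
// Added example (not phpseclib code): matching a DNS subjectAltName against a
// hostname. validateURL() itself is not reproduced; both helpers are hypothetical.

// Vulnerable shape (CVE-2023-52892): the SAN goes into the regex with only the
// wildcard rewritten, so any regex metacharacter in the SAN stays live.
function sanMatchesUnescaped(string $san, string $host): bool
{
    $pattern = '/^' . str_replace('*', '[^.]*', $san) . '$/i';
    return preg_match($pattern, $host) === 1;
}

// Hardened: quote every metacharacter, then allow only a single left-most
// wildcard label (RFC 6125, section 6.4.3).
function sanMatchesEscaped(string $san, string $host): bool
{
    if (str_starts_with($san, '*.')) {
        $pattern = '/^[^.]+\.' . preg_quote(substr($san, 2), '/') . '$/i';
    } else {
        $pattern = '/^' . preg_quote($san, '/') . '$/i';
    }
    return preg_match($pattern, $host) === 1;
}

// Constructed cases: [SAN, hostname, unescaped result, escaped result].
$cases = [
    ['*.example.com',   'www.example.com',  true,  true],
    ['*.example.com',   'www.example.org',  false, false],
    ['www.example.com', 'wwwXexample.com',  true,  false], // unquoted '.' matched any byte
    ['.+',              'anything.invalid', true,  false], // SAN made only of metacharacters
];
foreach ($cases as [$san, $host, $unescaped, $escaped]) {
    if (sanMatchesUnescaped($san, $host) !== $unescaped
        || sanMatchesEscaped($san, $host) !== $escaped) {
        throw new RuntimeException("unexpected result for $san vs $host");
    }
    printf("%-16s %-18s unescaped=%-5s escaped=%s\n", $san, $host,
        var_export($unescaped, true), var_export($escaped, true));
}
```

Run with php8.2 or later (str_starts_with needs PHP 8); the third and fourth rows are where the two matchers disagree.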
CVE-2026-32935
The block cipher unpadding routine in Crypt/Base.php used a
short-circuiting comparison, creating a timing side channel that
could aid padding-oracle-style attacks.
CVE-2026-40194
The SSH2 implementation compared incoming packet HMACs using a
variable-time string comparison, creating a timing side channel
on cryptographic material.
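CVE-2026-32935 and CVE-2026-40194 are the same defect class, a comparison whose running time depends on where the first mismatch falls. As an added example, not phpseclib's own code, the following shows a short-circuiting PKCS#7 unpad next to one that examines every byte of the last block, and an HMAC check built on hash_equals(); the function names are hypothetical.

```php
<?php
// Added example (not phpseclib code): the variable-time checks named in
// CVE-2026-32935 (unpadding) and CVE-2026-40194 (HMAC compare), each beside
// a form that does the same work on every input. Names are hypothetical.
// A plain `$expected === $received` stops at the first differing byte, so
// timing reveals how long a prefix of a forged MAC already matched.
// hash_equals() touches every byte (lengths must agree; MAC length is public).
function macEqualsConstantTime(string $expected, string $received): bool
{
    return hash_equals($expected, $received);
}
// PKCS#7 unpadding that returns at the first wrong padding byte: where it
// exits depends on plaintext, which is exactly what a padding oracle measures.
function unpadVariableTime(string $data, int $blockSize): ?string
{
    $n = strlen($data);
    $len = $n ? ord($data[$n - 1]) : 0;
    if ($len < 1 || $len > $blockSize || $len > $n) {
        return null;
    }
    for ($i = 1; $i <= $len; $i++) {
        if (ord($data[$n - $i]) !== $len) {
            return null; // early exit
        }
    }
    return substr($data, 0, $n - $len);
}
// Same check without short-circuiting: every byte of the last block is folded
// into one accumulator and the verdict is taken once, at the end.
function unpadConstantTime(string $data, int $blockSize): ?string
{
    $n = strlen($data);
    if ($n < $blockSize || $n % $blockSize !== 0) {
        return null; // length is public; reject malformed input up front
    }
    $len = ord($data[$n - 1]);
    $bad = ($len < 1 || $len > $blockSize) ? 1 : 0;
    for ($i = 1; $i <= $blockSize; $i++) {
        $inPad = ($i <= $len) ? 0xFF : 0x00;           // mask: is byte i padding?
        $bad |= $inPad & (ord($data[$n - $i]) ^ $len); // non-zero on any mismatch
    }
    return $bad !== 0 ? null : substr($data, 0, $n - $len);
}
// Constructed inputs: both unpadders agree on the result; only timing differs.
$good = 'YELLOW SUB' . str_repeat("\x06", 6);
$bad  = 'YELLOW SUB' . str_repeat("\x06", 5) . "\x07";
var_dump(unpadVariableTime($good, 16) === 'YELLOW SUB', unpadConstantTime($good, 16) === 'YELLOW SUB');
var_dump(unpadVariableTime($bad, 16) === null, unpadConstantTime($bad, 16) === null);
$tag = hash_hmac('sha256', 'constructed SSH2 packet', random_bytes(32), true);
$forged = substr($tag, 0, -1) . chr(ord($tag[31]) ^ 1);
var_dump(macEqualsConstantTime($tag, $tag), macEqualsConstantTime($tag, $forged));
```

PHP offers no machine-level timing guarantee; what the hardened forms remove is the data-dependent early exit, which is the flaw both CVE entries describe.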
CVE-2026-44167
The ASN.1 decoder's 4096-byte Object Identifier limit (mitigating
CVE-2024-27355) was still large enough to allow an "OID
amplification" denial of service via crafted ASN.1 structures.
CVE-2026-55599
File_X509 could automatically fetch a URL from a certificate's
Authority Information Access extension without validating the
destination, allowing SSRF via a crafted certificate.
For Debian 11 bullseye, these problems have been fixed in version
2.0.30-2+deb11u3.
We recommend that you upgrade your php-phpseclib packages.
For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS