[SECURITY] [DLA 3750-1] php-phpseclib security update

2024-03-0513:57:51

lists.debian.org

arbitrary-precision arithmetic

php library

security tracker

denial of service

debian 10

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.9

Confidence

High

EPSS

0.001

Percentile

41.1%

JSON

Debian LTS Advisory DLA-3750-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
March 05, 2024 https://wiki.debian.org/LTS

Package : php-phpseclib
Version : 2.0.30-2~deb10u3
CVE ID : CVE-2024-27354 CVE-2024-27355

Security issues were discovered in php-phpseclib, a PHP library for
arbitrary-precision integer arithmetic, which could lead to Denial of
Service.

CVE-2024-27354

An attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption
for an `isPrime` primality check).

This issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355

When processing the ASN.1 object identifier of a certificate, a sub
identifier may be provided that leads to a denial of service (CPU
consumption for `decodeOID`).

For Debian 10 buster, these problems have been fixed in version
2.0.30-2~deb10u3.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian11allphpseclib< 1.0.19-3+deb11u2phpseclib_1.0.19-3+deb11u2_all.deb
Debian12allphp-phpseclib3< 3.0.19-1+deb12u3php-phpseclib3_3.0.19-1+deb12u3_all.deb
Debian10allphp-phpseclib< 2.0.30-2~deb10u3php-phpseclib_2.0.30-2~deb10u3_all.deb
Debian12allphp-seclib< 1.0.20-1+deb12u2php-seclib_1.0.20-1+deb12u2_all.deb
Debian12allphpseclib< 1.0.20-1+deb12u2phpseclib_1.0.20-1+deb12u2_all.deb
Debian11allphp-seclib< 1.0.19-3+deb11u2php-seclib_1.0.19-3+deb11u2_all.deb
Debian10allphp-seclib< 1.0.19-3~deb10u3php-seclib_1.0.19-3~deb10u3_all.deb
Debian11allphp-phpseclib< 2.0.30-2+deb11u2php-phpseclib_2.0.30-2+deb11u2_all.deb
Debian10allphpseclib< 1.0.19-3~deb10u3phpseclib_1.0.19-3~deb10u3_all.deb
Debian12allphp-phpseclib< 2.0.42-1+deb12u2php-phpseclib_2.0.42-1+deb12u2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	all	phpseclib	< 1.0.19-3+deb11u2	phpseclib_1.0.19-3+deb11u2_all.deb
Debian	12	all	php-phpseclib3	< 3.0.19-1+deb12u3	php-phpseclib3_3.0.19-1+deb12u3_all.deb
Debian	10	all	php-phpseclib	< 2.0.30-2~deb10u3	php-phpseclib_2.0.30-2~deb10u3_all.deb
Debian	12	all	php-seclib	< 1.0.20-1+deb12u2	php-seclib_1.0.20-1+deb12u2_all.deb
Debian	12	all	phpseclib	< 1.0.20-1+deb12u2	phpseclib_1.0.20-1+deb12u2_all.deb
Debian	11	all	php-seclib	< 1.0.19-3+deb11u2	php-seclib_1.0.19-3+deb11u2_all.deb
Debian	10	all	php-seclib	< 1.0.19-3~deb10u3	php-seclib_1.0.19-3~deb10u3_all.deb
Debian	11	all	php-phpseclib	< 2.0.30-2+deb11u2	php-phpseclib_2.0.30-2+deb11u2_all.deb
Debian	10	all	phpseclib	< 1.0.19-3~deb10u3	phpseclib_1.0.19-3~deb10u3_all.deb
Debian	12	all	php-phpseclib	< 2.0.42-1+deb12u2	php-phpseclib_2.0.42-1+deb12u2_all.deb