This PR contains the following updates: phpseclib/phpseclib 2.0.44 -> 2.0.47

GitHub Vulnerability Alerts

CVE-2024-27354
An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an isPrime primality check). NOTE: this issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355
An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).
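Both advisories above are resource-exhaustion bugs in a parser: an attacker-controlled length (the octet count of one OID sub-identifier, or the bit length of an integer handed to a primality test) decides how much CPU the library burns. The example below, added here and not code from phpseclib, shows the shape of the guardrails the 2.0.47 changelog describes ("limit OID length", "put guardrails on isPrime()"): a DER OBJECT IDENTIFIER decoder that rejects an over-long sub-identifier before accumulating it, and a Miller-Rabin test that refuses oversized integers before doing any modular exponentiation. It is written in Python as a language-neutral illustration; the limits `MAX_OID_SUBID_OCTETS` and `MAX_PRIME_CHECK_BITS` and the function names are assumptions chosen for the example, not phpseclib's values or API.

```python
"""Added example (not phpseclib's own code): two resource guardrails of the
kind the 2.0.47 changelog describes ("limit OID length", "put guardrails on
isPrime()"), written in Python as a language-neutral illustration. The
numeric limits below are assumptions chosen for the example, not the
values phpseclib uses."""
import random


class GuardrailError(ValueError):
    """Raised when an input exceeds a resource guardrail."""


# Assumed limits (example values, not phpseclib's).
MAX_OID_SUBID_OCTETS = 8      # longest base-128 sub-identifier accepted
MAX_PRIME_CHECK_BITS = 4096   # largest integer the primality check accepts


def decode_oid(content: bytes, max_subid_octets: int = MAX_OID_SUBID_OCTETS) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (X.690 8.19).

    Each sub-identifier is base 128, most significant group first, with
    bit 8 set on every octet except the last. The first sub-identifier
    packs the first two arcs as 40*X + Y. Capping the octets per
    sub-identifier means a long run of continuation bytes is rejected
    early instead of being accumulated into an ever-growing integer.
    """
    if not content:
        raise ValueError("empty OID content")
    arcs, value, octets = [], 0, 0
    for octet in content:
        octets += 1
        if octets > max_subid_octets:
            raise GuardrailError(
                f"sub-identifier exceeds {max_subid_octets} octets")
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:          # last octet of this sub-identifier
            arcs.append(value)
            value, octets = 0, 0
    if octets:
        raise ValueError("truncated OID: final octet has continuation bit set")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def is_probable_prime(n: int, rounds: int = 20,
                      max_bits: int = MAX_PRIME_CHECK_BITS) -> bool:
    """Miller-Rabin primality test that refuses oversized inputs.

    The bit-length check runs before any modular exponentiation, so an
    attacker-supplied huge integer costs one comparison rather than a
    CPU-bound primality test.
    """
    if n.bit_length() > max_bits:
        raise GuardrailError(
            f"{n.bit_length()}-bit integer exceeds {max_bits}-bit limit")
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def hits_guardrail(func, *args) -> bool:
    """True if calling func(*args) is refused by a guardrail."""
    try:
        func(*args)
    except GuardrailError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the rsaEncryption OID, and an OID whose second
    # sub-identifier is made of 12 octets.
    print(decode_oid(bytes.fromhex("2a864886f70d010101")))               # 1.2.840.113549.1.1.1
    print(hits_guardrail(decode_oid, b"\x2a" + b"\xff" * 11 + b"\x7f"))  # True
    print(is_probable_prime(2**127 - 1))                                  # True
    print(hits_guardrail(is_probable_prime, 1 << 5000))                   # True
```

The point of both checks is where they sit: before the expensive work, on a quantity the caller can bound without trusting the input. A certificate parser that only validates the OID after decoding it, or only rejects an oversized modulus after `isPrime` returns, has already paid the cost the attacker wanted it to pay.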
Release Notes
phpseclib/phpseclib (phpseclib/phpseclib)
### [`v2.0.47`](https://togithub.com/phpseclib/phpseclib/blob/HEAD/CHANGELOG.md#2047---2024-02-25)
[Compare Source](https://togithub.com/phpseclib/phpseclib/compare/2.0.46...2.0.47)
- BigInteger: add getLength() and getLengthInBytes() methods
- BigInteger: put guardrails on isPrime() and randomPrime() (CVE-2024-27354)
- ASN1: limit OID length (CVE-2024-27355)
### [`v2.0.46`](https://togithub.com/phpseclib/phpseclib/blob/HEAD/CHANGELOG.md#2046---2023-12-28)
[Compare Source](https://togithub.com/phpseclib/phpseclib/compare/2.0.45...2.0.46)
- SSH2: implement terrapin attack countermeasures ([#1972](https://togithub.com/phpseclib/phpseclib/issues/1972))
- SSH2: only capture login info once ([#1970](https://togithub.com/phpseclib/phpseclib/issues/1970))
- SSH2: add support for RFC8308 ([#1960](https://togithub.com/phpseclib/phpseclib/issues/1960))
- Rijndael: fix for PHP 8.3+ compatibility ([#1944](https://togithub.com/phpseclib/phpseclib/issues/1944))
- Crypt/Base: improve ARM detection code ([#1949](https://togithub.com/phpseclib/phpseclib/issues/1949))
- X509: fix for weird characters in subjaltname ([#1943](https://togithub.com/phpseclib/phpseclib/issues/1943))
### [`v2.0.45`](https://togithub.com/phpseclib/phpseclib/blob/HEAD/CHANGELOG.md#2045---2023-09-15)
[Compare Source](https://togithub.com/phpseclib/phpseclib/compare/2.0.44...2.0.45)
- SFTP: make it so SFTP::RESUME also sets offset of local file ([#1921](https://togithub.com/phpseclib/phpseclib/issues/1921))
- SFTP: RESUME_START didn't work as described ([#1921](https://togithub.com/phpseclib/phpseclib/issues/1921))
- SFTP: fix SFTPv2 errors when logging errors ([#1933](https://togithub.com/phpseclib/phpseclib/issues/1933))
- SFTP: fix issue with get() downloading to files / streams ([#1934](https://togithub.com/phpseclib/phpseclib/issues/1934))
- Rijndael: fix E_DEPRECATED ([#1935](https://togithub.com/phpseclib/phpseclib/issues/1935))
- improve PHP32 compatibility ([#1931](https://togithub.com/phpseclib/phpseclib/issues/1931))
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.