
@katzj
Created February 29, 2024 20:05

phpseclib has released versions 3.0.36, 2.0.47, and 1.0.23 to address problems related to maliciously formed certificates that could lead to a denial of service attack.

The first issue, CVE-2024-27354, can be triggered by a malformed certificate containing an extremely large prime, which phpseclib attempts to read.

The second issue, CVE-2024-27355, can be triggered by a certificate with a very large ASN.1 sub-identifier.

Both affect versions >= 1.0.0 and <= 1.0.22 for the 1.x branch, >= 2.0.0 and <= 2.0.46 for the 2.x branch, and >= 3.0.0 and <= 3.0.35 for the 3.x branch.

Both are resolved in the new releases at https://github.com/phpseclib/phpseclib/releases
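Upgrading is the fix; where a deployment cannot move to the patched releases immediately, a pre-parse sanity check on the DER can bound the two triggers described above. The following is an added example written for this note, not code from phpseclib or from the gist author; the byte limits and the PEM path are assumptions chosen for illustration.

```php
<?php
// Added example for this advisory, not phpseclib's own code: a best-effort DER
// pre-check that rejects a certificate carrying an oversized INTEGER or an
// oversized OID sub-identifier. Both limits are assumptions, not advisory values.
const MAX_INTEGER_BYTES = 1025; // an 8192-bit value plus its sign byte
const MAX_SUBID_BYTES   = 5;    // base-128 arcs above 2^35 do not occur in real certificates

/** Returns null when $der passes, otherwise a message naming the first violation. */
function derSanityCheck(string $der, int $depth = 0): ?string
{
    if ($depth > 32) return 'limit: nesting too deep';
    $len = strlen($der);
    $pos = 0;
    while ($pos < $len) {
        $tag = ord($der[$pos++]);
        if ($pos >= $len) return 'truncated element';
        $l = ord($der[$pos++]);
        if ($l & 0x80) {                                   // long-form length
            $n = $l & 0x7F;
            if ($n === 0 || $n > 4 || $pos + $n > $len) return 'bad long-form length';
            $l = 0;
            for ($i = 0; $i < $n; $i++) $l = ($l << 8) | ord($der[$pos++]);
        }
        if ($pos + $l > $len) return 'length exceeds buffer';
        $body = substr($der, $pos, $l);
        $pos += $l;
        if ($tag & 0x20) {                                 // constructed: check the children
            if (($e = derSanityCheck($body, $depth + 1)) !== null) return $e;
            continue;
        }
        if ($tag === 0x02 && $l > MAX_INTEGER_BYTES) return "limit: INTEGER of $l bytes";
        if ($tag === 0x06) {                               // OBJECT IDENTIFIER
            $run = 0;
            for ($i = 0; $i < $l; $i++) {
                if (++$run > MAX_SUBID_BYTES) return 'limit: OID sub-identifier too long';
                if ((ord($body[$i]) & 0x80) === 0) $run = 0; // clear high bit ends the arc
            }
        }
        // subjectPublicKey (BIT STRING, unused-bits byte first) and extnValue
        // (OCTET STRING) usually wrap more DER; walk them but keep only limit
        // violations, since an opaque payload such as a key id is not a DER error.
        $inner = ($tag === 0x03 && $l > 0 && $body[0] === "\x00") ? substr($body, 1)
               : ($tag === 0x04 ? $body : null);
        if ($inner !== null && ($e = derSanityCheck($inner, $depth + 1)) !== null
            && strncmp($e, 'limit:', 6) === 0) return $e;
    }
    return null;
}

// Usage: strip the PEM armour (assumed path), then check the DER before phpseclib parses it.
$der = base64_decode(preg_replace('/-----[^-]+-----|\s/', '', file_get_contents('cert.pem')), true);
if ($der === false || ($err = derSanityCheck($der)) !== null) { /* reject the certificate */ }
```

The walk is best-effort: an opaque blob that happens to start with a plausible tag byte can be descended into, so treat a rejection as a signal for closer inspection rather than proof of malice.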
