Headline
CVE-2021-30130: Release 2.0.31 · phpseclib/phpseclib
phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.
- X509: always parse the first cert of a bundle (#1568)
- SSH2: behave like putty with broken publickey auth (#1572)
- SSH2: don’t close channel on unexpected response to channel request (#1631)
- RSA: support keys with PSS algorithm identifier (#1584)
- RSA: cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130)
- SFTP/Stream: make it so you can write past the end of a file (#1618)
- SFTP: fix undefined index notice in stream touch() (#1615)
- SFTP: digit only filenames were converted to integers by php (#1623)
- BigInteger: fix issue with toBits on 32-bit PHP 8 installs
- Crypt: use a custom error handler for mcrypt to avoid deprecation errors