[Security] Bump phpseclib/phpseclib from 2.0.17 to 2.0.32

[dependabot-preview]

Bumps phpseclib/phpseclib from 2.0.17 to 2.0.32. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

Improper Certificate Validation in phpseclib

Affected versions: =3.0.0, <3.0.7

Sourced from The GitHub Security Advisory Database.

Improper Certificate Validation in phpseclib phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

Affected versions: < 2.0.31

Release notes

Sourced from phpseclib/phpseclib's releases.

2.0.32

• SSH2: add getAuthMethodsToContinue() method (#1648)
• SSH2: timeout would occasionally infinitely loop
• SSH2: fix PHP7.4 errors about accessing bool as string (#1656)
• SSH2: fix issue with key re-exchange (#1644)
• SFTP: reopen channel on channel closure (#1654)
• X509: extra characters before cert weren't being removed (#1659)
• ASN1: fix timezone issue when non-utc time is given (#1562)
• RSA: OAEP decryption didn't check labels correctly (#1669)

2.0.31

• X509: always parse the first cert of a bundle (#1568)
• SSH2: behave like putty with broken publickey auth (#1572)
• SSH2: don't close channel on unexpected response to channel request (#1631)
• RSA: support keys with PSS algorithm identifier (#1584)
• RSA: cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130)
• SFTP/Stream: make it so you can write past the end of a file (#1618)
• SFTP: fix undefined index notice in stream touch() (#1615)
• SFTP: digit only filenames were converted to integers by php (#1623)
• BigInteger: fix issue with toBits on 32-bit PHP 8 installs
• Crypt: use a custom error handler for mcrypt to avoid deprecation errors

2.0.30

• X509: don't attempt to parse multi-cert PEMs (#1542)
• SFTP: add stream to get method (#1546)
• SFTP: progress callback should report actual downloaded bytes (#1543)
• SSH2: end connection faster for algorithm mismatch
• SSH2: add setKeepAlive() method (#1529)
• ANSI: fix PHP8 compatibility issues

2.0.29

• SFTP: add enableDatePreservation() / disableDatePreservation() (#1496)
• SFTP: uploads on low speed networks could get in infinite loop (#1507)
• SSH2: when building algo list look at if crypto engine is set (#1500)
• X509: really looong base64 encoded strings broke extractBER() (#1486)

2.0.28

• SFTP: realpath('') produced an error (#1474)
• SFTP: if /path/to/file is a file then /path/to/file/whatever errors (#1475)
• SFTP: speed up uploads (by changing SFTP upload packet size from 4KB to 32KB)
• ANSI: fix "Number of elements can't be negative" error

2.0.27

• SFTP: change the mode with a SETSTAT instead of MKDIR (#1463)
• SFTP: make it so extending SFTP class doesn't cause a segfault (#1465)
• Random::string didn't always return all the requested bytes (#1466)

... (truncated)

Changelog

Sourced from phpseclib/phpseclib's changelog.

2.0.32 - 2021-06-13

• SSH2: add getAuthMethodsToContinue() method (#1648)
• SSH2: timeout would occasionally infinitely loop
• SSH2: fix PHP7.4 errors about accessing bool as string (#1656)
• SSH2: fix issue with key re-exchange (#1644)
• SFTP: reopen channel on channel closure (#1654)
• X509: extra characters before cert weren't being removed (#1659)
• ASN1: fix timezone issue when non-utc time is given (#1562)
• RSA: OAEP decryption didn't check labels correctly (#1669)

2.0.31 - 2021-04-06

• X509: always parse the first cert of a bundle (#1568)
• SSH2: behave like putty with broken publickey auth (#1572)
• SSH2: don't close channel on unexpected response to channel request (#1631)
• RSA: support keys with PSS algorithm identifier (#1584)
• RSA: cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130)
• SFTP/Stream: make it so you can write past the end of a file (#1618)
• SFTP: fix undefined index notice in stream touch() (#1615)
• SFTP: digit only filenames were converted to integers by php (#1623)
• BigInteger: fix issue with toBits on 32-bit PHP 8 installs
• Crypt: use a custom error handler for mcrypt to avoid deprecation errors

2.0.30 - 2020-12-16

• X509: don't attempt to parse multi-cert PEMs (#1542)
• SFTP: add stream to get method (#1546)
• SFTP: progress callback should report actual downloaded bytes (#1543)
• SSH2: end connection faster for algorithm mismatch
• SSH2: add setKeepAlive() method (#1529)
• ANSI: fix PHP8 compatibility issues

2.0.29 - 2020-09-07

• SFTP: add enableDatePreservation() / disableDatePreservation() (#1496)
• SFTP: uploads on low speed networks could get in infinite loop (#1507)
• SSH2: when building algo list look at if crypto engine is set (#1500)
• X509: really looong base64 encoded strings broke extractBER() (#1486)

2.0.28 - 2020-07-08

• SFTP: realpath('') produced an error (#1474)
• SFTP: if /path/to/file is a file then /path/to/file/whatever errors (#1475)
• SFTP: speed up uploads (by changing SFTP upload packet size from 4KB to 32KB)
• ANSI: fix "Number of elements can't be negative" error

2.0.27 - 2020-05-22

• SFTP: another attempt at speeding up uploads (#1455)

... (truncated)

Commits

• f5c4c19 Tests/RSA: update unit test for 2.0
• 451ddf4 Merge branch '1.0' into 2.0
• c3560c2 RSA: OAEP decryption didn't check labels correctly
• 333d2f9 Merge branch '1.0' into 2.0
• 0a2dc24 X509: extra characters before cert weren't being removed
• fe6a84a Merge branch '1.0' into 2.0
• 915d1d8 SSH2: fix PHP7.4 errors about accessing bool as string
• 94abf56 Merge branch '1.0' into 2.0
• 8204273 SSH2: fix issue with key re-exchange
• 0b4484a Merge branch '1.0' into 2.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)