[Security] Bump phpseclib/phpseclib from 2.0.21 to 2.0.31

[dependabot-preview]

Bumps phpseclib/phpseclib from 2.0.21 to 2.0.31. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Improper Certificate Validation in phpseclib phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

Affected versions: < 2.0.31

Release notes

Sourced from phpseclib/phpseclib's releases.

2.0.31

• X509: always parse the first cert of a bundle (#1568)
• SSH2: behave like putty with broken publickey auth (#1572)
• SSH2: don't close channel on unexpected response to channel request (#1631)
• RSA: support keys with PSS algorithm identifier (#1584)
• RSA: cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130)
• SFTP/Stream: make it so you can write past the end of a file (#1618)
• SFTP: fix undefined index notice in stream touch() (#1615)
• SFTP: digit only filenames were converted to integers by php (#1623)
• BigInteger: fix issue with toBits on 32-bit PHP 8 installs
• Crypt: use a custom error handler for mcrypt to avoid deprecation errors

2.0.30

• X509: don't attempt to parse multi-cert PEMs (#1542)
• SFTP: add stream to get method (#1546)
• SFTP: progress callback should report actual downloaded bytes (#1543)
• SSH2: end connection faster for algorithm mismatch
• SSH2: add setKeepAlive() method (#1529)
• ANSI: fix PHP8 compatibility issues

2.0.29

• SFTP: add enableDatePreservation() / disableDatePreservation() (#1496)
• SFTP: uploads on low speed networks could get in infinite loop (#1507)
• SSH2: when building algo list look at if crypto engine is set (#1500)
• X509: really looong base64 encoded strings broke extractBER() (#1486)

2.0.28

• SFTP: realpath('') produced an error (#1474)
• SFTP: if /path/to/file is a file then /path/to/file/whatever errors (#1475)
• SFTP: speed up uploads (by changing SFTP upload packet size from 4KB to 32KB)
• ANSI: fix "Number of elements can't be negative" error

2.0.27

• SFTP: change the mode with a SETSTAT instead of MKDIR (#1463)
• SFTP: make it so extending SFTP class doesn't cause a segfault (#1465)
• Random::string didn't always return all the requested bytes (#1466)

2.0.26

• SFTP: another attempt at speeding up uploads (#1455)
• SSH2: try logging in with none as an auth method first (#1454)
• ASN1: fix for malformed ASN1 strings (#1456)

2.0.25

• SFTP: re-add buffering (#1455)

2.0.24

... (truncated)

Changelog

Sourced from phpseclib/phpseclib's changelog.

2.0.31 - 2021-04-06

• X509: always parse the first cert of a bundle (#1568)
• SSH2: behave like putty with broken publickey auth (#1572)
• SSH2: don't close channel on unexpected response to channel request (#1631)
• RSA: support keys with PSS algorithm identifier (#1584)
• RSA: cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130)
• SFTP/Stream: make it so you can write past the end of a file (#1618)
• SFTP: fix undefined index notice in stream touch() (#1615)
• SFTP: digit only filenames were converted to integers by php (#1623)
• BigInteger: fix issue with toBits on 32-bit PHP 8 installs
• Crypt: use a custom error handler for mcrypt to avoid deprecation errors

2.0.30 - 2020-12-16

• X509: don't attempt to parse multi-cert PEMs (#1542)
• SFTP: add stream to get method (#1546)
• SFTP: progress callback should report actual downloaded bytes (#1543)
• SSH2: end connection faster for algorithm mismatch
• SSH2: add setKeepAlive() method (#1529)
• ANSI: fix PHP8 compatibility issues

2.0.29 - 2020-09-07

• SFTP: add enableDatePreservation() / disableDatePreservation() (#1496)
• SFTP: uploads on low speed networks could get in infinite loop (#1507)
• SSH2: when building algo list look at if crypto engine is set (#1500)
• X509: really looong base64 encoded strings broke extractBER() (#1486)

2.0.28 - 2020-07-08

• SFTP: realpath('') produced an error (#1474)
• SFTP: if /path/to/file is a file then /path/to/file/whatever errors (#1475)
• SFTP: speed up uploads (by changing SFTP upload packet size from 4KB to 32KB)
• ANSI: fix "Number of elements can't be negative" error

2.0.27 - 2020-05-22

• SFTP: another attempt at speeding up uploads (#1455)
• SSH2: try logging in with none as an auth method first (#1454)
• ASN1: fix for malformed ASN1 strings (#1456)

2.0.26 - 2020-03-22

• SFTP: another attempt at speeding up uploads (#1455)
• SSH2: try logging in with none as an auth method first (#1454)
• ASN1: fix for malformed ASN1 strings (#1456)

2.0.25 - 2020-02-25

... (truncated)

Commits

• 233a920 CHANGELOG: add 2.0.31 release
• 364704a Merge branch '1.0' into 2.0
• 05550b9 Merge pull request #1635 from terrafrost/moosa-1.0
• f95b039 Merge branch 'moosa-1.0' into moosa-2.0
• 149b4d2 RSA: fix for PHP8
• 74435e1 Merge branch 'moosa-1.0' into moosa-2.0
• 8af4280 RSA: misc fixes for 'without NULL' PKCS1 signature validation
• d70abb9 fix broken unit test
• 43eeb85 Merge branch 'moosa-1.0' into moosa-2.0
• 581fbdb CS adjustments
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[codecov]

Codecov Report

Merging #24 (8459533) into dev (e64f544) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##              dev      #24   +/-   ##
=======================================
  Coverage   38.46%   38.46%           
=======================================
  Files          22       22           
  Lines         247      247           
=======================================
  Hits           95       95           
  Misses        152      152           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e64f544...8459533. Read the comment docs.