| Package | php7.0 |
|---|---|
| Version | 7.0.33-0+deb9u17 (stretch) |
| Related CVEs | CVE-2024-2756 CVE-2024-3096 |
Two security problems were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure or incorrect validation of password hashes.
CVE-2024-2756
Marco Squarcina discovered that network and same-site attackers can set a
standard insecure cookie in the victim's browser which is treated as a
`__Host-` or `__Secure-` cookie by PHP applications. This issue stems from
an incomplete fix to CVE-2022-31629.
CVE-2024-3096
Eric Stern discovered that if a password stored with password_hash() starts
with a null byte (\x00), testing a blank string as the password via
password_verify() incorrectly returns true. If a user were able to create
a password with a leading null byte (unlikely, but syntactically valid),
the issue would allow an attacker to trivially compromise the victim's
account by attempting to sign in with a blank string.
For Debian 9 stretch, these problems have been fixed in version 7.0.33-0+deb9u17.
We recommend that you upgrade your php7.0 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.