| Package | php5 |
|---|---|
| Version | 5.6.40+dfsg-0+deb8u19 (jessie) |
| Related CVEs | CVE-2024-2756 CVE-2024-3096 |
Two security problems were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure or incorrect validation of password hashes.
CVE-2024-2756
Marco Squarcina discovered that network and same-site attackers can set a
standard insecure cookie in the victim's browser which is treated as a
`__Host-` or `__Secure-` cookie by PHP applications. This issue stems from
an incomplete fix to CVE-2022-31629.
CVE-2024-3096
Eric Stern discovered that if a password stored with password_hash() starts
with a null byte (\x00), testing a blank string as the password via
password_verify() incorrectly returns true. If a user were able to create
a password with a leading null byte (unlikely, but syntactically valid),
the issue would allow an attacker to trivially compromise the victim's
account by attempting to sign in with a blank string.
For Debian 8 jessie, these problems have been fixed in version 5.6.40+dfsg-0+deb8u19.
We recommend that you upgrade your php5 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.