Debian 10261 Published by

A php5 security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where an attacker can forge a cookie.



ELA-293-1 php5 security update

Package php5
Version 5.6.40+dfsg-0+deb8u13
Related CVEs CVE-2020-7070

A vulnerability was discovered in PHP, a server-side, HTML-embedded scripting language. When PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge a cookie which is supposed to be secure.

For Debian 8 jessie, these problems have been fixed in version 5.6.40+dfsg-0+deb8u13.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-293-1 php5 security update