ELA-293-1 php5 security update
Package: php5
Version: 5.6.40+dfsg-0+deb8u13
Related CVEs: CVE-2020-7070
A vulnerability was discovered in PHP, a server-side, HTML-embedded scripting language. When PHP processes incoming HTTP cookie values, the cookie names are URL-decoded. As a result, a cookie whose name decodes to a prefix like __Host may be confused with a cookie that genuinely carries that prefix, allowing an attacker to forge a cookie which is supposed to be secure.
For Debian 8 jessie, this problem has been fixed in version 5.6.40+dfsg-0+deb8u13.
We recommend that you upgrade your php5 packages.
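To look for the cookie-name confusion described above in request logs or at a proxy, the following added example (not part of the advisory or of PHP's own code) flags cookie names that carry a __Host- or __Secure- prefix only after URL-decoding. The function names and sample headers are constructed for illustration, and it assumes the raw Cookie header value is available.

```python
from urllib.parse import unquote

# Cookie name prefixes that browsers only accept under strict conditions
# (Secure attribute; for __Host- also Path=/ and no Domain attribute).
GUARDED_PREFIXES = ("__Host-", "__Secure-")


def split_cookie_header(header_value):
    """Yield (raw_name, raw_value) pairs from a Cookie request header value."""
    for pair in header_value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield name.strip(), value


def find_prefix_confusion(header_value):
    """Return raw cookie names that only gain a guarded prefix after URL-decoding.

    Such a name is not prefix-protected by the browser, yet a PHP build that
    URL-decodes cookie names hands it to the application under the guarded name.
    """
    suspicious = []
    for raw_name, _ in split_cookie_header(header_value):
        if raw_name.startswith(GUARDED_PREFIXES):
            continue  # literally prefixed: the browser enforced the prefix rules
        if unquote(raw_name).startswith(GUARDED_PREFIXES):
            suspicious.append(raw_name)
    return suspicious


# Constructed sample Cookie header values (not taken from real traffic).
SAMPLE_HEADERS = [
    "__Host-session=abc123; theme=dark",
    "%5F%5FHost-session=forged; theme=dark",
    "lang=en; __%53ecure-id=1",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(repr(header), "->", find_prefix_confusion(header))
```

A non-empty result on a request is worth logging or rejecting at the edge, whether or not the PHP package behind it has been upgraded.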
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A php5 security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where an attacker can forge a cookie.