Debian 10228 Published by

The following PHP security updates are available for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1091-1 php5 security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1092-1 php7.0 security update



ELA-1092-1 php7.0 security update

Package : php7.0
Version : 7.0.33-0+deb9u17 (stretch)

Related CVEs :
CVE-2024-2756
CVE-2024-3096

Two security problems were found in PHP, a widely-used open source general
purpose scripting language, which could result in information disclosure or
incorrect validation of password hashes.

CVE-2024-2756
Marco Squarcina discovered that network and same-site attackers can set a
standard insecure cookie in the victim's browser which is treated as a
`__Host-` or `__Secure-` cookie by PHP applications. This issue stems from
an incomplete fix to CVE-2022-31629.

CVE-2024-3096
Eric Stern discovered that if a password stored with password_hash() starts
with a null byte (\x00), testing a blank string as the password via
password_verify() incorrectly returns true. If a user were able to create
a password with a leading null byte (unlikely, but syntactically valid),
the issue would allow an attacker to trivially compromise the victim's
account by attempting to sign in with a blank string.

ELA-1092-1 php7.0 security update


ELA-1091-1 php5 security update

Package : php5
Version : 5.6.40+dfsg-0+deb8u19 (jessie)

Related CVEs :
CVE-2024-2756
CVE-2024-3096

Two security problems were found in PHP, a widely-used open source general
purpose scripting language, which could result in information disclosure or
incorrect validation of password hashes.
CVE-2024-2756
Marco Squarcina discovered that network and same-site attackers can set a
standard insecure cookie in the victim's browser which is treated as a
`__Host-` or `__Secure-` cookie by PHP applications. This issue stems from
an incomplete fix to CVE-2022-31629.

CVE-2024-3096
Eric Stern discovered that if a password stored with password_hash() starts
with a null byte (\x00), testing a blank string as the password via
password_verify() incorrectly returns true. If a user were able to create
a password with a leading null byte (unlikely, but syntactically valid),
the issue would allow an attacker to trivially compromise the victim's
account by attempting to sign in with a blank string.

ELA-1091-1 php5 security update