A vulnerability was discovered in PHP, a server-side, HTML-embedded scripting language. When PHP processes incoming HTTP cookie values, it url-decodes the cookie names. As a result, a cookie whose name only decodes to a prefix such as __Host can be confused with a cookie that genuinely carries that prefix, allowing an attacker to forge a cookie that is supposed to be secure.
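A defensive check for the confusion described above, added here as an example and not taken from the advisory or from PHP itself: it scans a raw Cookie request header and reports names that match a protected prefix only after url-decoding. The function names, the inclusion of `__Secure-` alongside `__Host-`, and the sample headers are assumptions constructed for illustration.

```python
from urllib.parse import unquote

# Cookie name prefixes on which browsers enforce extra rules.
# "__Host" is named in the advisory; "__Secure-" is added here as an assumption.
PROTECTED_PREFIXES = ("__Host-", "__Secure-")


def split_cookie_header(header):
    """Yield (raw_name, value) pairs from a Cookie request header value."""
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield name.strip(), value


def find_spoofed_prefix_cookies(header):
    """Return (raw_name, decoded_name) for names that gain a protected
    prefix only once they are url-decoded, as an unpatched PHP would do."""
    findings = []
    for raw_name, _ in split_cookie_header(header):
        if raw_name.startswith(PROTECTED_PREFIXES):
            continue  # literal prefix: the browser applied its prefix rules
        decoded = unquote(raw_name)
        if decoded.startswith(PROTECTED_PREFIXES):
            findings.append((raw_name, decoded))
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from real traffic.
    samples = [
        "__Host-sid=abc123; theme=dark",
        "%5F%5FHost-sid=forged; theme=dark",
        "__Host-sid=abc123; __%48ost-sid=forged",
    ]
    for header in samples:
        print(header, "->", find_spoofed_prefix_cookies(header))
```

The check has to run on the raw header (for example from an access log or a reverse proxy), because by the time an affected PHP has populated its cookie array the encoded and literal names are no longer distinguishable.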
For Debian 8 jessie, this problem has been fixed in version 5.6.40+dfsg-0+deb8u13.
We recommend that you upgrade your php5 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/