ELA-293-1 php5 security update

insecure decoding of cookie names

2020-10-07
Packagephp5
Version5.6.40+dfsg-0+deb8u13
Related CVEs CVE-2020-7070

A vulnerability was discovered in PHP, a server-side, HTML-embedded scripting language. When PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge a cookie which is supposed to be secure.

For Debian 8 jessie, these problems have been fixed in version 5.6.40+dfsg-0+deb8u13.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/