-------------------------------------------------------------------------
Debian LTS Advisory DLA-3810-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
May 07, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php7.3
Version        : 7.3.31-1~deb10u6
CVE ID         : CVE-2024-2756 CVE-2024-3096

Security issues were found in PHP, a widely-used open source general
purpose scripting language, which could result in information disclosure
or incorrect validation of password hashes.

CVE-2024-2756

    Marco Squarcina discovered that network and same-site attackers can
    set a standard insecure cookie in the victim's browser which is
    treated as a `__Host-` or `__Secure-` cookie by PHP applications.
    This issue stems from an incomplete fix to CVE-2022-31629.

CVE-2024-3096

    Eric Stern discovered that if a password stored with password_hash()
    starts with a null byte (\x00), testing a blank string as the
    password via password_verify() incorrectly returns true. If a user
    were able to create a password with a leading null byte (unlikely,
    but syntactically valid), the issue would allow an attacker to
    trivially compromise the victim's account by attempting to sign in
    with a blank string.

For Debian 10 buster, these problems have been fixed in version
7.3.31-1~deb10u6.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
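The following is an added example, not part of the advisory and not code from the PHP project, showing application-level defence-in-depth checks for both issue classes described above. It assumes the application controls both password enrolment and verification (so it can refuse empty or NUL-containing passwords before they ever reach password_hash() or password_verify()), and, for the cookie issue, that the browser sends cookie names verbatim in the Cookie request header, so an application can confirm that a `__Host-` or `__Secure-` entry in `$_COOKIE` is backed by that literal name in `$_SERVER['HTTP_COOKIE']`. The function names, the sample hash input and the constructed cookie header are all illustrative; these checks complement the package upgrade, they do not replace it.

```php
<?php
// Added example: defensive wrappers for the two issues in DLA-3810-1.
// None of this is PHP project code; function names are hypothetical.

// --- CVE-2024-3096: password hashes derived from NUL-led passwords -------
// Refusing empty and NUL-containing passwords at enrolment means no stored
// hash can ever match the empty string, and refusing an empty candidate at
// login means password_verify() is never asked the question at all.

function safe_password_hash(string $password): string
{
    if ($password === '' || strpos($password, "\0") !== false) {
        throw new InvalidArgumentException(
            'password must be non-empty and must not contain NUL bytes');
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

function safe_password_verify(string $candidate, string $hash): bool
{
    // A blank or NUL-containing candidate is never a legitimate password here.
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return false;
    }
    return password_verify($candidate, $hash);
}

// --- CVE-2024-2756: prefixed cookie spoofing -----------------------------
// Assumption: whatever name normalisation confuses $_COOKIE, the raw Cookie
// header carries the name the browser actually sent. Requiring the exact
// literal name there is a defence-in-depth check, not a fix.

function raw_cookie_names(string $cookieHeader): array
{
    $names = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        $pair = ltrim($pair, ' ');
        $eq = strpos($pair, '=');
        if ($eq === false || $eq === 0) {
            continue;
        }
        $names[] = substr($pair, 0, $eq);
    }
    return $names;
}

// Returns the cookie value only if $_COOKIE has it AND the raw header
// contains the exact prefixed name; otherwise null (treat as absent).
function trusted_prefixed_cookie(string $name, array $cookies, string $cookieHeader): ?string
{
    if (strncmp($name, '__Host-', 7) !== 0 && strncmp($name, '__Secure-', 9) !== 0) {
        throw new InvalidArgumentException('only __Host-/__Secure- names are checked here');
    }
    if (!isset($cookies[$name])) {
        return null;
    }
    if (!in_array($name, raw_cookie_names($cookieHeader), true)) {
        return null;
    }
    return $cookies[$name];
}

// Demonstration with constructed inputs (in a real request these would be
// $_COOKIE and $_SERVER['HTTP_COOKIE']).
$hash = safe_password_hash('correct horse battery staple');
echo 'blank candidate accepted: ', var_export(safe_password_verify('', $hash), true), "\n";
echo 'real password accepted:   ', var_export(safe_password_verify('correct horse battery staple', $hash), true), "\n";
try {
    safe_password_hash("\0leading-nul");
} catch (InvalidArgumentException $e) {
    echo 'enrolment refused: ', $e->getMessage(), "\n";
}

$parsedCookies = ['__Host-sid' => 'abc'];        // constructed: what $_COOKIE might hold
$mismatchedHeader = 'other=1';                    // constructed: raw header lacks the literal name
$matchingHeader   = '__Host-sid=abc; other=1';    // constructed: raw header carries it verbatim
echo 'mismatched header: ', var_export(trusted_prefixed_cookie('__Host-sid', $parsedCookies, $mismatchedHeader), true), "\n";
echo 'matching header:   ', var_export(trusted_prefixed_cookie('__Host-sid', $parsedCookies, $matchingHeader), true), "\n";
```

The password wrappers are the durable part of this example: even on a patched PHP, an application has no legitimate reason to accept an empty password or one containing NUL bytes, so rejecting them removes this class of collision regardless of how crypt() treats string terminators. The cookie check is narrower; it only detects the case where `$_COOKIE` presents a prefixed name that the browser did not literally send, and a session handler that reads the cookie itself would need the same comparison applied to it.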