[SECURITY] [DLA 3810-1] php7.3 security update

Debian LTS Advisory DLA-3810-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin May 07, 2024 https://wiki.debian.org/LTS Package : php7.3 Version : 7.3.31-1~deb10u6 CVE ID : CVE-2024-2756 CVE-2024-3096 Security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure or incorrect validation of password hashes. CVE-2024-2756 Marco Squarcina discovered that network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications. This issue stems from an incomplete fix to CVE-2022-31629. CVE-2024-3096 Eric Stern discovered that if a password stored with password_hash() starts with a null byte (x00), testing a blank string as the password via password_verify() incorrectly returns true. If a user were able to create a password with a leading null byte (unlikely, but syntactically valid), the issue would allow an attacker to trivially compromise the victim's account by attempting to sign in with a blank string. For Debian 10 buster, these problems have been fixed in version 7.3.31-1~deb10u6. We recommend that you upgrade your php7.3 packages. For the detailed security status of php7.3 please refer to its security tracker page at:…Read More