------------------------------------------------------------------------- Debian LTS Advisory DLA-2397-1 [email protected] https://www.debian.org/lts/security/ Roberto C. Sánchez October 06, 2020 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : php7.0 Version : 7.0.33-0+deb9u10 CVE ID : CVE-2020-7070 A vulnerability was discovered in PHP, a server-side, HTML-embedded scripting language. When PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge a cookie which is supposed to be secure. For Debian 9 stretch, this problem has been fixed in version 7.0.33-0+deb9u10. We recommend that you upgrade your php7.0 packages. For the detailed security status of php7.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.0 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature