Debian Long Term Support / LTS Security Information / 2020 / Security Information -- DLA-2188-1 php5

Debian Security Advisory

DLA-2188-1 php5 -- LTS security update

Date Reported:

26 Apr 2020

Affected Packages:

php5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2020-7064, CVE-2020-7066, CVE-2020-7067.

More information:

Three issues have been found in php5, a server-side, HTML-embedded scripting language.

• CVE-2020-7064

  A one byte out-of-bounds read, which could potentially lead to information disclosure or crash.

• CVE-2020-7066

  An URL containing zero (\0) character will be truncated at it, which may cause some software to make incorrect assumptions and possibly send some information to a wrong server.

• CVE-2020-7067

  Using a malformed url-encoded string an Out-of-Bounds read can occur.

  For Debian 8 Jessie, these problems have been fixed in version 5.6.40+dfsg-0+deb8u11.

  We recommend that you upgrade your php5 packages.

  Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS