Debian Security Advisory

DLA-2188-1 php5 -- LTS security update

Date Reported:
26 Apr 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2020-7064, CVE-2020-7066, CVE-2020-7067.
More information:

Three issues have been found in php5, a server-side, HTML-embedded scripting language.

  • CVE-2020-7064

    A one byte out-of-bounds read, which could potentially lead to information disclosure or crash.

  • CVE-2020-7066

    An URL containing zero (\0) character will be truncated at it, which may cause some software to make incorrect assumptions and possibly send some information to a wrong server.

  • CVE-2020-7067

    Using a malformed url-encoded string an Out-of-Bounds read can occur.

    For Debian 8 Jessie, these problems have been fixed in version 5.6.40+dfsg-0+deb8u11.

    We recommend that you upgrade your php5 packages.

    Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: