ClickCease Multiple PHP 7.4 Vulnerabilities Addressed in Debian 11

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Multiple PHP 7.4 Vulnerabilities Addressed in Debian 11

Rohan Timalsina

April 29, 2024 - TuxCare expert team

Debian 11 was first released on August 14th, 2021 with PHP version 7.4, which has already reached the end of life. This means PHP 7.4 will no longer receive official updates and security fixes from the PHP development team. However, the Debian security team provides fixes for PHP 7.4 as Debian 11 still uses PHP 7.4 as the default version. Recently, multiple PHP 7.4 vulnerabilities have been addressed in Debian 11, which could result in secure cookie bypass, XXE attacks, or incorrect validation of password hashes.


Recent PHP 7.4 Vulnerabilities Fixed


CVE-2023-3823 (CVSS v3 Score: 7.5 High)

In PHP, various XML functions depend on the libxml global state to manage configuration variables, such as the loading of external entities. This state is typically assumed to remain unchanged unless specifically modified by the user through appropriate function calls. However, because this state is shared across the entire process, other modules like ImageMagick, which also utilize the same library within the same process, may inadvertently alter this global state for their own internal needs. Consequently, the global state might be left in a state where loading external entities is enabled.

This scenario can result in the unintended parsing of external XML files with loaded external entities, potentially exposing local files accessible to PHP. This vulnerability may persist across multiple requests within the same process until the process is terminated.


CVE-2023-3824 (CVSS v3 Score: 9.8 Critical)

When loading a Phar file and reading PHAR directory entries, inadequate length checking could result in a stack buffer overflow. This PHP 7.4 vulnerability could potentially lead to memory corruption or remote code execution (RCE).


CVE-2024-2756 (CVSS v3 Score: 6.5 Medium)

This issue stems from PHP’s handling of HTTP variable names. An attacker can exploit this by setting a standard insecure cookie in the victim’s browser, which PHP applications mistakenly interpret as a __Host- or __Secure- cookie. It’s worth noting that this vulnerability persists due to an incomplete fix for #VU67756 (CVE-2022-31629).


CVE-2024-3096 (CVSS v3 Score: 4.8 Medium)

The vulnerability arises from an error within the password_verify() function, potentially leading to incorrect true returns. Exploiting this flaw, a remote attacker could circumvent implemented authentication mechanisms relying on this vulnerable function, thus gaining unauthorized access to the web application.


Mitigation Measures


Despite PHP 7.4 reaching its end-of-life status, Debian continues to utilize it as the default PHP version. The good news is that the Debian security team has addressed PHP 7.4 vulnerabilities in Debian 11 through version 7.4.33-1+deb11u5. Upgrading your PHP 7.4 packages to this patched version is highly recommended to ensure your system’s security.


Securing Your End-of-Life Linux Systems


These vulnerabilities not only affect PHP 7.4 version, but also other different PHP versions. These include PHP versions used in end-of-life operating systems, such as CentOS (6, 7, and 8), Ubuntu 16.04, Ubuntu 18.04, CloudLinux 6, and Oracle Linux 6. To secure these systems, you can utilize TuxCare’s Extended Lifecycle Support which provides security patches for additional years after the EOL. Also, these issues have been already fixed in Extended Lifecycle Support. For more information about vulnerabilities and their patch status, you can visit

TuxCare also provides security patching for end-of-life PHP versions so that your applications can run smoothly and securely without massive code refactoring. Learn more about Extended Lifecycle Support for PHP.


Source: DSA 5660-1

Multiple PHP 7.4 Vulnerabilities Addressed in Debian 11
Article Name
Multiple PHP 7.4 Vulnerabilities Addressed in Debian 11
Learn about critical vulnerabilities found in PHP 7.4 and how to patch them. Explore security risks, solutions, and Debian's updates.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter