CVE-2024-2756 (https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4): Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. CVE-2024-2757 (https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq): Certain inputs provided to mb_encode_mimeheader trigger an endless loop. CVE-2024-3096 (https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr): If a password stored with password_hash starts with a null byte (\x00), testing a blank string as the password via password_verify will incorrectly return true. If a user were able to create a password with a leading null byte (unlikely, but syntactically valid), an attacker could trivially compromise the victim's account by attempting to sign in with a blank string. The above are fixed in: 8.1.28, 8.2.18, 8.3.6 with CVE-2024-2757 only being fixed in 8.3.6.
*** This bug has been marked as a duplicate of bug 929929 ***