[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request -- yaws -- Directory traversal flaw
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2011-11-25 20:24:37
Message-ID: 4ECFF985.7030202 () redhat ! com
[Download RAW message or body]
On 11/25/2011 10:39 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> a directory traversal flaw was found in the way yaws, web server
> for dynamic content written in Erlang, processed certain URLs. A
> remote, authenticated yaws user could use this flaw to obtain content
> of arbitrary local file, available to the yaws server user via
> specially-crafted URL request.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009
> [2] https://github.com/klacke/yaws/issues/69
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=757181
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: As of right now, according to [2], there doesn't seem
> to be an upstream patch for this issue available yet.
Please use CVE-2011-4350 for this issue
>Hey,
>This looks a lot like CVE-2010-4181, just a later version of yaws.
Thoughts?
> -Rob
Yes, however this is a different version so new a CVE is warranted, had
these been released at the same time then they would have been merged
according to ADT4.
--
-Kurt Seifried / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic