[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- yaws -- Directory traversal flaw
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2011-11-25 20:24:37
Message-ID: 4ECFF985.7030202 () redhat ! com
[Download RAW message or body]

On 11/25/2011 10:39 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
>   a directory traversal flaw was found in the way yaws, web server
> for dynamic content written in Erlang, processed certain URLs. A
> remote, authenticated yaws user could use this flaw to obtain content
> of arbitrary local file, available to the yaws server user via
> specially-crafted URL request.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009
> [2] https://github.com/klacke/yaws/issues/69
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=757181
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: As of right now, according to [2], there doesn't seem
>       to be an upstream patch for this issue available yet.

Please use CVE-2011-4350 for this issue

>Hey,
>This looks a lot like CVE-2010-4181, just a later version of yaws.
Thoughts?
> -Rob

Yes, however this is a different version so new a CVE is warranted, had
these been released at the same time then they would have been merged
according to ADT4.


-- 

-Kurt Seifried / Red Hat Security Response Team

[prev in list] [next in list] [prev in thread] [next in thread]