Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 25 Nov 2011 13:24:37 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- yaws -- Directory traversal flaw

On 11/25/2011 10:39 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
>   a directory traversal flaw was found in the way yaws, web server
> for dynamic content written in Erlang, processed certain URLs. A
> remote, authenticated yaws user could use this flaw to obtain content
> of arbitrary local file, available to the yaws server user via
> specially-crafted URL request.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009
> [2] https://github.com/klacke/yaws/issues/69
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=757181
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: As of right now, according to [2], there doesn't seem
>       to be an upstream patch for this issue available yet.

Please use CVE-2011-4350 for this issue

>Hey,
>This looks a lot like CVE-2010-4181, just a later version of yaws.
Thoughts?
> -Rob

Yes, however this is a different version so new a CVE is warranted, had
these been released at the same time then they would have been merged
according to ADT4.


-- 

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.