|
Message-ID: <4ECFF985.7030202@redhat.com> Date: Fri, 25 Nov 2011 13:24:37 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- yaws -- Directory traversal flaw On 11/25/2011 10:39 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > a directory traversal flaw was found in the way yaws, web server > for dynamic content written in Erlang, processed certain URLs. A > remote, authenticated yaws user could use this flaw to obtain content > of arbitrary local file, available to the yaws server user via > specially-crafted URL request. > > References: > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009 > [2] https://github.com/klacke/yaws/issues/69 > [3] https://bugzilla.redhat.com/show_bug.cgi?id=757181 > > Could you allocate a CVE id for this? > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team > > P.S.: As of right now, according to [2], there doesn't seem > to be an upstream patch for this issue available yet. Please use CVE-2011-4350 for this issue >Hey, >This looks a lot like CVE-2010-4181, just a later version of yaws. Thoughts? > -Rob Yes, however this is a different version so new a CVE is warranted, had these been released at the same time then they would have been merged according to ADT4. -- -Kurt Seifried / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.