Several security issues were fixed in Yaws.
Software Description:
- yaws: High performance HTTP 1.1 webserver written in Erlang
Details:
It was discovered that Yaws did not properly sanitize XML input. A remote
attacker could use this vulnerability to execute an XML External Entity
(XXE) injection attack. (CVE-2020-24379)
It was discovered that Yaws mishandled certain input when running CGI
scripts. A remote attacker could use this vulnerability to execute
arbitrary commands. (CVE-2020-24916)
The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: erlang-yapp 2.0.4+dfsg-2ubuntu0.1 erlang-yaws 2.0.4+dfsg-2ubuntu0.1 yaws 2.0.4+dfsg-2ubuntu0.1 yaws-mail 2.0.4+dfsg-2ubuntu0.1 In general, a standard system update will make all the necessary changes.
https://ubuntu.com/security/notices/USN-4569-1
CVE-2020-24379, CVE-2020-24916
Get the latest Linux and open source security news straight to your inbox.