USN-4569-1: Yaws vulnerabilities

05 October 2020

Several security issues were fixed in Yaws.

Releases

Packages

  • yaws - High performance HTTP 1.1 webserver written in Erlang

Details

It was discovered that Yaws did not properly sanitize XML input. A remote
attacker could use this vulnerability to execute an XML External Entity
(XXE) injection attack. (CVE-2020-24379)

It was discovered that Yaws mishandled certain input when running CGI
scripts. A remote attacker could use this vulnerability to execute
arbitrary commands. (CVE-2020-24916)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

In general, a standard system update will make all the necessary changes.