Your message dated Sat, 26 Nov 2011 16:04:26 +0000
with message-id <e1rukjq-0002ar...@franck.debian.org>
and subject line Bug#650009: fixed in yaws 1.91-2
has caused the Debian Bug report #650009,
regarding yaws vulnerable to directory traversal using ..\\
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
650009: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650009
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: yaws
Version: 1.91-1
Severity: critical
Tags: security upstream sid
Hi,
A directory traversal vulnerability in yaws has been discovered and
disclosed at [1].
At least the version of yaws currently in sid (1.91) is affected. One
can reproduce the issue by running:
curl 'http://localhost:8080/..\\..\\..\\..\\/etc/passwd'
against a fresh install of the yaws package with default config.
This will return a copy of the /etc/passwd file. The default config
only binds yaws to the localhost IP, but the vulnerability is the same
if you run it on public addresses (as one would in many typical
installations, it is a webserver).
I was not able to reproduce the issue in the version of the package in
squeeze, with the above GET request, but I have not done a thorough
investigation.
Upstream has promised a fix in the linked bug report, but there is no
official patch yet.
Fabian
[1]: https://github.com/klacke/yaws/issues/69
--- End Message ---
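The report above shows that backslash-separated ".." segments were not recognised as traversal. As an added example that is not part of the bug report or of the yaws code base, the following request-path resolver performs the check a server needs: it treats "\" as equivalent to "/", decodes percent-encoding first, and refuses any path that would climb above the document root. It is written in Python for illustration rather than yaws's Erlang, and the docroot path is an assumption.

```python
from urllib.parse import unquote


def resolve_request_path(docroot, request_path):
    """Map an HTTP request path onto a file under docroot.

    Returns the resolved filesystem path, or None when the request would
    escape docroot. Both '/' and '\\' are treated as segment separators
    (the case the report shows yaws 1.91 missed), percent-encoding is
    decoded before inspection, and '..' is resolved segment by segment so
    it can never climb past the docroot.
    """
    # Drop the query string, then decode %xx so encoded '..' or '\' are seen.
    path = unquote(request_path.split("?", 1)[0])
    # Normalise backslashes to slashes before looking for '..' segments.
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue          # empty (from '//') and '.' add nothing
        if seg == "..":
            if not segments:
                return None   # would climb above docroot: reject, don't clamp
            segments.pop()
            continue
        segments.append(seg)
    return "/".join([docroot.rstrip("/")] + segments)


if __name__ == "__main__":
    # Constructed sample requests: the report's traversal and a benign one.
    docroot = "/var/www/html"  # assumed document root for the illustration
    for req in ("/..\\..\\..\\..\\/etc/passwd", "/index.yaws"):
        print(req, "->", resolve_request_path(docroot, req))
```

This is a lexical check only: symlinks inside the docroot still need a realpath comparison before the file is served, and a rejected request (None) is worth logging as a traversal attempt.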
--- Begin Message ---
Source: yaws
Source-Version: 1.91-2
We believe that the bug you reported is fixed in the latest version of
yaws, which is due to be installed in the Debian FTP archive:
erlang-yaws_1.91-2_i386.deb
to main/y/yaws/erlang-yaws_1.91-2_i386.deb
yaws-chat_1.91-2_all.deb
to main/y/yaws/yaws-chat_1.91-2_all.deb
yaws-doc_1.91-2_all.deb
to main/y/yaws/yaws-doc_1.91-2_all.deb
yaws-mail_1.91-2_all.deb
to main/y/yaws/yaws-mail_1.91-2_all.deb
yaws-wiki_1.91-2_all.deb
to main/y/yaws/yaws-wiki_1.91-2_all.deb
yaws-yapp_1.91-2_all.deb
to main/y/yaws/yaws-yapp_1.91-2_all.deb
yaws_1.91-2.diff.gz
to main/y/yaws/yaws_1.91-2.diff.gz
yaws_1.91-2.dsc
to main/y/yaws/yaws_1.91-2.dsc
yaws_1.91-2_all.deb
to main/y/yaws/yaws_1.91-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 650...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <sgolo...@debian.org> (supplier of updated yaws package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 26 Nov 2011 19:34:12 +0400
Source: yaws
Binary: yaws erlang-yaws yaws-doc yaws-chat yaws-mail yaws-wiki yaws-yapp
Architecture: source i386 all
Version: 1.91-2
Distribution: unstable
Urgency: high
Maintainer: Debian Erlang Packagers <pkg-erlang-de...@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolo...@debian.org>
Description:
erlang-yaws - Erlang application which implements HTTP webserver
yaws - High performance HTTP 1.1 webserver written in Erlang
yaws-chat - Chat application for Yaws web server
yaws-doc - Documentation and examples for Yaws web server
yaws-mail - Webmail application for Yaws web server
yaws-wiki - Wiki application for Yaws web server
yaws-yapp - Provides an easy way to deploy applications for Yaws web server
Closes: 650009
Changes:
yaws (1.91-2) unstable; urgency=high
.
* Added patch by Uwe Dauernheim which fixes directory traversal bug
(closes: #650009).
--- End Message ---