On Sat, Nov 26, 2011 at 12:36 AM, Sergei Golovan <sgolo...@nes.ru> wrote:
> On Fri, Nov 25, 2011 at 7:04 PM, Fabian Linzberger <e...@lefant.net> wrote:
>>
>> A directory traversal vulnerability in yaws has been discovered and
>> disclosed at [1].
>>
>> At least the version of yaws currently in sid (1.91) is affected. One
>> can reproduce the issue by running:
>>
>> curl 'http://localhost:8080/..\\..\\..\\..\\/etc/passwd'
>
> The bug is reproducible... So, I'll try to look into it also.

Both 1.77 (in oldstable) and 1.88 (in stable) do not recognize \\ as a
path separator, so they aren't vulnerable.

Cheers!
--
Sergei Golovan
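
An added example (not yaws code and not part of this thread) modelling the class of bug discussed above: a traversal check that only splits on "/" passes the request path from the report, while a back end that also accepts backslash as a separator resolves the ".." segments. The function names and the document root /var/www are assumptions made for the illustration; the hardened variant resolves first and then checks containment.

```python
import posixpath
import re
from typing import Optional

DOCROOT = "/var/www"  # assumed document root for this illustration

# Request path from the report quoted above (raw string, backslashes literal).
REPORTED = r"/..\\..\\..\\..\\/etc/passwd"


def naive_is_safe(url_path: str) -> bool:
    """Traversal check that only knows '/' as a separator."""
    return ".." not in url_path.split("/")


def resolve(url_path: str, backslash_is_separator: bool) -> str:
    """Map a URL path to a filesystem path under DOCROOT.

    backslash_is_separator=True models a server that accepts a backslash
    as a path separator; False models one that treats it as an ordinary
    character in a file name.
    """
    seps = r"[/\\]+" if backslash_is_separator else r"/+"
    segments = [s for s in re.split(seps, url_path) if s]
    return posixpath.normpath(posixpath.join(DOCROOT, *segments))


def hardened_resolve(url_path: str) -> Optional[str]:
    """Resolve with every separator the back end accepts, then require
    the final path to stay inside DOCROOT. Returns None on escape."""
    full = resolve(url_path, backslash_is_separator=True)
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    print("naive check passes:      ", naive_is_safe(REPORTED))
    print("backslash is a separator:", resolve(REPORTED, True))
    print("backslash is a character:", resolve(REPORTED, False))
    print("hardened result:         ", hardened_resolve(REPORTED))
```

The point of the model is ordering: the containment check has to run on the path after all separator handling, not on the raw request string.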