security advisories on yaws?
Ulf Wiger (AL/EAB)
Tue Jan 17 10:08:48 CET 2006
As much as it pains me to say anything good about
a Nortel product, I did come across this:

During the period 2003-2006, only one security
advisory was identified by Secunia on the
Nortel Alteon SSL Accelerator 4.x, which uses
Yaws, if I'm not mistaken. The one identified
security hole was labeled "moderately critical",
and has been fixed.

Yaws 1.x also has a reported vulnerability(*)
Moderately critical, and fixed. According to
the logs, it seems to have been identified
2005-06-01, and a patch was issued on the
16th. The advisory was published on the 17th.

(*) ...leading me to guess that the first issue
was really not a Yaws vulnerability. Further
digging revealed that it was due to insufficient
input validation in the web interface, in
combination with a cryptographically signed

Apache 2.x, which of course is used a lot more,
has had 28 advisories during the same time,
out of which 2 remain unpatched.

IIS 5.x has had 9 advisories during the same
time - one extremely critical, and two each
of 'highly critical', 'moderately', 'less'
and 'not'. Two remain unpatched. IIS 6.x
has had two (1 less and 1 not critical), both

Secunia warns against using their statistics to
compare different products. Suffice it then to
say that their statistics give no indication that
Yaws would be any _less_ secure than the more
established web servers.