security advisories on yaws?

Ulf Wiger (AL/EAB) ulf.wiger@REDACTED
Tue Jan 17 10:08:48 CET 2006

As much as it pains me to say anything good about
a Nortel product, I did come across this:

During the period 2003-2006, only one security
advisory was identified by Secunia on the 
Nortel Alteon SSL Accelerator 4.x, which uses
Yaws, if I'm not mistaken. The one identified 
security hole was labeled "moderately critical",
and has been fixed.

Yaws 1.x also has a reported vulnerability(*):
moderately critical, and fixed. According to 
the logs, it seems to have been identified 
2005-06-01, and a patch was issued on the 
16th. The advisory was published on the 17th.

(*) ...leading me to guess that the first issue 
was really not a Yaws vulnerability. Further 
digging revealed that it was due to insufficient 
input validation in the web interface, in 
combination with a cryptographically signed 
Java applet.

Apache 2.x, which of course is used a lot more,
has had 28 advisories during the same time,
out of which 2 remain unpatched.

IIS 5.x has had 9 advisories during the same
time - one extremely critical, and two each
of 'highly critical', 'moderately', 'less'
and 'not'. Two remain unpatched. IIS 6.x
has had two (1 less and 1 not critical), both

Secunia warns against using their statistics to
compare different products. Suffice it then to 
say that their statistics give no indication that
Yaws would be any _less_ secure than the more 
established web servers.
