Debian Security Advisory

DLA-2384-1 yaws -- LTS security update

Date Reported:
26 Sep 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2020-24379, CVE-2020-24916.
More information:

Two issues have been found in yaws, a high performance HTTP 1.1 webserver written in Erlang.

  • CVE-2020-24379

    Reject external resource requests in DAV in order to avoid XML External Entity (XXE) attackes.

  • CVE-2020-24916

    Sanitize CGI executable in order to avoid command injection via CGI requests.

    For Debian 9 stretch, these problems have been fixed in version 2.0.4+dfsg-1+deb9u1.

    We recommend that you upgrade your yaws packages.

    For the detailed security status of yaws please refer to its security tracker page at:

    Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: