Two issues have been found in yaws, a high performance HTTP 1.1 webserver written in Erlang.
Reject external resource requests in DAV in order to avoid XML External Entity (XXE) attackes.
Sanitize CGI executable in order to avoid command injection via CGI requests.
For Debian 9 stretch, these problems have been fixed in version 2.0.4+dfsg-1+deb9u1.
We recommend that you upgrade your yaws packages.
For the detailed security status of yaws please refer to its security tracker page at: https://security-tracker.debian.org/tracker/yaws
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS