dan
/
jekyll
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Release Post for v3.6.3, v3.7.4 and v3.8.4 (#7259) 

Merge pull request 7259
This commit is contained in:
Ashwin Maroli 2018-09-27 18:08:30 +05:30 committed by jekyllbot
parent 353574307a
commit 00311d2638
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
docs/_posts/2018-09-19-security-fixes-for-3-6-3-7-3-8.markdown Normal file
View File

@ -0,0 +1,24 @@
---
title: "Security Fixes for series 3.6, 3.7 and 3.8"
date: 2018-09-19 18:00:00 +0530
author: ashmaroli
categories: [release]
---
Hi Jekyllers,
We have patched a **critical vulnerability** reported to GitHub a couple of weeks ago and have released a set of new gems to
bring that patch to you. The vulnerability allowed arbitrary file reads with the cunning use of the `include:` setting in the
config file.
By simply including a symlink in the `include` array allowed the symlinked file to be read into the build when they shouldn't
actually be read in any circumstance. <br/>
Further details regarding the patch can be viewed at the [pull request URL]({{ site.repository }}/pull/7224)
The patch has been released as versions `3.6.3`, `3.7.4` and `3.8.4`.<br/>
`v3.7.4` was released a couple of weeks prior and has been bundled with `github-pages-v192`.
Please keep in mind that this issue affects _all previously released Jekyll versions_. If you have not had
a good reason to upgrade to `3.6`, `3.7` or `3.8` yet, we advise that you do so at your earliest.
As always, Happy Jekylling! :sparkles: