From 00311d2638d594c890d606376ca8c8e70903dfb6 Mon Sep 17 00:00:00 2001 From: Ashwin Maroli Date: Thu, 27 Sep 2018 18:08:30 +0530 Subject: [PATCH] Add Release Post for v3.6.3, v3.7.4 and v3.8.4 (#7259) Merge pull request 7259 --- ...19-security-fixes-for-3-6-3-7-3-8.markdown | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 docs/_posts/2018-09-19-security-fixes-for-3-6-3-7-3-8.markdown diff --git a/docs/_posts/2018-09-19-security-fixes-for-3-6-3-7-3-8.markdown b/docs/_posts/2018-09-19-security-fixes-for-3-6-3-7-3-8.markdown new file mode 100644 index 00000000..ac68177e --- /dev/null +++ b/docs/_posts/2018-09-19-security-fixes-for-3-6-3-7-3-8.markdown @@ -0,0 +1,24 @@ +--- +title: "Security Fixes for series 3.6, 3.7 and 3.8" +date: 2018-09-19 18:00:00 +0530 +author: ashmaroli +categories: [release] +--- + +Hi Jekyllers, + +We have patched a **critical vulnerability** reported to GitHub a couple of weeks ago and have released a set of new gems to +bring that patch to you. The vulnerability allowed arbitrary file reads with the cunning use of the `include:` setting in the +config file. + +By simply including a symlink in the `include` array allowed the symlinked file to be read into the build when they shouldn't +actually be read in any circumstance.
+Further details regarding the patch can be viewed at the [pull request URL]({{ site.repository }}/pull/7224) + +The patch has been released as versions `3.6.3`, `3.7.4` and `3.8.4`.
+`v3.7.4` was released a couple of weeks prior and has been bundled with `github-pages-v192`. + +Please keep in mind that this issue affects _all previously released Jekyll versions_. If you have not had +a good reason to upgrade to `3.6`, `3.7` or `3.8` yet, we advise that you do so at your earliest. + +As always, Happy Jekylling! :sparkles:
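Review bot: the sentence "By simply including a symlink in the `include` array allowed the symlinked file to be read into the build when they shouldn't actually be read in any circumstance." has no grammatical subject and mixes singular and plural; since this is the one sentence readers will rely on to judge whether their sites are affected, suggest rewording to: "Simply listing a symlink in the `include` array caused the symlinked file to be read into the build, which should never happen under any circumstances." Minor, in the same hunk: "we advise that you do so at your earliest" reads as cut off and should be "at your earliest convenience", and the link text "[pull request URL]" would be clearer as "[pull request]" or "[the pull request that fixed it]" so readers know it points to the patch rather than to a URL field.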