diff --git a/History.markdown b/History.markdown index f57a3da1..fc8d4486 100644 --- a/History.markdown +++ b/History.markdown @@ -77,6 +77,11 @@ GitHub (#1940) * Update `docs/sites.md` link to GitHub Training materials (#1949) +## 1.4.3 / 2014-01-13 + +### Bug Fixes + * Patch show-stopping security vulnerabilities (#1944) + ## 1.4.2 / 2013-12-16 ### Bug Fixes diff --git a/jekyll.gemspec b/jekyll.gemspec index 1608ce76..e3d74185 100644 --- a/jekyll.gemspec +++ b/jekyll.gemspec @@ -24,7 +24,7 @@ Gem::Specification.new do |s| s.rdoc_options = ["--charset=UTF-8"] s.extra_rdoc_files = %w[README.markdown LICENSE] - s.add_runtime_dependency('liquid', "~> 2.5.2") + s.add_runtime_dependency('liquid', "~> 2.5.5") s.add_runtime_dependency('classifier', "~> 1.3") s.add_runtime_dependency('listen', "~> 1.3") s.add_runtime_dependency('maruku', "~> 0.7.0") @@ -128,6 +128,8 @@ Gem::Specification.new do |s| lib/site_template/css/syntax.css lib/site_template/index.html script/bootstrap + script/branding + script/cibuild site/.gitignore site/CNAME site/README @@ -167,6 +169,9 @@ Gem::Specification.new do |s| site/_posts/2013-11-04-jekyll-1-3-0-released.markdown site/_posts/2013-11-26-jekyll-1-3-1-released.markdown site/_posts/2013-12-07-jekyll-1-4-0-released.markdown + site/_posts/2013-12-09-jekyll-1-4-1-released.markdown + site/_posts/2013-12-16-jekyll-1-4-2-released.markdown + site/_posts/2014-01-13-jekyll-1-4-3-released.markdown site/css/screen.css site/docs/configuration.md site/docs/contributing.md @@ -195,6 +200,7 @@ Gem::Specification.new do |s| site/docs/upgrading.md site/docs/usage.md site/docs/variables.md + site/docs/windows.md site/favicon.png site/feed.xml site/freenode.txt @@ -221,6 +227,7 @@ Gem::Specification.new do |s| test/source/_data/languages.yml test/source/_data/members.yaml test/source/_data/products.yml + test/source/_includes/include.html test/source/_includes/params.html test/source/_includes/sig.markdown test/source/_layouts/default.html @@ -260,6 +267,8 @@ Gem::Specification.new do |s| test/source/_posts/2013-05-10-number-category.textile test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown test/source/_posts/2013-08-01-mkdn-extension.mkdn + test/source/_posts/2013-12-17-include-variable-filters.markdown + test/source/_posts/2013-12-20-properties.text test/source/_posts/es/2008-11-21-nested.textile test/source/about.html test/source/category/_posts/2008-9-23-categories.textile @@ -271,6 +280,7 @@ Gem::Specification.new do |s| test/source/foo/_posts/bar/2008-12-12-topical-post.textile test/source/index.html test/source/products.yml + test/source/properties.html test/source/sitemap.xml test/source/symlink-test/_data test/source/symlink-test/symlinked-dir diff --git a/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown b/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown new file mode 100644 index 00000000..a97bcec4 --- /dev/null +++ b/site/_posts/2014-01-13-jekyll-1-4-3-released.markdown @@ -0,0 +1,26 @@ +--- +layout: news_item +title: 'Jekyll 1.4.3 Released' +date: 2014-01-13 17:43:32 -0800 +author: benbalter +version: 1.4.3 +categories: [release] +--- + +Jekyll 1.4.3 contains two **critical** security fixes. If you run Jekyll locally +and do not run Jekyll in "safe" mode (e.g. you do not build Jekyll sites on behalf +of others), you are not affected and are not required to update at this time. +([See pull request.]({{ site.repository }}/pull/1944)) + +Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious +users to expose the content of files outside the source directory in the +generated output via improper symlink sanitization, potentially resulting in an +inadvertent information disclosure. + +Versions of Jekyll prior to 1.4.3 may also allow malicious users to write +arbitrary `.html` files outside of the destination folder via relative path +traversal, potentially overwriting otherwise-trusted content with arbitrary HTML +or Javascript depending on your server's configuration. + +*Maintainer's note: Many thanks to @gregose and @charliesome for discovering +these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.*