Merge pull request #1947 from jekyll/1-4-3-release-info

History.markdown

@@ -77,6 +77,11 @@
     GitHub (#1940)
   * Update `docs/sites.md` link to GitHub Training materials (#1949)
 
+## 1.4.3 / 2014-01-13
+
+### Bug Fixes
+  * Patch show-stopping security vulnerabilities (#1944)
+
 ## 1.4.2 / 2013-12-16
 
 ### Bug Fixes

jekyll.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.rdoc_options = ["--charset=UTF-8"]
   s.extra_rdoc_files = %w[README.markdown LICENSE]
 
-  s.add_runtime_dependency('liquid', "~> 2.5.2")
+  s.add_runtime_dependency('liquid', "~> 2.5.5")
   s.add_runtime_dependency('classifier', "~> 1.3")
   s.add_runtime_dependency('listen', "~> 1.3")
   s.add_runtime_dependency('maruku', "~> 0.7.0")
@@ -128,6 +128,8 @@ Gem::Specification.new do |s|
     lib/site_template/css/syntax.css
     lib/site_template/index.html
     script/bootstrap
+    script/branding
+    script/cibuild
     site/.gitignore
     site/CNAME
     site/README
@@ -167,6 +169,9 @@ Gem::Specification.new do |s|
     site/_posts/2013-11-04-jekyll-1-3-0-released.markdown
     site/_posts/2013-11-26-jekyll-1-3-1-released.markdown
     site/_posts/2013-12-07-jekyll-1-4-0-released.markdown
+    site/_posts/2013-12-09-jekyll-1-4-1-released.markdown
+    site/_posts/2013-12-16-jekyll-1-4-2-released.markdown
+    site/_posts/2014-01-13-jekyll-1-4-3-released.markdown
     site/css/screen.css
     site/docs/configuration.md
     site/docs/contributing.md
@@ -195,6 +200,7 @@ Gem::Specification.new do |s|
     site/docs/upgrading.md
     site/docs/usage.md
     site/docs/variables.md
+    site/docs/windows.md
     site/favicon.png
     site/feed.xml
     site/freenode.txt
@@ -221,6 +227,7 @@ Gem::Specification.new do |s|
     test/source/_data/languages.yml
     test/source/_data/members.yaml
     test/source/_data/products.yml
+    test/source/_includes/include.html
     test/source/_includes/params.html
     test/source/_includes/sig.markdown
     test/source/_layouts/default.html
@@ -260,6 +267,8 @@ Gem::Specification.new do |s|
     test/source/_posts/2013-05-10-number-category.textile
     test/source/_posts/2013-07-22-post-excerpt-with-layout.markdown
     test/source/_posts/2013-08-01-mkdn-extension.mkdn
+    test/source/_posts/2013-12-17-include-variable-filters.markdown
+    test/source/_posts/2013-12-20-properties.text
     test/source/_posts/es/2008-11-21-nested.textile
     test/source/about.html
     test/source/category/_posts/2008-9-23-categories.textile
@@ -271,6 +280,7 @@ Gem::Specification.new do |s|
     test/source/foo/_posts/bar/2008-12-12-topical-post.textile
     test/source/index.html
     test/source/products.yml
+    test/source/properties.html
     test/source/sitemap.xml
     test/source/symlink-test/_data
     test/source/symlink-test/symlinked-dir

site/_posts/2014-01-13-jekyll-1-4-3-released.markdown

@@ -0,0 +1,26 @@
+---
+layout: news_item
+title: 'Jekyll 1.4.3 Released'
+date: 2014-01-13 17:43:32 -0800
+author: benbalter
+version: 1.4.3
+categories: [release]
+---
+
+Jekyll 1.4.3 contains two **critical** security fixes. If you run Jekyll locally
+and do not run Jekyll in "safe" mode (e.g. you do not build Jekyll sites on behalf
+of others), you are not affected and are not required to update at this time.
+([See pull request.]({{ site.repository }}/pull/1944))
+
+Versions of Jekyll prior to 1.4.3 and greater than 1.2.0 may allow malicious
+users to expose the content of files outside the source directory in the
+generated output via improper symlink sanitization, potentially resulting in an
+inadvertent information disclosure.
+
+Versions of Jekyll prior to 1.4.3 may also allow malicious users to write
+arbitrary `.html` files outside of the destination folder via relative path
+traversal, potentially overwriting otherwise-trusted content with arbitrary HTML
+or Javascript depending on your server's configuration.
+
+*Maintainer's note: Many thanks to @gregose and @charliesome for discovering
+these vulnerabilities, and to @BenBalter and @alindeman for writing the patch.*