From a1afe8918d1e85ede2f95cb8694166013e88fdff Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Thu, 25 Jul 2013 09:33:45 -0400 Subject: [PATCH 1/4] Write blog posts for humans * Polish blog-post language for a less-technical crowd * Emphasize that it's not a core issue * Emphasize that it doesn't affect sites without plugins * Break into paragraphs for easier skimability * Explain that it affects users with access to templates, not just plugin authors --- site/_posts/2013-07-25-jekyll-1-0-4-released.markdown | 10 +++++----- site/_posts/2013-07-25-jekyll-1-1-2-released.markdown | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown index 7228b5ac..815d611a 100644 --- a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown 
@@ -7,11 +7,11 @@ version: 1.0.4 categories: [release] --- -This version contains a [very important security patch][230] for `Liquid::Drop` plugins -which granted access to all non-`Drop` entities within a `Drop`, which may include your -Rack configuration settings and many more pieces of private information which could be -used to exploit your system. We recommend you upgrade to v1.0.4 as quickly as possible if -you use `Liquid::Drop` plugins in your site. +Version 1.0.4 fixes a minor, but none-the-less important security vulnerablity affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. + +Community and custom plugins extending the `Liquid::Drop` class may inadvertantly disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. + +We recommend you upgrade to Jekyll v1.0.4 immediately if you use `Liquid::Drop` plugins on your Jekyll site. Many thanks for [Ben Balter](http://github.com/benbalter) for alerting us to the problem and [submitting a patch][1349] so quickly. diff --git a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown index 723787d9..ffaa3b0f 100644 --- a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown 
@@ -7,11 +7,11 @@ version: 1.1.2 categories: [release] --- -This version contains a [very important security patch][230] for `Liquid::Drop` plugins -which granted access to all non-`Drop` entities within a `Drop`, which may include your -Rack configuration settings and many more pieces of private information which could be -used to exploit your system. We recommend you upgrade to v1.1.2 as quickly as possible if -you use `Liquid::Drop` plugins in your site. +Version 1.1.2 fixes a minor, but none-the-less important security vulnerablity affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. + +Community and custom plugins extending the `Liquid::Drop` class may inadvertantly disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. + +We recommend you upgrade to Jekyll v1.1.2 immediately if you use `Liquid::Drop` plugins on your Jekyll site. Many thanks for [Ben Balter](http://github.com/benbalter) for alerting us to the problem and [submitting a patch][1349] so quickly. From 2b56f0dd7c76120b5cbf1e01f0554c318e1c091a Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Thu, 25 Jul 2013 09:36:47 -0400 Subject: [PATCH 2/4] :lipstick: --- site/_posts/2013-07-25-jekyll-1-0-4-released.markdown | 6 +++--- site/_posts/2013-07-25-jekyll-1-1-2-released.markdown | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown index 815d611a..ae0d1cb9 100644 --- a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown 
@@ -7,11 +7,11 @@ version: 1.0.4 categories: [release] --- -Version 1.0.4 fixes a minor, but none-the-less important security vulnerablity affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. +Version 1.1.2 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. -Community and custom plugins extending the `Liquid::Drop` class may inadvertantly disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. +Community and custom plugins extending the `Liquid::Drop` class may inadvertently disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. -We recommend you upgrade to Jekyll v1.0.4 immediately if you use `Liquid::Drop` plugins on your Jekyll site. +We recommend you upgrade to Jekyll v1.1.2 immediately if you use `Liquid::Drop` plugins on your Jekyll site. Many thanks for [Ben Balter](http://github.com/benbalter) for alerting us to the problem and [submitting a patch][1349] so quickly. diff --git a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown index ffaa3b0f..10d843c7 100644 --- a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown 
@@ -7,9 +7,9 @@ version: 1.1.2 categories: [release] --- -Version 1.1.2 fixes a minor, but none-the-less important security vulnerablity affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. +Version 1.1.2 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. -Community and custom plugins extending the `Liquid::Drop` class may inadvertantly disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. +Community and custom plugins extending the `Liquid::Drop` class may inadvertently disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. We recommend you upgrade to Jekyll v1.1.2 immediately if you use `Liquid::Drop` plugins on your Jekyll site. From 7d4a442cbf58a86b10b3853afcb3b98ed3043230 Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Thu, 25 Jul 2013 09:37:57 -0400 Subject: [PATCH 3/4] get the version # right --- site/_posts/2013-07-25-jekyll-1-0-4-released.markdown | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown index ae0d1cb9..775763d9 100644 --- a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown 
@@ -7,11 +7,11 @@ version: 1.0.4 categories: [release] --- -Version 1.1.2 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. +Version 1.0.4 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. Community and custom plugins extending the `Liquid::Drop` class may inadvertently disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. -We recommend you upgrade to Jekyll v1.1.2 immediately if you use `Liquid::Drop` plugins on your Jekyll site. +We recommend you upgrade to Jekyll v1.0.4 immediately if you use `Liquid::Drop` plugins on your Jekyll site. Many thanks for [Ben Balter](http://github.com/benbalter) for alerting us to the problem and [submitting a patch][1349] so quickly. From f2481cf6c0796df11dd75b8da1f2a61177d0215d Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Thu, 25 Jul 2013 09:44:28 -0400 Subject: [PATCH 4/4] s/you are may/you may/ --- site/_posts/2013-07-25-jekyll-1-0-4-released.markdown | 2 +- site/_posts/2013-07-25-jekyll-1-1-2-released.markdown | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown index 775763d9..6ef686c2 100644 --- a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown 
@@ -7,7 +7,7 @@ version: 1.0.4 categories: [release] --- -Version 1.0.4 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. +Version 1.0.4 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you may, but are not required to upgrade at this time. Community and custom plugins extending the `Liquid::Drop` class may inadvertently disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. diff --git a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown index 10d843c7..c27922c4 100644 --- a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown @@ -7,7 +7,7 @@ version: 1.1.2 categories: [release] --- -Version 1.1.2 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. +Version 1.1.2 fixes a minor, but nonetheless important security vulnerability affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you may, but are not required to upgrade at this time. Community and custom plugins extending the `Liquid::Drop` class may inadvertently disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system.
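Review bot: In PATCH 1/4, the first added paragraph of the 1.0.4 post drops the `[230]` link that the removed text attached to "very important security patch", so the announcement no longer points to the fix itself. The unchanged thanks line still links `[1349]`, but a reader deciding whether to upgrade gets no reference from the sentence that describes the vulnerability. Suggest keeping the link, for example on "security vulnerability" in the new first sentence, and applying the same change to the 1.1.2 post.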
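Review bot: In PATCH 1/4, the added second paragraph of the 1.1.2 post narrows the stated impact from "Rack configuration settings and many more pieces of private information which could be used to exploit your system" to "some system information such as directory structure or software configuration", while the first paragraph also calls the issue "minor". If the exposure is unchanged, the advisory should still name the most sensitive data that can leak, so that sites letting others edit Liquid templates can judge their risk. The same hunk also adds "vulnerablity", "inadvertantly" and "you are may", and the unchanged line "Many thanks for [Ben Balter]" should read "Many thanks to".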
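Review bot: In PATCH 2/4, the hunk for `2013-07-25-jekyll-1-0-4-released.markdown` changes "Version 1.0.4" to "Version 1.1.2" and "upgrade to Jekyll v1.0.4" to "upgrade to Jekyll v1.1.2", which puts the wrong release number in the 1.0.4 post (the front matter in the hunk header still says `version: 1.0.4`). It looks like the corrected 1.1.2 text was pasted into both files. PATCH 3/4 reverts the numbers, so consider squashing 2/4 and 3/4 so that no commit in the series tells 1.0.x users to move to the wrong version.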
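Review bot: In PATCH 4/4, the corrected sentence in both posts, "you may, but are not required to upgrade at this time", still reads awkwardly because the parenthetical is not closed with a comma. Suggest "you may upgrade, but are not required to, at this time", or more simply "upgrading is optional at this time".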