From a1afe8918d1e85ede2f95cb8694166013e88fdff Mon Sep 17 00:00:00 2001 From: Ben Balter Date: Thu, 25 Jul 2013 09:33:45 -0400 Subject: [PATCH] Write blog posts for humans * Polish blog-post language for a less-technical crowd * Emphasize that it's not a core issue * Emphasize that it doesn't affect sites without plugins * Break into paragraphs for easier skimability * Explain that it affects users with access to templates, not just plugin authors --- site/_posts/2013-07-25-jekyll-1-0-4-released.markdown | 10 +++++----- site/_posts/2013-07-25-jekyll-1-1-2-released.markdown | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown index 7228b5ac..815d611a 100644 --- a/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-0-4-released.markdown 
@@ -7,11 +7,11 @@ version: 1.0.4 categories: [release] --- -This version contains a [very important security patch][230] for `Liquid::Drop` plugins -which granted access to all non-`Drop` entities within a `Drop`, which may include your -Rack configuration settings and many more pieces of private information which could be -used to exploit your system. We recommend you upgrade to v1.0.4 as quickly as possible if -you use `Liquid::Drop` plugins in your site. +Version 1.0.4 fixes a minor, but none-the-less important security vulnerablity affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. + +Community and custom plugins extending the `Liquid::Drop` class may inadvertantly disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. + +We recommend you upgrade to Jekyll v1.0.4 immediately if you use `Liquid::Drop` plugins on your Jekyll site. Many thanks for [Ben Balter](http://github.com/benbalter) for alerting us to the problem and [submitting a patch][1349] so quickly. diff --git a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown index 723787d9..ffaa3b0f 100644 --- a/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown +++ b/site/_posts/2013-07-25-jekyll-1-1-2-released.markdown 
@@ -7,11 +7,11 @@ version: 1.1.2 categories: [release] --- -This version contains a [very important security patch][230] for `Liquid::Drop` plugins -which granted access to all non-`Drop` entities within a `Drop`, which may include your -Rack configuration settings and many more pieces of private information which could be -used to exploit your system. We recommend you upgrade to v1.1.2 as quickly as possible if -you use `Liquid::Drop` plugins in your site. +Version 1.1.2 fixes a minor, but none-the-less important security vulnerablity affecting several third-party Jekyll plugins. If your Jekyll site does not use plugins, you are may, but are not required to upgrade at this time. + +Community and custom plugins extending the `Liquid::Drop` class may inadvertantly disclose some system information such as directory structure or software configuration to users with access to the Liquid templating system. + +We recommend you upgrade to Jekyll v1.1.2 immediately if you use `Liquid::Drop` plugins on your Jekyll site. Many thanks for [Ben Balter](http://github.com/benbalter) for alerting us to the problem and [submitting a patch][1349] so quickly.
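Review bot: In the 1.0.4 post, the first added paragraph contains a sentence that does not parse, "you are may, but are not required to upgrade at this time", along with the misspelling "vulnerablity"; the second added paragraph has "inadvertantly". Suggest "you may upgrade, but are not required to, at this time", "vulnerability", "inadvertently", and "nonetheless" in place of "none-the-less". The unchanged trailing line "Many thanks for [Ben Balter]" would read better as "Many thanks to" while this part of the post is being edited.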
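Review bot: In the 1.1.2 post, the added paragraphs drop the `[230]` reference that the removed text attached to "very important security patch", so the security notice itself no longer links to any detail; either keep a link on "security vulnerability" or check whether a `[230]` definition elsewhere in the file is now orphaned and remove it. The first added paragraph also calls the issue "minor" while the third tells plugin users to upgrade "immediately", and the removed mention of Rack configuration settings becomes the vaguer "software configuration"; say once, consistently, what can be disclosed and how urgent the upgrade is, so that sites using `Liquid::Drop` plugins can judge their exposure. The wording problems from the 1.0.4 hunk ("vulnerablity", "inadvertantly", "you are may") are repeated here and need the same fixes.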