dan
/
jekyll
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
jekyll/docs/_posts/2018-09-19-security-fixes-f...

27 lines
1.1 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "Security Fixes for series 3.6, 3.7 and 3.8"
date: 2018-09-19 18:00:00 +0530
author: ashmaroli
category: release
version: 3.8.4
---
Hi Jekyllers,
We have patched a **critical vulnerability** reported to GitHub a couple of weeks ago and have released a set of new gems to
bring that patch to you. The vulnerability allowed arbitrary file reads with the cunning use of the `include:` setting in the
config file.
By simply including a symlink in the `include` array allowed the symlinked file to be read into the build when they shouldn't
actually be read in any circumstance.  
Further details regarding the patch can be viewed at the [pull request URL]({{ site.repository }}/pull/7224)
The patch has been released as versions `3.6.3`, `3.7.4` and `3.8.4`.  
Thanks to @parkr `v3.7.4` was released a couple of weeks prior and has been bundled with `github-pages-v192`.
Please keep in mind that this issue affects _all previously released Jekyll versions_. If you have not had
a good reason to upgrade to `3.6`, `3.7` or `3.8` yet, we advise that you do so at the earliest.
As always, Happy Jekylling! :sparkles:
Reference in New Issue View Git Blame Copy Permalink