jekyll/docs/_posts/2018-09-19-security-fixes-f...

---
title: "Security Fixes for series 3.6, 3.7 and 3.8"
date: 2018-09-19 18:00:00 +0530
author: ashmaroli
category: release
version: 3.8.4
---
Hi Jekyllers,

We have patched a **critical vulnerability** reported to GitHub a couple of weeks ago and have released a set of new gems to
bring that patch to you. The vulnerability allowed arbitrary file reads with the cunning use of the `include:` setting in the
config file.

Simply including a symlink in the `include` array allowed the symlinked file to be read into the build, when it should not
be read under any circumstance.  
Further details regarding the patch can be viewed at the [pull request URL]({{ site.repository }}/pull/7224).

The patch has been released as versions `3.6.3`, `3.7.4` and `3.8.4`.  
Thanks to @parkr, `v3.7.4` was released a couple of weeks prior and has been bundled with `github-pages-v192`.

Please keep in mind that this issue affects _all previously released Jekyll versions_. If you have not had
a good reason to upgrade to `3.6`, `3.7` or `3.8` yet, we advise that you do so at the earliest.

As always, Happy Jekylling! :sparkles:
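
For anyone building sites from sources they do not fully control, the following audit lists `include:` entries that are symlinks, or that contain symlinks, resolving outside the site source. It is an added example, not Jekyll's code and not the patch itself; the function names are hypothetical, and entries are assumed to be literal paths rather than glob patterns.

```ruby
require "yaml"
require "pathname"
require "tmpdir"

# Entries of the `include:` array in <source>/_config.yml (empty if none).
def include_entries(source)
  path = File.join(source, "_config.yml")
  return [] unless File.file?(path)
  Array((YAML.safe_load(File.read(path)) || {})["include"]).map(&:to_s)
end

# True when `path`, followed through every symlink, still lies inside `root`.
def inside?(root, path)
  real = Pathname.new(path).realpath.to_s
  real == root || real.start_with?(root + File::SEPARATOR)
rescue SystemCallError # dangling or looping link: report it rather than trust it
  false
end

# Symlinks named by, or nested under, an `include:` entry that leave the source tree.
# Assumption: entries are literal paths; glob patterns are not expanded.
def escaping_includes(source)
  root = Pathname.new(source).realpath.to_s
  include_entries(source).flat_map do |entry|
    top = File.join(root, entry)
    # Do not descend through a top-level symlink; it is judged on its own.
    nested = File.directory?(top) && !File.symlink?(top) ? Dir.glob(File.join(top, "**", "*"), File::FNM_DOTMATCH) : []
    ([top] + nested).select { |p| File.symlink?(p) && !inside?(root, p) }
                    .map { |p| p.delete_prefix(root + File::SEPARATOR) }
  end.uniq.sort
end

# Constructed demo site: one link stays inside the tree, two point outside it.
def demo
  Dir.mktmpdir do |outside|
    Dir.mktmpdir do |site|
      File.write(File.join(outside, "secret.txt"), "not site content")
      File.write(File.join(site, "about.md"), "# About")
      Dir.mkdir(File.join(site, "extra"))
      File.symlink(File.join(outside, "secret.txt"), File.join(site, "leak"))
      File.symlink(File.join(outside, "secret.txt"), File.join(site, "extra", "nested"))
      File.symlink(File.join(site, "about.md"), File.join(site, "ok_link"))
      File.write(File.join(site, "_config.yml"), "include:\n  - leak\n  - extra\n  - ok_link\n  - .htaccess\n")
      escaping_includes(site)
    end
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running `escaping_includes` against a checkout before the build step, and failing the build when the list is non-empty, complements the upgrade rather than replacing it.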