Hi Jekyllers,
We have patched a critical vulnerability reported to GitHub a couple of weeks ago and have released a set of new gems to
bring that patch to you. The vulnerability allowed arbitrary file reads with the cunning use of the include:
setting in the
config file.
By simply including a symlink in the include
array allowed the symlinked file to be read into the build when they shouldn’t
actually be read in any circumstance.
Further details regarding the patch can be viewed at the pull request URL
The patch has been released as versions 3.6.3
, 3.7.4
and 3.8.4
.
Thanks to @parkr v3.7.4
was released a couple of weeks prior and has been bundled with github-pages-v192
.
Please keep in mind that this issue affects all previously released Jekyll versions. If you have not had
a good reason to upgrade to 3.6
, 3.7
or 3.8
yet, we advise that you do so at the earliest.
As always, Happy Jekylling!