We have patched a critical vulnerability reported to GitHub a couple of weeks ago and have released a set of new gems to
bring that patch to you. The vulnerability allowed arbitrary file reads with the cunning use of the
include: setting in the
Simply listing a symlink in the
include array caused the symlinked file to be read into the build, even though such a file
should never be read under any circumstances.
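To make the failure mode concrete, here is an added Ruby example; it is not Jekyll's own code and not the patch itself. It builds a throwaway site directory in which one entry listed under `include` is a symlink pointing outside the source tree, shows the vulnerable behaviour of reading every listed name verbatim, and then shows a filter that refuses symlinks in safe mode and, in any mode, refuses an entry whose real path leaves the source directory. The function names, the sample site layout and the `safe_mode:` keyword are this example's own assumptions.

```ruby
# Added example (not Jekyll's code): a symlink listed under `include:` being
# followed out of the source tree, beside a filter that refuses it.
require "tmpdir"
require "fileutils"
require "pathname"

# Constructed sample data: a temporary site with
#   <root>/source/index.md         a normal page
#   <root>/source/.env-link    ->  <root>/outside/secret.txt (symlink leaving the source tree)
#   <root>/source/inside-link  ->  <root>/source/index.md    (symlink staying inside it)
# Returns the source directory path.
def build_sample_site
  root = Dir.mktmpdir("symlink-include-demo")
  source = File.join(root, "source")
  outside = File.join(root, "outside")
  FileUtils.mkdir_p(source)
  FileUtils.mkdir_p(outside)
  File.write(File.join(source, "index.md"), "# hello\n")
  File.write(File.join(outside, "secret.txt"), "DB_PASSWORD=hunter2\n")
  File.symlink(File.join(outside, "secret.txt"), File.join(source, ".env-link"))
  File.symlink(File.join(source, "index.md"), File.join(source, "inside-link"))
  source
end

# Vulnerable behaviour: every name in the include list is read as-is, so a
# symlink is followed wherever it points. File.file? follows symlinks.
def read_included_unsafe(source, include_list)
  include_list.each_with_object({}) do |name, out|
    path = File.join(source, name)
    out[name] = File.read(path) if File.file?(path)
  end
end

# Hardened check (hypothetical helper): in safe mode no symlink is accepted at
# all; in any mode the resolved real path must stay inside the resolved source.
def safe_include_entry?(source, name, safe_mode: true)
  path = File.join(source, name)
  return false unless File.exist?(path)
  return false if safe_mode && File.symlink?(path)   # lstat-based, does not follow
  real_source = Pathname.new(File.realpath(source)).to_s
  real_path = Pathname.new(File.realpath(path)).to_s
  real_path == real_source || real_path.start_with?(real_source + File::SEPARATOR)
rescue Errno::ENOENT, Errno::ELOOP
  false   # dangling or looping symlink: never read it
end

def read_included_safe(source, include_list, safe_mode: true)
  include_list.each_with_object({}) do |name, out|
    next unless safe_include_entry?(source, name, safe_mode: safe_mode)
    path = File.join(source, name)
    out[name] = File.read(path) if File.file?(path)
  end
end

if __FILE__ == $PROGRAM_NAME
  source = build_sample_site
  include_list = [".env-link", "inside-link", "index.md"]
  puts "unsafe read: #{read_included_unsafe(source, include_list).keys.inspect}"
  puts "safe mode:   #{read_included_safe(source, include_list).keys.inspect}"
  puts "relaxed:     #{read_included_safe(source, include_list, safe_mode: false).keys.inspect}"
end
```

The unsafe reader happily returns the contents of `.env-link`, which is the secret file outside the site. The hardened reader drops it in both modes; in safe mode it also drops `inside-link`, since the safest rule for a hosted build is to never follow a symlink at all, while the relaxed mode keeps a symlink that resolves inside the source tree.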
Further details regarding the patch can be viewed at the pull request URL
The patch has been released as versions
Thanks to @parkr
v3.7.4 was released a couple of weeks prior and has been bundled with
Please keep in mind that this issue affects all previously released Jekyll versions. If you have not had
a good reason to upgrade to
3.8 yet, we advise that you do so as soon as possible.
As always, Happy Jekylling!