Fix security vulnerability in jekyll

octopusinvitro · octopusinvitro · commit 23d24b42fef9 · 2018-10-06T18:15:51.000+01:00
The Jekyll gem was updated from 3.5.2 to 3.6.3 to fix a security vulnerability described in https://nvd.nist.gov/vuln/detail/CVE-2018-17567 Summary of the issue: CVE-2018-17567 - Moderate severity Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file. Gemfile.lock update suggested: jekyll ~> 3.6.3 This fix incidentally updated the ffi gem from 1.9.18 to 1.9.25 which fixes another security issue described in https://nvd.nist.gov/vuln/detail/CVE-2018-1000201 Summary of the issue: CVE-2018-1000201 - Moderate severity ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later. Gemfile.lock update suggested: ffi ~> 1.9.24
diff --git a/Gemfile b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'jekyll', '3.5.2' # https://pages.github.com/versions/
+gem 'jekyll', '~> 3.6.3' # https://pages.github.com/versions/
 
 group :jekyll_plugins do
   gem 'jekyll-livereload'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,49 +1,49 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.5.1)
-      public_suffix (~> 2.0, >= 2.0.2)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
     colorator (1.1.0)
     em-websocket (0.5.1)
       eventmachine (>= 0.12.9)
       http_parser.rb (~> 0.6.0)
     eventmachine (1.2.5)
-    ffi (1.9.18)
+    ffi (1.9.25)
     forwardable-extended (2.6.0)
     http_parser.rb (0.6.0)
-    jekyll (3.5.2)
+    jekyll (3.6.3)
       addressable (~> 2.4)
       colorator (~> 1.0)
       jekyll-sass-converter (~> 1.0)
       jekyll-watch (~> 1.1)
-      kramdown (~> 1.3)
+      kramdown (~> 1.14)
       liquid (~> 4.0)
       mercenary (~> 0.3.3)
       pathutil (~> 0.9)
-      rouge (~> 1.7)
+      rouge (>= 1.7, < 3)
       safe_yaml (~> 1.0)
     jekyll-livereload (0.2.2)
       em-websocket (~> 0.5)
       jekyll (~> 3.0)
-    jekyll-sass-converter (1.5.0)
+    jekyll-sass-converter (1.5.2)
       sass (~> 3.4)
-    jekyll-watch (1.5.0)
-      listen (~> 3.0, < 3.1)
-    kramdown (1.14.0)
+    jekyll-watch (1.5.1)
+      listen (~> 3.0)
+    kramdown (1.17.0)
     liquid (4.0.0)
-    listen (3.0.8)
-      rb-fsevent (~> 0.9, >= 0.9.4)
-      rb-inotify (~> 0.9, >= 0.9.7)
+    listen (3.1.1)
+      rb-fsevent (>= 0.9.3)
+      rb-inotify (>= 0.9.7)
     mercenary (0.3.6)
-    pathutil (0.14.0)
+    pathutil (0.16.1)
       forwardable-extended (~> 2.6)
-    public_suffix (2.0.5)
-    rb-fsevent (0.10.2)
+    public_suffix (3.0.3)
+    rb-fsevent (0.10.3)
     rb-inotify (0.9.10)
       ffi (>= 0.5.0, < 2)
-    rouge (1.11.1)
+    rouge (2.2.1)
     safe_yaml (1.0.4)
-    sass (3.5.1)
+    sass (3.6.0)
       sass-listen (~> 4.0.0)
     sass-listen (4.0.0)
       rb-fsevent (~> 0.9, >= 0.9.4)
@@ -53,8 +53,8 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  jekyll (= 3.5.2)
+  jekyll (~> 3.6.3)
   jekyll-livereload
 
 BUNDLED WITH
-   1.10.6
+   1.16.6
