CVE-2018-17567

Name: CVE-2018-17567
Description: Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1541-1
Debian Bugs: 909933

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release             Version                Status
jekyll (PTS)      jessie              2.2.0+dfsg-2           vulnerable
                  jessie (security)   2.2.0+dfsg-2+deb8u1    fixed
                  stretch             3.1.6+dfsg-3           vulnerable
                  buster, sid         3.8.3+dfsg-3           vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version          Urgency   Origin       Debian Bugs
jekyll    source   (unstable)   (unfixed)              low                    909933
jekyll    source   jessie       2.2.0+dfsg-2+deb8u1              DLA-1541-1

Notes

[stretch] - jekyll <no-dsa> (Minor issue)
https://github.com/jekyll/jekyll/pull/7224
https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/
