CVE-2018-17567

NameCVE-2018-17567
DescriptionJekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1541-1
NVD severitymedium (attack range: remote)
Debian Bugs909933

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jekyll (PTS)jessie2.2.0+dfsg-2vulnerable
jessie (security)2.2.0+dfsg-2+deb8u1fixed
stretch3.1.6+dfsg-3vulnerable
buster3.8.3+dfsg-4fixed
bullseye, sid3.8.3+dfsg-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jekyllsource(unstable)3.8.3+dfsg-3.1low909933
jekyllsourcejessie2.2.0+dfsg-2+deb8u1mediumDLA-1541-1

Notes

[stretch] - jekyll <no-dsa> (Minor issue)
https://github.com/jekyll/jekyll/pull/7224
https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/
Search for package or bug name: Reporting problems