benbalter / jekyll-remote-theme

Jekyll plugin for building Jekyll sites with any GitHub-hosted theme
MIT License

Upgrade rubyzip to version 1.3.0 or later #62

Closed alxddh closed 5 years ago

alxddh commented 5 years ago

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).

-- https://nvd.nist.gov/vuln/detail/CVE-2019-16892
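To make the quoted CVE text concrete, the following is an added example, not code from jekyll-remote-theme or from rubyzip. Using only Ruby's standard `zlib`, it constructs a single-entry ZIP whose local file header declares a 16-byte uncompressed size for an entry that really inflates to 1 MiB, then contrasts two extractors: one that, like the pattern the CVE describes, checks its per-entry quota against the header field and then inflates everything, and one that meters the bytes actually produced by the inflater and refuses the entry the moment they exceed the declared size or the quota. The file name, payload, quota and slice size are made up for the demonstration.

```ruby
require "zlib"

# Added example (not project or rubyzip code). Sample archive, sizes and the
# theme file name below are constructed for the demonstration.

# --- constructed sample archive ---------------------------------------------
REAL_PAYLOAD   = "\0".b * (1024 * 1024)   # 1 MiB of zeros: deflates to a few KiB
CLAIMED_SIZE   = 16                       # what the spoofed header says instead
QUOTA          = 256 * 1024               # per-entry byte budget the extractor enforces
HONEST_CONTENT = ("---\nlayout: default\n---\n" * 8).b

def raw_deflate(data)
  # ZIP method 8 is raw DEFLATE (no zlib wrapper), hence the negative window bits.
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = z.deflate(data, Zlib::FINISH)
  z.close
  out
end

# Local file header + entry data for one DEFLATE entry. The central directory is
# omitted: the local header is the record an extractor reads before inflating.
def build_zip_entry(name, data, declared_uncompressed_size)
  compressed = raw_deflate(data)
  header = [
    "PK\x03\x04".b,             # local file header signature
    20, 0, 8, 0, 0,             # version needed, flags, method=8 (DEFLATE), time, date
    Zlib.crc32(data),           # CRC-32 of the real content
    compressed.bytesize,        # compressed size (truthful)
    declared_uncompressed_size, # uncompressed size (attacker-controlled)
    name.bytesize, 0            # file name length, extra field length
  ].pack("a4vvvvvVVVvv")
  header + name.b + compressed
end

SPOOFED_ZIP = build_zip_entry("theme/_layouts/default.html", REAL_PAYLOAD, CLAIMED_SIZE)
HONEST_ZIP  = build_zip_entry("theme/_layouts/default.html", HONEST_CONTENT, HONEST_CONTENT.bytesize)

def parse_local_header(zip)
  sig, _ver, _flags, method, _time, _date, crc, csize, usize, nlen, xlen = zip.unpack("a4vvvvvVVVvv")
  raise "not a local file header" unless sig == "PK\x03\x04".b
  raise "unsupported compression method #{method}" unless method == 8
  data_offset = 30 + nlen + xlen
  { name: zip.byteslice(30, nlen), crc: crc, csize: csize, usize: usize,
    data: zip.byteslice(data_offset, csize) }
end

# Vulnerable pattern (the one the CVE text describes as bypassable): the quota is
# checked against the header's uncompressed-size field, then everything is inflated.
def extract_trusting_header(zip, max_bytes)
  entry = parse_local_header(zip)
  raise "entry too large" if entry[:usize] > max_bytes
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(entry[:data])
end

class EntrySizeError < StandardError; end

# Hardened pattern: feed the inflater in small slices and count what comes out.
# Abort as soon as the output exceeds the declared size (which was already checked
# against the quota), and reject the entry if the final size or CRC disagrees
# with the header.
def extract_metered(zip, max_bytes, slice = 256)
  entry = parse_local_header(zip)
  raise EntrySizeError, "declared size #{entry[:usize]} exceeds quota #{max_bytes}" if entry[:usize] > max_bytes

  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = "".b
  pos = 0
  begin
    while pos < entry[:data].bytesize
      out << inflater.inflate(entry[:data].byteslice(pos, slice))
      pos += slice
      # Memory between checks is bounded by one slice's expansion, not the archive's.
      if out.bytesize > entry[:usize]
        raise EntrySizeError, "entry inflated past its declared #{entry[:usize]} bytes"
      end
    end
    raise EntrySizeError, "truncated DEFLATE stream" unless inflater.finished?
  ensure
    inflater.close
  end

  raise EntrySizeError, "size mismatch: declared #{entry[:usize]}, got #{out.bytesize}" unless out.bytesize == entry[:usize]
  raise EntrySizeError, "CRC mismatch" unless Zlib.crc32(out) == entry[:crc]
  out
end

if __FILE__ == $PROGRAM_NAME
  puts "trusting header: inflated #{extract_trusting_header(SPOOFED_ZIP, QUOTA).bytesize} bytes for a '#{CLAIMED_SIZE}-byte' entry"
  begin
    extract_metered(SPOOFED_ZIP, QUOTA)
  rescue EntrySizeError => e
    puts "metered: refused (#{e.message})"
  end
  puts "metered: honest entry extracted, #{extract_metered(HONEST_ZIP, QUOTA).bytesize} bytes"
end
```

The point for a consumer such as this plugin is that the header's size field is attacker-controlled input, so any disk or memory budget has to be enforced on the inflated byte count, not on the declared one. rubyzip 1.3.0 added a `validate_entry_sizes` option that performs this declared-versus-actual comparison during extraction; it is opt-in on the 1.x line, so upgrading the dependency is the first step and enabling the check (or pinning to 2.x, where it is the default) is the second.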

welcome[bot] commented 5 years ago

Welcome! Congrats on your first pull request to Jekyll Remote Theme. If you haven't already, please be sure to check out the contributing guidelines.

welcome[bot] commented 5 years ago

Congrats on getting your first pull request to Jekyll Remote Theme merged! Without amazing humans like you submitting pull requests, we couldn’t run this project. You rock! :tada:

If you're interested in tackling another bug or feature, take a look at the open issues, especially those labeled help wanted.