Fix security vulnerability in Jekyll

The Jekyll gem was updated from 3.5.2 to 3.6.3 to fix a security vulnerability described in
https://nvd.nist.gov/vuln/detail/CVE-2018-17567

Summary of the issue:

CVE-2018-17567 - Moderate severity
Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.

Gemfile.lock update suggested:
jekyll ~> 3.6.3

Fix security vulnerability in ffi

This fix incidentally updated the ffi gem from 1.9.18 to 1.9.25 which fixes another security issue described in
https://nvd.nist.gov/vuln/detail/CVE-2018-1000201

Summary of the issue:

CVE-2018-1000201 - Moderate severity
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.

Gemfile.lock update suggested:
ffi ~> 1.9.24
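As an added example (not part of this pull request, and not code from the Jekyll or ffi projects), the following Ruby script checks a Gemfile.lock against the two advisories above. It parses the resolved top-level specs, encodes the affected version ranges exactly as the advisory texts state them (Jekyll through 3.6.2, 3.7.x through 3.7.3, 3.8.x through 3.8.3; ffi 1.9.23 and earlier), and reports any pin that still falls inside them. The lock file contents are constructed samples representing the before and after state of this PR; `LOCKFILE_BEFORE`, `LOCKFILE_AFTER`, `ADVISORIES` and the function names are assumptions of this example.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement (loaded by default on modern Ruby)

# Affected ranges and suggested fixed versions, taken from the two advisories
# quoted in this pull request. Each :vulnerable entry is a list of constraint
# sets; a version is vulnerable if it satisfies ANY one set.
ADVISORIES = {
  "CVE-2018-17567" => {
    gem: "jekyll",
    vulnerable: [["< 3.6.3"], [">= 3.7.0", "< 3.7.4"], [">= 3.8.0", "< 3.8.4"]],
    suggested: "~> 3.6.3",
  },
  "CVE-2018-1000201" => {
    gem: "ffi",
    vulnerable: [["< 1.9.24"]],
    suggested: "~> 1.9.24",
  },
}.freeze

# Constructed Gemfile.lock fragments (not the project's real lock file):
# the bundle before this PR and the bundle after it.
LOCKFILE_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.9.18)
      jekyll (3.5.2)
        addressable (~> 2.4)
        safe_yaml (~> 1.0)
      safe_yaml (1.0.4)

  PLATFORMS
    ruby
LOCK

LOCKFILE_AFTER = LOCKFILE_BEFORE
  .sub("ffi (1.9.18)", "ffi (1.9.25)")
  .sub("jekyll (3.5.2)", "jekyll (3.6.3)")

# Returns { gem_name => version_string } for the resolved top-level specs.
# In a Gemfile.lock, top-level specs sit at 4-space indent under "specs:";
# their dependencies are indented 6 spaces and carry requirements, not pins.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A blank line or a new top-level section (GEM, PLATFORMS, ...) ends the block.
    in_specs = false if line.strip.empty? || line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "1.9.18-x64-mingw32" so Gem::Version
      # does not misread it as a prerelease tag.
      specs[m[1]] ||= m[2].split("-").first
    end
  end
  specs
end

# True if +version+ falls inside any of the advisory's vulnerable constraint sets.
def vulnerable_version?(version, constraint_sets)
  v = Gem::Version.new(version)
  constraint_sets.any? { |set| Gem::Requirement.new(*set).satisfied_by?(v) }
end

# Audits a Gemfile.lock text against ADVISORIES; returns one finding hash per hit.
def audit_lockfile(text)
  specs = parse_lockfile_specs(text)
  ADVISORIES.each_with_object([]) do |(cve, adv), findings|
    installed = specs[adv[:gem]]
    next if installed.nil? # gem not in the bundle at all
    next unless vulnerable_version?(installed, adv[:vulnerable])
    findings << { cve: cve, gem: adv[:gem], installed: installed, suggested: adv[:suggested] }
  end
end

if $PROGRAM_NAME == __FILE__
  { "before" => LOCKFILE_BEFORE, "after" => LOCKFILE_AFTER }.each do |label, lock|
    findings = audit_lockfile(lock)
    puts "#{label}: " + (findings.empty? ? "no known-vulnerable pins" : "")
    findings.each do |f|
      puts "  #{f[:cve]}: #{f[:gem]} #{f[:installed]} -> update to #{f[:suggested]}"
    end
  end
end
```

Encoding the affected ranges rather than a single minimum version matters here: a pin such as jekyll 3.8.3 satisfies "newer than 3.6.3" yet is still listed as affected, which is why the check tests each advisory's ranges explicitly.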