Fix security vulnerabilities in Rack, FFI, and Jekyll #105
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We upgraded Jekyll to 2.6.3 (a minor version upgrade from 2.4.3) to fix a security vulnerability, but the entire 2.6.x line has a bug with how URLs are handled in the built-in web server. (Fixed here: jekyll/jekyll#6459 and jekyll/jekyll#6475, originally introduced in the fix to jekyll/jekyll#6222 (comment)). Anyway, 2.8.5 includes a fix and generates an identical `_site` directory on disk, so should be all good.
|
NOTE: If we are running this in production with a live server, someone will need to make sure it’s updated after merging this. |
|
Reviewed this PR and happy to merge, don't think a redeploy is essential as we only upload the static site files. That said, I don't have access to redeploy to production any more (@lightandluck -- it is thru Namecheap), and it might be a nice flow for the folks with that responsibility to review and merge? |
dcwalk
approved these changes
Feb 7, 2019
|
I'm working on getting Jonathan access to the namecheap cPanel, and will walk through the instructions together with him so there's multiple people who will be able to do this |
|
Oh yeah, this would be a perfect use-case for him walking through all that :D |
|
Redeployed successfully 🚀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes CVE-2018-16471 (a vulnerability in Rack), CVE-2018-1000201 (a vulnerability in FFI), and CVE-2018-17567 (a vulnerability in Jekyll) by upgrading all those gems.
I’m not really sure whether we are actually vulnerable to those (we have setup for running a live server on Heroku, which would be vulnerable, and a description for serving static files, which would not), so it seemed worth updating just in case. I verified that the generated static file bundle is identical to what I get when building the
masterbranch, so this should be OK.NOTE: I upgraded Jekyll to the latest, rather than just what was needed to address the vulnerability, since the 2.6.x line, which would have been the minimal update, breaks our URLs (Fixed here: jekyll/jekyll#6459 and jekyll/jekyll#6475, originally introduced in the fix to jekyll/jekyll#6222 (comment)). Everything works correctly in 2.8.x again.