I’m curious about recent vulnerabilities in jekyll, rubyzip, and ffi. I built a site with Jekyll that I’m not planning on updating any time soon, and it’s on a production CDN right now. Do I have to address these vulnerabilities?
My gut tells me “no” since it’s a static site… but my code it on Github so maybe my GitHub account can be attacked? I’m not really a developer so I’m confused about what these alerts mean. I thought a primary advantage of static vs dynamic sites was that static sites don’t require security patches or software packages.
I’m wondering addressing these vulnerabilities would only be necessary if I’m running Jekyll on a public server as part of a larger app or publishing workflow?
The “include symlink” was a major concern for GitHub as one could access for instance /etc/password on your server through that vulnerability. we had to report the issue to let know all companies (CloudCannon, SiteLeaf, Netlify, and al) and people hosting jekyll websites about this security issue.
You could host your repo on GitHub and host your Jekyll’s site elsewhere, so GitHub has to warn you. If you run Jekyll on GitHub Pages, you are fine as they patched and bump gems to latest versions. GitHub Pages ignores your Gemfile during build anyway.
If you run Jekyll on your server you should be concerned though.
I’m in a similar position to the OP - non-developer hosting a simple static site on Github - and I got the following security warnings from Github this morning:
As there’s no breaking change, only bug fixes in v3.8.5, it looks like you can safely update your gems.
If you don’t use symlinks, feel free to ignore the patched version, though bundle makes it easy to upgrade,
I just wanted to say thanks again for the help as I’ve now updated my site on Github. I’ve actually been meaning to get back into Jekyll so, in a funny kind of way, this problem came at the right time:)
