Recent vulnerabilities in Jekyll and Jekyll dependencies


#1

I’m curious about recent vulnerabilities in jekyll, rubyzip, and ffi. I built a site with Jekyll that I’m not planning on updating any time soon, and it’s on a production CDN right now. Do I have to address these vulnerabilities?

My gut tells me “no” since it’s a static site… but my code is on Github so maybe my GitHub account can be attacked? I’m not really a developer so I’m confused about what these alerts mean. I thought a primary advantage of static vs dynamic sites was that static sites don’t require security patches or software packages.


#2

I’m wondering if addressing these vulnerabilities would only be necessary if I’m running Jekyll on a public server as part of a larger app or publishing workflow?


#3

The “include symlink” was a major concern for GitHub as one could access for instance /etc/password on your server through that vulnerability. We had to report the issue to let all companies (CloudCannon, SiteLeaf, Netlify, et al.) and people hosting Jekyll websites know about this security issue.

You could host your repo on GitHub and host your Jekyll site elsewhere, so GitHub has to warn you. If you run Jekyll on GitHub Pages, you are fine as they patched and bumped gems to the latest versions. GitHub Pages ignores your Gemfile during build anyway.

If you run Jekyll on your server you should be concerned though.
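As an added illustration of what the include-symlink issue means for a self-hosted build (this is example code, not Jekyll’s own safe-mode check and not from the poster above): the function below walks a site source tree and lists every symlink whose target resolves outside the site root, which is exactly the kind of link an unpatched `{% include %}` would follow. The sample site it builds in a temp directory is constructed for the demonstration.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Return the site-relative paths of symlinks whose real target lies outside
# site_root. Dangling or looping links are reported as unsafe as well, since
# the build should not depend on whatever they point at later.
def unsafe_symlinks(site_root)
  root = Pathname.new(site_root).realpath
  prefix = root.to_s + File::SEPARATOR
  findings = []
  # Dir.glob does not descend into symlinked directories, but it still lists
  # the link itself, so a link to /etc or another repo shows up here.
  Dir.glob(File.join(root, "**", "*"), File::FNM_DOTMATCH).each do |path|
    next unless File.symlink?(path)
    target = begin
      Pathname.new(path).realpath
    rescue Errno::ENOENT, Errno::ELOOP
      nil
    end
    inside = target && target.to_s.start_with?(prefix)
    findings << path.delete_prefix(prefix) unless inside
  end
  findings.sort
end

# Constructed sample layout (hypothetical, not a real site): one in-tree
# symlink that is fine, one that escapes the site root, one dangling link.
# Returns [site_root, outside_dir] so callers can clean up.
def build_sample_site
  outside = Dir.mktmpdir("outside")
  File.write(File.join(outside, "secret.txt"), "not for the web\n")
  site = Dir.mktmpdir("jekyll-site")
  FileUtils.mkdir_p(File.join(site, "_includes"))
  FileUtils.mkdir_p(File.join(site, "assets"))
  File.write(File.join(site, "_includes", "footer.html"), "<footer></footer>\n")
  File.symlink(File.join(site, "_includes", "footer.html"),
               File.join(site, "assets", "footer.html"))     # stays in tree
  File.symlink(File.join(outside, "secret.txt"),
               File.join(site, "_includes", "secret.txt"))  # escapes the root
  File.symlink("/nonexistent-placeholder-target",
               File.join(site, "_includes", "missing"))     # dangling
  [site, outside]
end

if __FILE__ == $PROGRAM_NAME
  site, = build_sample_site
  unsafe_symlinks(site).each { |rel| puts "UNSAFE symlink: #{rel}" }
end
```

Run it against a real site’s source directory before building on your own server; an empty result means no include or asset can be resolved outside the checkout.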


#4

OK, thanks for the context.