💾 Archived View for gemi.dev › gemlog › 2022-02-03-update-gemserv-now.gmi captured on 2022-04-28 at 17:33:04. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-03-01)

➡️ Next capture (2022-07-16)

-=-=-=-=-=-=-

Public Service Announcement: Update to gemserv 0.6.4 now!

2022-02-03 | #security

If you use gemserv, please update to 0.6.4 immediately.

https://git.sr.ht/~int80h/gemserv

This is the security vulnerability I wrote about a few days ago. My thanks to int 80h for their quick response to fix this issue.

What is the issue?

All version of gemserv before 0.6.4 have a serious security vulnerability that allows attackers to trick gemserv into reading and returning files or directories on the server outside of the root of the capsule, like this:

Accessing private files in a pubnix user's home directory

There are currently ~50 capsules in all of Gemini space running vulnerable versions exposing the files of their users that need to update. I'll give people some time to update before I discuss the vulnerability in depth, and lessons we can learn from it.

Please update to 0.6.4 as quickly as possible.