💾 Archived View for rawtext.club › ~sloum › geminilist › 006648.gmi captured on 2023-12-28 at 16:17:26. Gemini links have been rewritten to link to archived content


[tech] Agate server: path traversal error security advisory

Johann Galle johann+gemini at qwertqwefsday.eu

Tue Jun 8 08:19:04 BST 2021

- - - - - - - - - - - - - - - - - - - 

Hi everyone,

there is a security vulnerability in all Agate versions prior to 3.1.0, which has been discovered by Matthew Ingwersen.

It has been fixed in the new version, which is available on crates.io; prebuilt binaries are also available: <https://qwertqwefsday.eu/agate/v3.1.0/> or <https://github.com/mbrubeck/agate/releases/tag/v3.1.0>

Percent-encoded slashes were misunderstood, possibly allowing arbitrary files to be accessed. This can be an issue depending on which permissions and/or user you are running the server with. Therefore an update is highly recommended.

Regards,
Johann Galle
2021-06-08T09:20+02:00
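The class of bug described in the advisory, shown as an added example that is not part of the original message and is not Agate's code or its actual fix: a request path is split on literal slashes first, each segment is percent-decoded, and any decoded segment that is not a single plain file name is refused. The names `decode_segment` and `resolve`, the root `/srv/gemini` and the sample paths are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

// Percent-decode one URL path segment; None on malformed escapes or non-UTF-8.
fn decode_segment(seg: &str) -> Option<String> {
    let b = seg.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' {
            let hex = seg.get(i + 1..i + 3)?; // need exactly two characters
            if !hex.bytes().all(|c| c.is_ascii_hexdigit()) { return None; }
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

// Map a request path to a file below `root`, or None if it must be refused.
fn resolve(root: &Path, url_path: &str) -> Option<PathBuf> {
    let mut full = root.to_path_buf();
    // Only literal '/' separates segments; an encoded %2F is data inside one.
    for raw in url_path.split('/').filter(|s| !s.is_empty()) {
        let seg = decode_segment(raw)?;
        if seg.contains('\0') { return None; }
        // The decoded segment must be exactly one normal file name component.
        let mut comps = Path::new(&seg).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(name)), None) if name == seg.as_str() => full.push(name),
            _ => return None, // "..", ".", a root, or a decoded separator
        }
    }
    Some(full)
}

fn main() {
    // Constructed sample request paths, not taken from the advisory.
    for p in ["/docs/a%20b.gmi", "/%2Fetc%2Fhostname", "/docs/..%2Fx"] {
        println!("{:<22} -> {:?}", p, resolve(Path::new("/srv/gemini"), p));
    }
}
```

Running a server under a dedicated low-privilege user, as the advisory's remark about permissions implies, limits what remains readable if a check like this is ever bypassed.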