2022-02-03 | #security
If you use gemserv, please update to 0.6.4 immediately.
https://git.sr.ht/~int80h/gemserv
This is the security vulnerability I wrote about a few days ago. My thanks to int 80h for their quick response to fix this issue.
All version of gemserv before 0.6.4 have a serious security vulnerability that allows attackers to trick gemserv into reading and returning files or directories on the server outside of the root of the capsule, like this:
Accessing private files in a pubnix user's home directory
There are currently ~50 capsules in all of Gemini space running vulnerable versions exposing the files of their users that need to update. I'll give people some time to update before I discuss the vulnerability in depth, and lessons we can learn from it.
Please update to 0.6.4 as quickly as possible.
