Johann Galle johann+gemini at qwertqwefsday.eu
Tue Jun 8 08:19:04 BST 2021
- - - - - - - - - - - - - - - - - - -
Hi everyone,
there is a security vulnerability in all Agate versions prior to 3.1.0, which has been discovered by Matthew Ingwersen.
It has been fixed in the new version, which is available on crates.io; prebuilt binaries are also available: <https://qwertqwefsday.eu/agate/v3.1.0/> or <https://github.com/mbrubeck/agate/releases/tag/v3.1.0>
Percent-encoded slashes were misunderstood, possibly allowing arbitrary files to be accessed. This can be an issue depending on the permissions and/or user with which you are running the server. Therefore an update is highly recommended.
Regards,
Johann Galle
2021-06-08T09:20+02:00
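
An added example, not part of the original message and not taken from Agate's source (the announcement does not show the defective code): one way a Rust file server can misread a percent-encoded slash when mapping a request path to a file, beside a checked form that rejects it. The function names, the `/srv/gemini` root and the request strings are constructed for illustration, and Unix path semantics are assumed.

```rust
use std::path::{Component, Path, PathBuf};
// Hypothetical helper: strict percent-decoder; None on malformed escapes or non-UTF-8.
fn percent_decode(s: &str) -> Option<String> {
    let b = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        if b[i] == b'%' {
            let hex = s.get(i + 1..i + 3)?;
            if !hex.bytes().all(|c| c.is_ascii_hexdigit()) { return None; }
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}
// Weak form: each decoded segment is pushed unchecked. PathBuf::push replaces the
// whole buffer when given an absolute path, so a decoded leading "/" drops `root`.
fn resolve_naive(root: &Path, request_path: &str) -> Option<PathBuf> {
    let mut p = root.to_path_buf();
    for seg in request_path.split('/').filter(|s| !s.is_empty()) {
        p.push(percent_decode(seg)?);
    }
    Some(p)
}

// Checked form: after decoding, a segment must be exactly one normal component.
fn resolve_checked(root: &Path, request_path: &str) -> Option<PathBuf> {
    let mut p = root.to_path_buf();
    for seg in request_path.split('/').filter(|s| !s.is_empty()) {
        let seg = percent_decode(seg)?;
        if seg.contains(|c: char| matches!(c, '/' | '\\' | '\0')) { return None; }
        let mut comps = Path::new(&seg).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(_)), None) => p.push(&seg),
            _ => return None, // "..", ".", roots and drive prefixes are refused
        }
    }
    Some(p)
}

fn main() {
    let root = Path::new("/srv/gemini"); // constructed sample root
    for req in ["/docs/hello%20world.gmi", "/%2Ftmp/outside.txt", "/docs/%2e%2e/x"] {
        println!("{:?}: naive={:?} checked={:?}", req, resolve_naive(root, req), resolve_checked(root, req));
    }
}
```

Running the server as a dedicated low-privilege user limits what a mistake of this kind can reach, which is the permissions point the message makes.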