
Public Service Announcement: Update to gemserv 0.6.4 now!

2022-02-03 | #security | @Acidus


If you use gemserv, please update to 0.6.4 immediately.

https://git.sr.ht/~int80h/gemserv


This is the security vulnerability I wrote about a few days ago. My thanks to int 80h for their quick response to fix this issue.


What is the issue?


All versions of gemserv before 0.6.4 have a serious security vulnerability that lets an attacker trick gemserv into reading and returning files or directories outside the root of the capsule, like this:


Accessing private files in a pubnix user's home directory


There are currently ~50 capsules across Gemini space running vulnerable versions, exposing their users' files; they need to update. I'll give people some time to update before I discuss the vulnerability in depth, and the lessons we can learn from it.
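As an added illustration of the defence a capsule server needs here (this is not gemserv's code, and it does not reproduce the withheld details of the bug), the check below maps a Gemini request URL to a file under the capsule root and refuses any request that would climb above it; the root directory and function name are assumptions:

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed capsule root for the example; gemserv's real config key is not shown here.
CAPSULE_ROOT = "/var/gemini/capsule"


def resolve_request_path(request_url: str, root: str = CAPSULE_ROOT):
    """Return the filesystem path a Gemini request may read, or None if refused.

    A Gemini request is a single absolute URL; only its path component is used.
    The check is purely lexical, so it works without touching the filesystem.
    """
    parts = urlsplit(request_url)
    if parts.scheme != "gemini":
        return None

    # Percent-decode before normalising, so encoded dot segments (%2e%2e)
    # are treated exactly like literal '..'.
    path = unquote(parts.path or "/")

    # NUL bytes and backslashes have no business in a capsule path.
    if "\x00" in path or "\\" in path:
        return None

    # Walk the segments with a stack: '..' pops, and popping an empty stack
    # means the client tried to leave the capsule root, so refuse outright
    # instead of silently clamping to '/' the way normpath would.
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)

    root = root.rstrip("/") or "/"
    full = posixpath.join(root, *stack) if stack else root

    # Belt and braces: the result must be the root itself or strictly inside it.
    if full != root and not full.startswith(root + "/"):
        return None
    return full
```

A real server should still call os.path.realpath on the result and re-check the prefix, since symlinks inside the root can point outside it even when the URL path is clean.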


Please update to 0.6.4 as quickly as possible.
