Public Service Announcement: Update to gemserv 0.6.5 now!

2022-02-15 | #security | @Acidus


Déjà vu time. If you use gemserv, please update to version 0.6.5 immediately.

https://git.sr.ht/~int80h/gemserv


~int80h has patched another, different directory traversal security bug in gemserv. It is awesome that people are looking more into fixing their own servers, and this makes 2 different critical security holes patched in less than 2 weeks, which is amazing work! 👏👏👏


Unfortunately, it also means that anyone who upgraded to 0.6.4 in the last week or so needs to do it again, and upgrade to 0.6.5. Currently there are ~48 capsules running a vulnerable version of gemserv (anything before 0.6.5).


What is the issue?


All versions of gemserv before 0.6.5 are vulnerable to multiple variations of a serious security flaw called a directory traversal vulnerability. These allow attackers to trick gemserv into reading and returning files or directories on the server outside of the root of the capsule, like this:


Accessing private files in a pubnix user's home directory


You can learn more about directory traversal attacks here:

Robust Defence Against Directory Transversal attacks


Security is harder than you think


In my "Robust Defence Against Directory Transversal attacks" post, I said this:


> Behold the 75 CVE entries for directory traversal attacks against Apache or its components in the last 20 years. So yeah. Protecting against directory traversal is surprisingly more difficult than you would think.


I'm not trying to put int80h on the spot. They did an awesome job. But the fact that they needed to issue a 2nd update a few days later to defend against another attack variant should reinforce the quote above. Directory traversal vulnerabilities **ARE** surprisingly hard to fix, and to fix in a way you know will be secure going forward.


If you run a capsule using gemserv, please update to 0.6.5 as quickly as possible.

If you are a developer who has written a gemini server, please test it and secure it against directory traversal attacks as discussed in "Robust Defence Against Directory Transversal attacks."
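
One way to write the containment check a Gemini server needs, as an added example (not gemserv's code and not taken from the linked post): decode the request path once, refuse any `..` segment outright, then canonicalize and confirm the result still sits under the capsule root. The names `resolve_in_root` and `sample_capsule`, the temp-directory layout and Unix-style paths are assumptions made for this sketch.

```rust
use std::{fs, path::{Path, PathBuf}};

// Decode %XX escapes exactly once; None on a malformed escape or invalid UTF-8.
fn percent_decode(s: &str) -> Option<String> {
    let (b, mut out, mut i) = (s.as_bytes(), Vec::new(), 0);
    while i < b.len() {
        if b[i] == b'%' {
            let hex = b.get(i + 1..i + 3)?;
            if !hex.iter().all(|c| c.is_ascii_hexdigit()) { return None; }
            out.push(u8::from_str_radix(std::str::from_utf8(hex).ok()?, 16).ok()?);
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

// Map a request path to a file under `root`; None if it is missing or escapes.
pub fn resolve_in_root(root: &Path, url_path: &str) -> Option<PathBuf> {
    let root = root.canonicalize().ok()?;
    let decoded = percent_decode(url_path)?; // decode first, check afterwards
    if decoded.contains('\0') || decoded.contains('\\') { return None; }
    let mut joined = root.clone();
    for seg in decoded.split('/') {
        match seg {
            "" | "." => {}
            ".." => return None, // reject outright instead of normalising
            s => joined.push(s),
        }
    }
    // canonicalize() follows symlinks; starts_with() compares whole components.
    let real = joined.canonicalize().ok()?;
    real.starts_with(&root).then_some(real)
}

// Constructed sample tree: <tmp>/capsule/index.gmi, with <tmp>/secret.txt outside it.
pub fn sample_capsule() -> PathBuf {
    let base = std::env::temp_dir().join(format!("traversal_demo_{}", std::process::id()));
    fs::create_dir_all(base.join("capsule")).unwrap();
    fs::write(base.join("capsule/index.gmi"), "# hello\n").unwrap();
    fs::write(base.join("secret.txt"), "outside the capsule\n").unwrap();
    base.join("capsule")
}

fn main() {
    let root = sample_capsule();
    for p in ["/index.gmi", "/%2e%2e/secret.txt"] { println!("{} -> {:?}", p, resolve_in_root(&root, p)); }
}
```

Because the final check runs on the canonicalized path, a symlink inside the capsule that points outside it is refused as well, and a doubly encoded `%252e%252e` stays a literal file name that simply does not exist.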

-- Page fetched on Tue May 21 10:03:47 2024