Re: dezhemini (aka dʒɛmɪni) security announcement
almaember at disroot.org
Sat May 15 12:09:36 BST 2021
On 13/05/2021 07:46, Remco wrote:
> A couple of days ago I've found and fix a path traversal issue in the
> dezhemini (aka dʒɛmɪni) gemini server software. A specially crafted URL
> will allow an attacker to read arbitrary files from the host file
> The issue is fixed in commit 2dba1ee1c875b07ca2e04f8bf2d03bfc5b2afc5f.
> All versions prior to this commit are vulnerable to this type of
Thanks for notifying everyone! This seems to be a common security issue
with Gemini servers.
A question to everybody reading the list, how badly would it break the
spec to simply block any request whose URLs contain ".." as a standalone
More information about the Gemini