@adob reported an issue that could have allowed an attacker to instantiate arbitrary Ruby objects on the servers used to generate GitHub Pages sites. GitHub Pages had recently upgraded to a newer version of Jekyll that disabled safe_yaml support for monkey patching YAML#load to be secure by default. An attacker could commit a malicious _config.yml file to their Pages repository that would cause an arbitrary object to be deserialized, possibly leading to remote code execution on the server. We addressed the vulnerability by explicitly enabling the safe_yaml gem for all of GitHub Pages.
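
The difference between a loader that builds tagged objects and one that refuses them can be seen with a defender-side check on a config file. This is an added example, not GitHub's or Jekyll's code: it uses the safe loader in Ruby's standard-library Psych rather than the safe_yaml gem named above, and the sample configs and the class name ExampleWidget are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample inputs (not taken from any real repository).
BENIGN_CONFIG = <<~YML
  title: My site
  markdown: kramdown
  exclude: [vendor, tmp]
YML

# The tag asks the loader to build a Ruby object; ExampleWidget is a
# hypothetical, harmless class name that does not exist in this script.
TAGGED_CONFIG = <<~YML
  title: My site
  plugins_dir: !ruby/object:ExampleWidget
    name: demo
YML

# Walk the parsed YAML tree (parsing alone instantiates nothing) and
# collect every explicit tag that requests a Ruby object.
def ruby_object_tags(yaml_text)
  doc = YAML.parse(yaml_text)
  return [] unless doc
  doc.each_with_object([]) do |node, tags|
    tags << node.tag if node.tag && node.tag.start_with?('!ruby/')
  end
end

# Load with the safe loader, which builds only plain data types
# (strings, numbers, arrays, hashes, booleans, nil).
# Returns [config, nil] on success or [nil, reason] on rejection.
def load_config_safely(yaml_text)
  [YAML.safe_load(yaml_text), nil]
rescue Psych::DisallowedClass => e
  [nil, e.message]
end

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN_CONFIG, 'tagged' => TAGGED_CONFIG }.each do |name, text|
    config, error = load_config_safely(text)
    puts "#{name}: tags=#{ruby_object_tags(text).inspect} " \
         "loaded=#{!config.nil?} error=#{error.inspect}"
  end
end
```

Scanning the parse tree gives a pre-build signal that can be logged or alerted on, while the safe loader is the control that actually prevents the object from being created.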