Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security leak in _.template, please update #2915

Closed
jgonggrijp opened this issue Mar 15, 2021 · 4 comments · Fixed by #2917
Closed

Security leak in _.template, please update #2915

jgonggrijp opened this issue Mar 15, 2021 · 4 comments · Fixed by #2917
Labels
bug fixed

Comments

@jgonggrijp
Copy link
Collaborator

We were notified of a security issue in _.template, which appears to have existed since Underscore version 1.3.2. The bug was fixed in version 1.12.1 and 1.13.0-2, which I just published. If using NPM, please upgrade to underscore@latest or underscore@preview.
@jgonggrijp jgonggrijp mentioned this issue Mar 15, 2021
Closed
@eviljeff eviljeff mentioned this issue Mar 16, 2021
Merged
1 task
@willdurand
Copy link

@jgonggrijp where is the 1.12.1 tag?

@jgonggrijp
Copy link
Collaborator Author

@willdurand I intentionally postponed pushing that in order to give people who want to exploit the leak less to go on. I'll let you know when I push it.

@willdurand
Copy link

thanks

@richardlau richardlau mentioned this issue Mar 22, 2021
Merged
@jgonggrijp jgonggrijp mentioned this issue Mar 29, 2021
Merged
@jgonggrijp jgonggrijp linked a pull request Mar 29, 2021 that will close this issue
Security fix for _.template variable parameter (CVE-2021-23358) #2917
Merged
jgonggrijp added a commit that referenced this issue Mar 29, 2021
@jgonggrijp
Mention CVE-2021-23358 in code, test and documentation (#2915)
c627e38
@jgonggrijp
Copy link
Collaborator Author

@willdurand The tag is online now.

@wickedest wickedest mentioned this issue Mar 31, 2021
Closed
@ttc229 ttc229 mentioned this issue Apr 23, 2021
Closed
ttc229 pushed a commit to ttc229/spritesheet-templates that referenced this issue Apr 26, 2021
Update underscore version to avoid security vulnerabilities
d261874 
Our project flagged a Security Vulnerability in the underscore dependency jashkenas/underscore#2915 which is hoisted via spritesheet-templates.

The current package.json uses "underscore": "~1.4.2". The fix for the underscore vulnerability is in versions 1.12.1,1.13.0-2.
@ttc229 ttc229 mentioned this issue Apr 26, 2021
Merged
twolfson pushed a commit to twolfson/spritesheet-templates that referenced this issue Apr 27, 2021
@ttc229
Update underscore version to avoid security vulnerabilities (#61)
068119c 
Our project flagged a Security Vulnerability in the underscore dependency jashkenas/underscore#2915 which is hoisted via spritesheet-templates.

The current package.json uses "underscore": "~1.4.2". The fix for the underscore vulnerability is in versions 1.12.1,1.13.0-2.
@mcab mcab mentioned this issue Jun 14, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug fixed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Security fix for _.template variable parameter (CVE-2021-23358) jgonggrijp/underscore
2 participants
@willdurand @jgonggrijp