From d04a868615ec50d4cfb41b2b090e34d169432537 Mon Sep 17 00:00:00 2001 From: Robert Jackson Date: Fri, 7 Feb 2014 17:15:12 -0500 Subject: [PATCH] Add blog post for CVE-2014-0046. --- .../2014-02-07-ember-security-releases.md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 source/blog/2014-02-07-ember-security-releases.md diff --git a/source/blog/2014-02-07-ember-security-releases.md b/source/blog/2014-02-07-ember-security-releases.md new file mode 100644 index 0000000000..7eef5af168 --- /dev/null +++ b/source/blog/2014-02-07-ember-security-releases.md 
@@ -0,0 +1,48 @@ +--- +title: Security Releases - Ember 1.2.2, and 1.3.2 +author: Robert Jackson +tags: Releases, Security, Recent Posts +--- + +Because developers trust Ember.js to handle sensitive customer data in +production, we take the security of the project extremely seriously. In +fact, we're one of the few JavaScript projects that has a [clearly +outlined security policy](http://emberjs.com/security/) and a +[low-traffic mailing list exclusively for security +announcements](https://groups.google.com/forum/#!forum/ember-security). + +Today we are announcing the release of Ember.js 1.2.2, +1.3.2, and 1.4.0-beta.6 that contain an important security fix: + +* 1.4.0-beta.6 -- [Compare View](https://github.com/emberjs/ember.js/compare/v1.4.0-beta.5...v1.4.0-beta.6) +* 1.3.2 -- [Compare View](https://github.com/emberjs/ember.js/compare/v1.3.1...v1.3.2) +* 1.2.2 -- [Compare View](https://github.com/emberjs/ember.js/compare/v1.2.1...v1.2.2) + +These releases contain the fix for an XSS vulnerability that +you can learn more about on our security mailing list: + +* [CVE-2014-0046](https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ) + +It is recommended that you update immediately. In order to ease +upgrading, the only major change in each release is the security fix +(other than 1.4.0-beta.6, which is a normal beta channel release with +the fix rolled in). + +We would like to thank Hyder Ali of [Zoho](https://www.zoho.com) +for responsibly disclosing and working with us on the patch +and the advisory. + +If you discover what you believe may be a security issue in Ember.js, we +ask that you follow our [responsible disclosure +policy](http://emberjs.com/security/). + +If you are using Ember.js in production, please consider subscribing to +our [security announcements mailing +list](https://groups.google.com/forum/#!forum/ember-security). It is +extremely low-traffic and only contains announcements such as these. 
+ +## Additional Reading + +* [Ember.js Security Policy Announcement](http://emberjs.com/blog/2013/04/05/announcing-the-ember-security-policy.html) +* [Ember.js Security Policy](http://emberjs.com/security/) +* [Ember.js Security Group](https://groups.google.com/forum/#!forum/ember-security)
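Review bot: The front-matter title "Security Releases - Ember 1.2.2, and 1.3.2" does not match the body, which announces three releases (1.2.2, 1.3.2 and 1.4.0-beta.6), and it carries a stray comma before "and"; suggest `title: Security Releases - Ember 1.2.2, 1.3.2, and 1.4.0-beta.6` or, if the beta is deliberately left out of the title, at least `title: Security Releases - Ember 1.2.2 and 1.3.2`. In the same hunk, the paragraph "These releases contain the fix for an XSS vulnerability that you can learn more about on our security mailing list" gives readers nothing to triage with: it names neither the affected versions nor the component involved, so an operator cannot tell from this page whether they are exposed without following the Google Groups link. Consider adding one sentence summarising the advisory (affected versions and, if any, a mitigation for deployments that cannot upgrade at once), since "update immediately" is the only guidance the post itself offers. Minor: the `http://emberjs.com/...` links in this post could be `https://` for consistency with the `https://` links to GitHub and Google Groups in the same file.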