Ember 1.0 RC6.1, RC5.1, RC4.1, RC3.1, RC2.1 RC1.1 Released
Because many Ember.js apps allow users to interact with private data, we take security issues very seriously.
In fact, we're one of the few JavaScript projects that has a clearly outlined security policy and a low-traffic mailing list exclusively for security announcements.
We want developers to know that they can trust Ember enough to build their businesses on top of it.
In that spirit, today we are announcing the release of Ember.js 1.0 RC6.1, RC5.1, RC4.1, RC3.1, RC2.1 and RC1.1. These are all security releases that address a potential XSS security issue you can learn more about by following this link:
It is recommended that you update immediately. In order to ease upgrading, the only major change in each release is the security fix.
We would like to thank Mario Heiderich of Cure53 for responsibly disclosing this issue, working with us on the patch and the advisory, and having patience while we went through our security procedure for the first time.
Like a smoke detector or fire extinguisher, having a security procedure is something that you hope that you don't need; but when you need it, you're glad you have it.
We hope that we can set an example for other projects in the JavaScript world when it comes to taking security seriously. Initiatives like the Node Security Project are a step in the right direction.
We are very fortunate that this security issue is low severity. Due to the sandboxed nature of the web browser, there are far fewer possible exploit vectors for a JavaScript MVC framework to worry about than a traditional server-side framework.
That being said, we will remain vigilant in ensuring that even small security issues are taken care of properly. If you discover what you believe may be a security issue in Ember.js, we ask that you follow our responsible disclosure policy.
Lastly, thanks to Yehuda Katz, Stefan Penner and Kris Selden, who donated their valuable time to reviewing the patch, auditing other code for similar vulnerabilities, and preparing the new releases.