jsdoc2md / dmd

The default output template for jsdoc2md
MIT License

Update `handlebars` dependency #55

Closed smockle closed 6 years ago

smockle commented 6 years ago

Resolves CVE-2015-8861.

handlebars depends on uglify-js. Updating handlebars to version 4.x bumps uglify-js from version 2.3.6 to version 2.8.29. So, this PR also resolves CVE-2015-8858 and CVE-2015-8857.

75lb commented 6 years ago

There must be 6 or 7 closed issues and PRs on this subject, which you haven't checked. I will reopen if you can give me a genuine, realistic case where a hacker could use this exploit to cause damage. Thanks.

smockle commented 6 years ago

Thank you for your consideration @75lb.

To future contributors: https://github.com/jsdoc2md/dmd/pull/45 is a good place to start. It outlines a few of the Handlebars 4 changes that affect dmd.

75lb commented 6 years ago

Thanks for highlighting that PR; it does have a lot of info. However, given no-one has yet been able to explain how an external hacker could execute malicious code on a machine with jsdoc2md installed as a command-line tool, I'd recommend that people stop worrying about this security issue entirely, which doesn't exist.

Security is not an issue.

75lb commented 6 years ago

handlebars upgraded in the latest release of dmd (v3.0.7).