Closed smockle closed 6 years ago
There must be 6 or 7 closed issues and PRs on this subject, which you haven't checked. I will reopen if you can give me a genuine, realistic case where a hacker could use this exploit to cause damage. Thanks.
Thank you for your consideration @75lb.
To future contributors: https://github.com/jsdoc2md/dmd/pull/45 is a good place to start. It outlines a few of the Handlebars 4 changes that affect dmd.
Thanks for highlighting that PR; it does have a lot of info. However, given no-one has yet been able to explain how an external hacker could execute malicious code on a machine with jsdoc2md installed as a command-line tool, I'd recommend that people stop worrying about this security issue entirely, which doesn't exist.
Security is not an issue.
handlebars upgraded in the latest release of dmd (v3.0.7).
Resolves CVE-2015-8861.
handlebars depends on uglify-js. Updating handlebars to version 4.x bumps uglify-js from version 2.3.6 to version 2.8.29. So, this PR also resolves CVE-2015-8858 and CVE-2015-8857.