Security Releases - Ember 1.0.1, 1.1.3, 1.2.1, and 1.3.1

Because developers trust Ember.js to handle sensitive customer data in production, we take the security of the project extremely seriously. In fact, we're one of the few JavaScript projects that has a clearly outlined security policy and a low-traffic mailing list exclusively for security announcements.

Today we are announcing the release of Ember.js 1.0.1, 1.1.3, 1.2.1, 1.3.1, and 1.4.0-beta.2 that contain important security fixes:

These releases contain fixes for two potential XSS vulnerabilities that you can learn more about by following these links:

It is recommended that you update immediately. In order to ease upgrading, the only major change in each release is the security fix (other than 1.4.0-beta.2, which is a normal beta channel release with the fixes rolled in).

We would like to thank Edward Faulkner of CleriCare for responsibly disclosing CVE-2014-0014 and working with us on the patch and the advisory.

Additionally, I would like to extend a very deep thanks to Robert Jackson of DockYard who dedicated his weekend and significant amounts of time to auditing related code (which lead to the discovery of CVE-2014-0013) and preparing the advisories, patches, releases and this blog post.

I have always said that one of my favorite aspects of Ember.js is that it is a truly community-driven project, and we all owe Robert a significant debt of gratitude for helping us resolve this issue with the diligence and attention to detail we've come to expect from him. Robert: thank you.

If you discover what you believe may be a security issue in Ember.js, we ask that you follow our responsible disclosure policy.

If you are using Ember.js in production, please consider subscribing to our security announcements mailing list. It is extremely low-traffic and only contains announcements such as these.

Additional Reading