diff -Nru underscore-1.8.3~dfsg/debian/changelog underscore-1.8.3~dfsg/debian/changelog
--- underscore-1.8.3~dfsg/debian/changelog 2016-08-30 22:53:15.000000000 +0000
+++ underscore-1.8.3~dfsg/debian/changelog 2021-04-07 11:56:00.000000000 +0000
@@ -1,3 +1,11 @@
+underscore (1.8.3~dfsg-1ubuntu0.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Arbitrary code execution
+ - debian/patches/CVE-2021-23358.patch: fix an arbitrary code exec in underscore.js.
+ - CVE-2021-23358
+
+ -- Leonidas Da Silva Barbosa Wed, 07 Apr 2021 08:56:00 -0300
+
 underscore (1.8.3~dfsg-1) unstable; urgency=medium
 
 [ upstream ]
diff -Nru underscore-1.8.3~dfsg/debian/control underscore-1.8.3~dfsg/debian/control
--- underscore-1.8.3~dfsg/debian/control 2016-08-30 22:53:04.000000000 +0000
+++ underscore-1.8.3~dfsg/debian/control 2021-04-07 11:56:00.000000000 +0000
@@ -1,7 +1,8 @@
 Source: underscore
 Section: web
 Priority: optional
-Maintainer: Debian Javascript Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Javascript Maintainers
 Uploaders: Jonas Smedegaard , David Paleino
 Build-Depends: cdbs,
diff -Nru underscore-1.8.3~dfsg/debian/control.in underscore-1.8.3~dfsg/debian/control.in
--- underscore-1.8.3~dfsg/debian/control.in 2016-08-30 22:51:59.000000000 +0000
+++ underscore-1.8.3~dfsg/debian/control.in 2021-04-07 11:56:00.000000000 +0000
@@ -1,7 +1,8 @@
 Source: underscore
 Section: web
 Priority: optional
-Maintainer: Debian Javascript Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Javascript Maintainers
 Uploaders: Jonas Smedegaard , David Paleino
 Build-Depends: @cdbs@
diff -Nru underscore-1.8.3~dfsg/debian/patches/CVE-2021-23358.patch underscore-1.8.3~dfsg/debian/patches/CVE-2021-23358.patch
--- underscore-1.8.3~dfsg/debian/patches/CVE-2021-23358.patch 1970-01-01 00:00:00.000000000 +0000
+++ underscore-1.8.3~dfsg/debian/patches/CVE-2021-23358.patch 2021-04-07 11:55:49.000000000 +0000
@@ -0,0 +1,63 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2021-03-30
+
+diff --git a/underscore.js b/underscore.js
+index b29332f..286f385 100644
+--- a/underscore.js
++++ b/underscore.js
+@@ -1408,6 +1408,13 @@
+ return '\\' + escapes[match];
+ };
+ 
++ // In order to prevent third-party code injection through
++ // `_.templateSettings.variable`, we test it against the following regular
++ // expression. It is intentionally a bit more liberal than just matching valid
++ // identifiers, but still prevents possible loopholes through defaults or
++ // destructuring assignment.
++ var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+ // JavaScript micro-templating, similar to John Resig's implementation.
+ // Underscore templating handles arbitrary delimiters, preserves whitespace,
+ // and correctly escapes quotes within interpolated code.
+@@ -1443,15 +1450,24 @@
+ });
+ source += "';\n";
+ 
+- // If a variable is not specified, place data values in local scope.
+- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++ var argument = settings.variable;
++ if (argument) {
++ // Insure against third-party code injection.
++ if (!bareIdentifier.test(argument)) throw new Error(
++ 'variable is not a bare identifier: ' + argument
++ );
++ } else {
++ // If a variable is not specified, place data values in local scope.
++ source = 'with(obj||{}){\n' + source + '}\n';
++ argument = 'obj';
++ }
+ 
+ source = "var __t,__p='',__j=Array.prototype.join," +
+ "print=function(){__p+=__j.call(arguments,'');};\n" +
+ source + 'return __p;\n';
+ 
+ try {
+- var render = new Function(settings.variable || 'obj', '_', source);
++ render = new Function(argument, '_', source);
+ } catch (e) {
+ e.source = source;
+ throw e;
+@@ -1462,7 +1478,6 @@
+ };
+ 
+ // Provide the compiled source as a convenience for precompilation.
+- var argument = settings.variable || 'obj';
+ template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+ return template;
diff -Nru underscore-1.8.3~dfsg/debian/patches/series underscore-1.8.3~dfsg/debian/patches/series
--- underscore-1.8.3~dfsg/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ underscore-1.8.3~dfsg/debian/patches/series 2021-04-07 11:55:49.000000000 +0000
@@ -0,0 +1 @@
+CVE-2021-23358.patch
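Review bot: The new line `render = new Function(argument, '_', source);` assigns `render` without declaring it, and the only declaration in view, `var render = new Function(settings.variable || 'obj', '_', source);`, is the line this hunk removes. Unless `_.template` — which begins and ends outside the hunk — declares `render` somewhere else, that assignment creates an implicit global in sloppy mode, so the closure returned as `template` would resolve `render` to whichever template was compiled most recently, and under `'use strict'` it throws a ReferenceError instead. Restoring the declaration is one line immediately before the `try`: `var render;`. The upstream commit named in the Origin header is worth comparing on exactly this line, since a backport that drops it changes behavior for every caller that compiles more than one template. Separately, `(\w|\$)+` in `bareIdentifier` reads more plainly as `[\w$]+`, which matches the same strings.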