
November 15, 2011

chipx86
New Review Board Security Releases: 1.5.7 and 1.6.3

It was brought to our attention today that Review Board 1.5.x and 1.6.x had a security vulnerability involving browser-side script injection in the diff viewer and screenshot pages. We take such things seriously, and are putting out a couple of releases to fix it. We strongly advise everyone to update, especially if you're running a public server.

Review Board 1.5.7 and 1.6.3 have been released. If you're running 1.6.x, just upgrade as normal, but if you're running 1.5.x, you need to upgrade by doing:

$ sudo easy_install -U ReviewBoard==1.5.7

Otherwise, you'll automatically upgrade to 1.6.x.

Thanks to Damian Johnson for letting us know about this vulnerability and providing a patch to fix it.


October 10, 2009

chipx86
Security vulnerability found in Django 1.0.3 and 1.1

An announcement was made yesterday that the Django 1.0.3 and 1.1 releases contained a security vulnerability that may impact some users. We recommend that users upgrade to the latest version of Django immediately. This is especially important for open source projects with public Review Board servers.

If you're running an older Review Board server with Django 1.0.x, you should download Django 1.0.4 and install it. If you're running a newer version, you can upgrade by typing:

easy_install -U Django

Once you've upgraded, re-run rb-site upgrade on your installed Review Board sites.
