Review Board 2.0.31 Release Notes
Release date: September 12, 2017
This release fixes two security vulnerabilities. Thanks to Dylan Ayrey for reporting and discussing these issues with us.
URLs beginning with
We now force all file attachments to download when clicking Download or when accessing an attachment's URL directly in the browser. This applies only to new and existing Apache-based installs. If using Nginx or a custom server configuration, you will need to ensure that all uploaded media files are served with a Content-Disposition: attachment header.
We also fixed an issue that could cause uploaded file security checks in the Security Checklist page to fail.
We recommend that everyone upgrade at their earliest convenience in order to stay secure. Please also view the Security Checklist in the administration UI once you have upgraded and make sure that all tests have passed.
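For Nginx or custom server configurations, the header requirement above can be checked with a short script. This is an added example, not code from Review Board; the host, paths, and sample responses are constructed placeholders, and the function names are hypothetical.

```python
import urllib.request


def disposition_type(value):
    """Return the lowercased disposition type, or None if the value is empty."""
    # The type is the token before the first ';' (filename= and other params follow).
    return (value or "").split(";", 1)[0].strip().lower() or None


def forces_download(headers):
    """True only if Content-Disposition is present and every copy says 'attachment'."""
    values = [v for k, v in headers if k.lower() == "content-disposition"]
    return bool(values) and all(disposition_type(v) == "attachment" for v in values)


def audit(responses):
    """Map of URL -> [(header, value), ...]; returns the sorted URLs that fail."""
    return sorted(u for u, hdrs in responses.items() if not forces_download(hdrs))


def fetch_headers(url, timeout=10):
    """HEAD a live URL on your own server and return its (name, value) header pairs."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return list(resp.headers.items())


# Constructed sample responses; host and paths are placeholders, not Review Board's.
BASE = "https://reviews.example.com/uploaded/"
SAMPLE = {
    BASE + "report.html": [("Content-Type", "text/html"),
                           ("Content-Disposition", "attachment")],
    BASE + "patch.diff": [("content-disposition", 'Attachment; filename="patch.diff"')],
    BASE + "diagram.svg": [("Content-Disposition", 'inline; filename="diagram.svg"')],
    BASE + "notes.txt": [("Content-Type", "text/plain")],
    # Duplicate headers that disagree: treat as a failure.
    BASE + "page.xhtml": [("Content-Disposition", "attachment"),
                          ("Content-Disposition", "inline")],
}

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("not forced to download:", url)
```

To check a live install, build the dictionary with fetch_headers() for a few uploaded attachment URLs on your own server and pass it to audit().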
Reporting Security Vulnerabilities
Security vulnerabilities can be reported by filing a bug and choosing Security issue or by e-mailing firstname.lastname@example.org. Patches can be sent by posting a review request to https://reviews.reviewboard.org and choosing only the “security” review group. These methods ensure security vulnerabilities are sent safely and confidentially to the Review Board team.
To upgrade to Review Board 2.0.31, run:
pip install ReviewBoard==2.0.31
- Christian Hammond
- Dylan Ayrey