Jump to >

Review Board 3.0.21 Release Notes

Release date: April 14, 2021


Security Fixes

This release fixes a XSS vulnerability in Markdown rendering, which could allow an attacker to craft a link that executes arbitrary JavaScript code when clicked.

The attacker would need to be someone who already has legitimate access to your server, and can perform reviews or otherwise access your code.

We recommend that everyone (especially those running public servers) upgrades to address this vulnerability, though the seriousness of the issue will vary from company to company.

Thanks to Matt Schmidt for the security report.

New Features

Official Docker Support

We now have an official Docker image for Review Board. Going forward, all releases (including betas) will come with a Docker image, ready for testing or deployment in your network.

For now, the Docker image is also a beta. Please read the documentation on setting up a container with our Docker image.

With this, Review Board can now be run via Gunicorn and other independent WSGI application servers by making use of a new reviewboard.wsgi module. The old htdocs/reviewboard.wsgi script on new installs will make use of this module. Existing versions won’t be upgraded in 3.0.x (but will be in 4.0).


  • Added a --allowed-host option to rb-site-install to specify additional hostnames for the server.

    This can be specified multiple times.

  • Improved checks and error messages when failing to install a new site directory at a specified location.

    There’s no longer a generic error shown if the site directory can’t be written to or contains existing files. The error is now tailored based on what failed.

Deprecated Features

  • The dumpdb and loaddb management commands have been deprecated, and will be removed in Review Board 4.0.

    These commands, and the data generated by dumpdb, are not compatible with the version of Django used for Review Board 4.0. These were never really intended for use outside of development setups to begin with, and end up causing more trouble than they’re worth.

    We recommend that people use their database’s native SQL dump/restore tools.

    We’re also working on a successor to these tools in Power Pack

Bug Fixes


  • Fixed having to manually run resolve a “static-media” check after installing a new site.

  • Added a warning in the terminal that extensions are disabled if there’s a pending upgrade required for a site directory.

    It was otherwise confusing why management commands provided by extensions couldn’t be run.


  • Christian Hammond
  • Matt Schmidt