Review Board 2.0.30 Release Notes
Release date: August 1, 2017
Security Updates
This release fixes two security vulnerabilities, found in-house and by partners.
The Quick Search API allowed information on otherwise-inaccessible review requests to be returned in the results. This affected setups using private repositories or invite-only review groups.
If you’re not making use of these access controls, this bug won’t impact you, but for those that do, we recommend upgrading to stay secure.
A URL could be crafted for the diff viewer page allowing the execution of arbitrary JavaScript on the user’s behalf.
We recommend that everyone upgrade at their earliest convenience in order to stay secure.
Reporting Security Vulnerabilities
Security vulnerabilities can be reported by filing a bug and choosing Security issue or by e-mailing security@beanbaginc.com. Patches can be sent by posting a review request to https://reviews.reviewboard.org and choosing only the “security” review group. These methods ensure security vulnerabilities are sent safely and confidentially to the Review Board team.
Upgrade Instructions
To upgrade to Review Board 2.0.30, run:
pip install ReviewBoard==2.0.30
or:
easy_install ReviewBoard==2.0.30
Contributors
Barret Rennie
Christian Hammond