Review Board 2.5.16 Release Notes
Release date: September 12, 2017
This release fixes two security vulnerabilities. Thanks to Dylan Ayrey for reporting and discussing these issues with us.
URLs beginning with
We now force all file attachments to download when clicking Download or when accessing the attachment's URL directly in the browser. This is applied automatically only to new and existing Apache-based installs. If using Nginx or a custom server configuration, you will need to ensure that all uploaded media files are served with a Content-Disposition: attachment header.
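For Nginx installs, the header has to be added by hand. The following is an added example, not configuration shipped with Review Board, showing one way to do it; the site path and the `/media/uploaded/` URL prefix are assumptions and should be adjusted to match your own `location /media/` setup. Serving uploads with `Content-Disposition: attachment` keeps an uploaded HTML or SVG file from being rendered inside the Review Board origin.

```nginx
# Added example: serve Review Board uploaded files as downloads under Nginx.
# Paths and URL prefix are assumptions; adjust to your site.
server {
    # ... existing listen, server_name, TLS and proxy settings ...

    location /media/uploaded/ {
        alias /var/www/reviews.example.com/htdocs/media/uploaded/;

        # Force a download instead of rendering the file in the browser,
        # matching what 2.5.16 now does automatically for Apache installs.
        add_header Content-Disposition "attachment" always;

        # Also stop browsers from content-sniffing an upload into HTML/script.
        add_header X-Content-Type-Options "nosniff" always;
    }
}
```

Note that `add_header` directives in a `location` block replace, rather than extend, any `add_header` lines inherited from the `server` block, so repeat any headers you still need (HSTS, for example) inside this location. After reloading Nginx, confirm the header is present with `curl -sI https://<your-server>/media/uploaded/<some-file> | grep -i content-disposition`, and then re-run the Security Checklist in the administration UI.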
We also fixed an issue that could cause uploaded file security checks in the Security Checklist page to fail.
We recommend that everyone upgrade at their earliest convenience in order to stay secure. Please also view the Security Checklist in the administration UI once you have upgraded and make sure that all tests have passed.
Reporting Security Vulnerabilities
Security vulnerabilities can be reported by filing a bug and choosing Security issue or by e-mailing firstname.lastname@example.org. Patches can be sent by posting a review request to https://reviews.reviewboard.org and choosing only the “security” review group. These methods ensure security vulnerabilities are sent safely and confidentially to the Review Board team.
Fixed viewing diffs of files on GitLab that contain Unicode characters.
Fixed HTTP 502 Bad Gateway errors when authenticating or communicating with GitLab in some configurations.
Errors viewing the commit list when talking to a Subversion repository are now captured and shown on the page, instead of triggering crashes and error e-mails.