Django released the versions 2.2.4, 2.1.11, and 1.11.23 today, fixing a handful of security issues. You can see their announcement for the list of issues addressed.

We maintain security-hardened builds of Django 1.6.11, the version series we use for Review Board 2.0 through 3.0. We've put out a new Django 1.6.11.8 release that contains these fixes, plus some additional backports from newer releases.

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.8.tar.gz

Or:

$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.8.tar.gz

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list, joining our Subreddit, or following us on Twitter.

Power Pack 3.0.2 improves integration with Microsoft's Team Foundation Server:

• Copied files containing non-ASCII filenames can now be diffed
• Compatibility between various versions of Review Board, Python, and Team Foundation Server has improved

There's also several behind-the-scenes changes preparing Power Pack for new features we have in the works, and for the upcoming Review Board 4.0 release.

Update Today

Power Pack 3.0.2 is recommended for all Power Pack users reviewing code over Team Foundation Server.

To upgrade, or to install for the first time, see the installation instructions.

On June 11, 2019, Bitbucket removed an API that Review Board required in order to upload or view diffs. This caught us by surprise, and if you use Bitbucket, you may have had a rough day. Us too.

We've worked around this in today's release, restoring full Bitbucket compatibility. We've also fixed some regressions introduced by changes to Bitbucket's webhook payloads (used to auto-close review requests).

Going forward, Review Board 3.0.15 or higher is required to use Bitbucket.

By the way, to keep track of important issues like this, follow us on Twitter.

Along with the Bitbucket fixes, we've added some polish to other parts of the product:

• Some sort of avatar will now always show up, no matter your configuration. If you've disabled all avatar services, we'll make sure the fallback avatar service is used.
• Using emojis shortcodes? You've probably noticed they've been looking... a bit strange. A CDN changed on us, so we've updated to use the new one.
• Very, very large images (high-DPI images, screenshots) shown in comments and other text fields would expand far outside their container, but no longer.
• People sometimes like to paste URLs or other text in the Depends On field for review requests, which just sort of failed with an error. Now you'll see something more helpful.
• If you've tried updating access lists for repositories lately, you may have noticed your changes weren't always saving. *ahem* We've taken care of that.
• Writing custom extensions? Adding new review request actions? Callbacks registered with RB.ReviewRequestActionHook will now do what they're supposed to do, instead of crashing.

See the release notes for everything in 3.0.15.

Improved Python 3 Support

RBTools 1.0 introduced support for Python 3, and since then many more of our users have switched over and sent us patches to improve that support. We've also improved our testing, helping us to maintain a more stable Python 3 codebase.

Two-Factor Auth for RBCommons

The support for Two-Factor Authentication in RBCommons has been completely redone to avoid login rate limit issues, missing headers, and trouble logging in.

Going forward, RBTools 1.0.2 will be the minimum version required for RBCommons accounts using Two-Factor Authentication.

Git Improvements

We've improved upon the smart tracking branch detection logic introduced in RBTools 1.0, which is designed to find the right tracking branch for your local changes. It now does a better job of finding a suitable branch if your repository doesn't have an origin remote, and gives priority to the one provided in --tracking-branch.

Support for disabling Git file rename detection has also been added, for those cases where Git is getting too aggressive and making for bad diffs. Simply pass --no-renames to rbt post or rbt diff to generate a diff without renamed files.

A Step Toward Better Error Messages

We've working to improve error messages throughout our products, to help guide people when things go wrong.

If RBTools is pointing to a bad Review Board URL, it no longer just fails with an HTTP status code or cryptic error message. RBTools will now inspect the URL to determine what may have gone wrong, and offer guidance on resolving the problem.

Error messages in our API and other commands have also been fixed. We'll be making further improvements in future releases.

Plus More

• Perforce diffs now contain information on binary files
• Aliases invoking shell commands now preserve their quotes and escape sequences
• Patches from users with private profiles enabled can now be applied to new commits without crashing

See the release notes for the full list of changes.

Today's release of Review Board 3.0.14 fixes a handful of bugs that may be plaguing you, and introduces some long-overdue UI improvements for integrations and avatars.

Fallback Avatars

Review Board now displays a default avatar when no other avatar service is available for the user.

This avoids those annoying blank avatars and ugly log messages when users have opted out of all other types of avatars.

A Better Integrations Experience

Integrations configuration has been completely redone, making it easier to see what integrations you already have and which are available to install.

RBCommons will be receiving support for integrations very soon. We're beta-testing this now, so if you're interested in trying it out, let us know!

Plus...

• A regression with using integrations bound to repositories and review groups has been fixed.
• The bubble shown on the Review Request page when there are updates doesn't sometimes list the wrong reviewer name anymore.
• Our close-on-push hooks for GitHub, Bitbucket, and other services no longer crash when encountering invalid review request IDs in commit messages.
• We've bumped up the version of Less, the language used for our CSS, from 2.6 to 3.9. Extensions can now make use of all the latest Less CSS features.
• The Users API now supports optional rendering of avatars, supporting all Review Board and in-house avatar services.

See the release notes for all the changes in this release.

Today's release is the second in a series of releases built to improve the speed of the product, reducing the database work required in most pages and in the API. That's not all, though. We've fixed a few bugs, including an API regression from 2.0.12, and added a few new user-facing and administrative features.

More Fine-Tuning

We've further reduced the database work required by Review Board, particularly when it comes to loading and saving user-specific data, something we do on nearly every HTTP request.

Behind the scenes, we've made several improvements to our API testing infrastructure that will help us make the API more lean in future releases.

The Follow Menu

We've added a new menu to the top-right of Review Board that helps users find the Review Board News feed, Twitter, Facebook page, Subreddit, and YouTube channel. This is intended to help users follow the latest Review Board and RBTools updates and to read, watch, or discuss both code review tips and Review Board in general.

Improved E-Mail Support

If you're dealing with "this e-mail is suspicious" warnings in your e-mail client, you're running into problems with how Review Board sends e-mail on behalf of users.

While this can generally be corrected through proper domain records, you can now change how Review Board generates e-mails through a new option in the E-Mail Settings page.

Plus Some Other Improvements

• We've fixed a regression in the review request draft API that caused unwanted groups to appear when emptying the field.

• Those using custom X.509-based authentication schemes can now specify a custom username field without forking any code.

• Search results now contain inactive users and closed review requests.

• Condition fields for integrations no longer show any archived/hidden repositories or hidden groups, resulting in less noise when setting things up on older installations.

See the release notes for all the changes in 3.0.13.

The new major release of Power Pack 3.0 brings the ability to diff PDF documents, comparing how the text of the document changes between revisions, and makes it easier to manage your license subscriptions.

Viewing Differences in PDFs

This can drastically cut down on the time needed to read through documents as the author takes in suggested edits from reviewers. Just like a code diff, any text changes made in a document are shown inline in the PDF, color-coded for easier viewing.

A handy new sidebar view catalogues all the changes made throughout the document, so there's no need to carefully scrutinize as you scroll.

If you do need to scroll, a new "Lock scroll" checkbox gives you control over whether the documents should scroll in sync, or scroll individually.

In order to enable diffing support for PDFs, you will need a PDF document that contains text information embedded in the document (such as when printing to PDF or using OCR on a scanned document). It's also important to update the existing PDF file attachment with the new document, instead of creating a brand new upload.

Easier License Management

We've revamped the Power Pack configuration page to better show the status and health of your license, how quickly the expiration date is coming up or whether you're hitting your user cap.

The new "Manage your license" button takes you straight to our license portal where you can renew your license, convert to a yearly subscription, add additional users, and more.

Power Pack now checks for updates to your license automatically when viewing the Power Pack configuration page, and will install any new license it finds. You no longer need to download and install new license files from the license portal yourself.

Plus the Usual Bug Fixes

We've sorted out some crashes and visual glitches in reports, as well as a compatibility problem with AWS CodeCommit. The full list of changes are in the release notes.

Get started today with a 30 day trial license. After 30 days, enjoy a complimentary license for up to 2 users forever, or purchase a license for the rest of your organization.

Today’s release of Review Board is the first in a series of releases focusing on performance. We’re going through the product with a fine-toothed comb, looking for places where we can make things faster so your servers can be happier and your developers more productive — or vice-versa.

Working Toward a Faster Review Board

Review Board 3.0.12 reduces the amount of database work required when updating or publishing review request drafts, loading extensions, processing integrations, and working with the API in general.

It also lays the groundwork for further improvements coming in 3.0.13 and beyond, helping ensure faster database reads and writes across the product.

And don't worry — no database upgrades are required for this release.

Improving the API

We've reworked two of the APIs to help customers building their Review Board integrations. The review request draft API now handles concurrent updates to the same draft from multiple clients far better than before, preventing fields from being overwritten unintentionally.

The repository API has also been rewritten, making it easier to archive repositories, adding better validation, and getting things ready for creating and updating repositories backed by hosting services (coming soon).

Plus a Few Other Fixes

We've also fixed a crash that could occur when sorting non-sortable Dashboard columns in the URL, the length of archived repository names, and over-zealous access restrictions in the Diff Context API.

See the release notes for more details on everything that's in 3.0.12.

Today's release of Review Board 3.0.11 features a security fix in the API, compatibility with modern Bitbucket WebHooks, and other improvements. We've also put out an accompanying 2.5.18 security release, for those who haven't yet upgraded to 3.0.

Diff Validation Security Fix

The Diff Validation API allowed for private repositories to be specified when validating a new diff. This did not leak any file contents whatsoever, but could expose whether a particular file at a revision did or did not exist, or whether an uploaded patch could be applied against those files.

This is only an issue for servers making use of private repositories, and it does not apply to Local Site access control. Still, we recommend that everyone updates to this release.

Modern Bitbucket WebHooks

Bitbucket removed support for their legacy WebHooks, which broke Review Board's ability to auto-close review requests when commits are pushed.

The 3.0.11 release adds compatibility with the newer WebHooks. Follow the instructions to re-add any hooks you had set before in Bitbucket.

Other Fixes and Improvements

• Repository names can now be up to 255 characters long, giving you enough room to generate names based on URLs or some other identifier
• Errors finding the GitLab API version (usually caused by domain resolution or SSL certificate trust issues) now contain enough information to help you locate the real problem
• Fixed crashes with sending WebHook payloads when certain data types were involved

See the Review Board 3.0.11 and 2.5.18 release notes for the full list of changes.

Security fixes

Review Board 3.0.10 addresses a security vulnerability found in-house that could allow for malicious JavaScript from a user profile to execute when rendering avatars. This bug was originally introduced in 3.0.7 and does not affect any prior releases.

Although there are no known exploits found in the wild, we do recommend that everyone upgrades to this release.

Plus several bug fixes, including

• A regression introduced in 3.0.9 with sending WebHooks
• An upgrade bug that could occur when upgrading to 3.0.x for the first time
• Conflicts between extensions when installing or upgrading multiple ones at a time
• URLs not always linking in comments and text fields

And other improvements

• The New Review Request page confirms that you want to post commits for review, in case you click the wrong thing
• Review request e-mails now show the branch information

That's not all. Check out the release notes for the rest of the changes.