We have two new security releases for you today, both fixing security issues reported to us by security researcher Dylan Ayrey. There's also a few bug fixes for GitLab and Subversion, and some improvements for the Administration UI's Security Checklist.

Security Fixes

Dylan reported two vulnerabilities that could be used to execute JavaScript code on a user's behalf:

1. If a text field contains a plain-text javascript: URL, it would be turned into a link that, when clicked, would execute JavaScript on the user's behalf. These links would be pretty long and were easily identifiable, making it less likely that users would be tricked into clicking them (and could not be masked using Markdown links). We've altered the linking behavior to only link certain known types of safe URLs.

2. When clicking Download on a file attachment, the browser may choose to render certain file types in the browser. This includes SVG files, which can include JavaScript. If the media files are served up on the same domain used for Review Board (which is the default behavior), as opposed to a CDN or dedicated domain, then users could be at risk when downloading SVG files.

   We now generate Apache configuration files that add a Content-Disposition: attachment header to all media files, forcing them to download. If you're not using a standard Apache setup, you may need to modify your configuration to add this header.

   You can visit the Security Checklist to make sure this header is being set.

GitLab and Subversion Fixes

Review Board 2.0.31 and 2.5.16 include fixes for working with changes on GitLab. Both fix issues viewing diffs against files containing Unicode characters, and 2.5.16 includes a fix for creating/modifying repositories for self-hosted GitLab servers.

2.5.16 also includes a fix for the New Review Request page when there are problems talking to Subversion repositories. Errors are now reported, instead of the page reporting a generic "Internal Server Error."

See the 2.0.31 and 2.5.16 release notes for more information on these releases, along with upgrade instructions.

Today's release of Review Board 2.5.15 is a small bug fix release taking care of a problem that came up in last week's release of 2.5.14, along with fixing an annoyance some users have hit when loading diffs in the diff viewer.

In last week's release, we made some changes to the Quick Search field and API for security purposes. One of the changes resulted in a crash that could occur using the API, breaking the Quick Search field in the process. If you were bit by this in 2.5.14, an upgrade should fix this for good.

We also fixed a bug in the diff viewer where attempting to switch diff revisions while still loading diffs would result in a crash and a failure to load the new revision.

It's a pretty small release. As always, release notes are available.

We have two new releases for you today, both fixing a couple of undisclosed security bugs, along with providing other bug fixes and feature enhancements.

Security fixes

We discovered an information leak in one of our APIs, allowing a request to be crafted that would reveal some details of review requests otherwise intended to be private. This affects you if you use invite-only review groups or private repositories for access control.

We were also informed of a XSS vulnerability allowing a particular URL to be crafted that would execute JavaScript on your user's behalf.

Both of these issues have been fixed, and additional unit tests have been added to ensure these never regress. We recommend that everyone upgrade to this release at their earliest convenience.

If you locate a security problem in Review Board, please contact security@beanbaginc.com, or file a bug and choosing "Security issue".

New Markdown table support

Review Board 2.5.14 introduces support for GitHub-Flavored Markdown tables. You can now provide tabular data in review request descriptions or in comments.

Commit IDs are now searchable

If you're running Review Board 2.5.14 and have search enabled, you'll now be able to search for review requests based on their commit ID, which is useful if you're using Git or Bitbucket.

This will require a full re-index after upgrade.

And a handful of other fixes in 2.5.14

• Keyboard navigation in the diff viewer should no longer get stuck or fail to navigate to file headers.
• A regression in extension building/packaging when using LessCSS and UglifyJS has been fixed.
• Failure to load files from a repository when viewing diffs no longer results in huge entries in the log files.
• Sending test e-mails should now properly report any errors that come up when communicating with the mail server.
• The styling for buttons on Firefox should now be more consistent.

See the 2.0.30 and 2.5.14 release notes for more information on the release, along with upgrade instructions.

Hello, everyone! Christian Hammond here, one of the founders of Review Board and Beanbag.

We have a webinar coming up on Upgrading Your Team's Code Review Experience using Review Board, hosted by Bitnami. We'll be going over the importance and benefits of code review, how Review Board can help save you time and sanity during the code and document review process (did you know that you can review documents and images?), and we'll talk about some of the upcoming features of Review Board 3.0 that you're going to like.

There will also be a demo followed by a Q&A. This is a great opportunity to ask us anything you might want to know about Review Board.

The webinar starts on July 12th at 9AM PST (4PM UTC). Join us! You can register for the webinar if you want to attend or see the recording once it's over. If you have teammates, managers, or friends who might be interested, please forward this along to them and ask them to register as well. It helps us to have a good head count.

Hope to see you there!

— Christian

Updated: We had a breaking bug in these packages, so we've put out 2.0.29.1 and 2.5.13.1 releases that fix it. You'll want to upgrade to these instead.

We have two new releases for you today, both fixing a security vulnerability discovered in-house that affects self-installed Review Board servers that make use of private repositories, invite-only review groups, or Local Sites. This vulnerability allowed a URL to be crafted that could expose portions of a diff commented on in other review requests. There are no known cases of this vulnerability being used in the wild.

This vulnerability affects all 2.0.x and 2.5.x releases. Older releases may also be impacted, but those still using 1.7.x or older should upgrade to 2.5.x to continue receiving security updates.

Both releases also now display additional help when encountering a Version Mismatch error page after an upgrade, which can occur when switching from one package installer (such as yum, pip, or easy_install) to another, or when upgrading the version of Python on the system.

Along with this, 2.5.13 now allows credentials to be specified in WebHook URLs, and 2.0.29 includes a performance optimization for the Diff Size column in the dashboard.

See the 2.0.29 and 2.5.13 release notes for more information and installation instructions.

We identified a pretty major regression in 2.5.11, and wanted to quickly get a follow-up release out for you. Some changes to our repository communication code resulted in a crash when forming a HTTP header used for several hosting services. This has been fixed, and things should work well once again.

We've also fixed an issue that could occur when sending e-mails for review requests that modify large numbers of files. We send a X-ReviewBoard-Diff-For header that lists the files, for filtering purposes, but some e-mail servers had issues with the length of this header. We've now capped this to ensure e-mails are sent reliably.

It's a small release, but the release notes are available.

If you missed it, check out the 2.5.11 release notes for all the performance improvements, bug fixes, and features we shipped last night.

We spent the past month going through Review Board and finding ways we could make the product faster and feel smoother. Posting and reviewing changes, being the sole purpose of the product, seemed like a pretty good place to start, so we got cracking.

Along the way, we've improved our support for LDAP, Perforce, and touchscreens, and fixed a handful of bugs.

Faster diff uploads

With today's release of Review Board 2.5.11, we've rewritten our diff parsers to be able to handle very large diffs (10 megabytes in size) in a second or two, using less memory in the process. This used to take a lot longer for some diffs. These performance benefits of course extend to smaller diffs as well.

If you're posting existing commits for review in the New Review Request page, you'll find that what used to take seconds is now nearly instantaneous. We've substantially cut down on the work needed here.

Using Perforce? We've changed how we're managing login sessions and fetching information about files in the repository. On larger Perforce installations, you'll see a huge performance benefit here.

A faster, smoother diff viewer

We've polished up the diff viewer, fixing a lot of perceived and actual performance problems. Large diffs that used to swamp the browser can now be viewed without problems. Resizing the window, which used to feel choppy in some browsers, is now silky-smooth.

Firefox users will especially notice an improvement here, as we've cut down on the work the browser needs to do in order to render the page.

Faster search indexing

Some nasty performance bugs in search indexing have been squashed. Indexes that used to take 30 minutes may now only take 2-5 minutes.

Fixed touchscreen support when reviewing changes

We've fixed a lot of bugs with our touchscreen support. Using an iPad or another tablet, you can now make comments spanning multiple lines of a diff, position and resize the comment dialog, and leave comments without triggering key bindings (oops).

And there's plenty more

• Better support for Assembla repositories
• Fixes for user lookups on LDAP
• API improvements
• Performance and usability enhancements in the dashboard
• Fixes for regressions in the search field
• Stability fixes for extensions and repository communication
• Fixed issues upgrading from Review Board 1.7 or older

See the release notes for the entire list of changes, and let us know how the release is working out for you!

Today's release of RBTools 0.7.10 some important compatibility fixes for macOS, Git, Subversion, Team Foundation Server, ClearCase.

macOS and Browser Windows

macOS users who have upgraded to recent releases of Sierra lost the ability to run rbt post --open (to open the posted review request in a browser window) due to a Python/AppleScript bug. This is Python bug #30392, for those who are interested.

We've worked around this. Your default browser will work once again. Thanks to those who pointed this out!

There's also a whole new macOS installer coming that should actually work on all setups. We'll have this on the Downloads page once it gets a little more testing.

Git and Git-SVN

Git-SVN users should no longer encounter crashes when trying to post changes for review. That was pretty disruptive.

Git repositories with submodules containing pending changes no longer cause warnings about dirty repositories when posting changes. They're not included anyway, and just added to the confusion.

Crazy Subversion Diffs

If you had a line of code being deleted that happened to look like a diff header (say, --- XX (YY)), it could cause some code we have for fixing up diffs to get very confused. That, unfortunately, could lead to lines being excluded from the diff, breaking when you try viewing it in the diff viewer.

We've rewritten this code to be very careful about these lines. It won't get confused again.

Team Foundation Server and Visual Studio 2017

Team Foundation Server users who have upgraded to Visual Studio 2017 can once again post changes. TFS has had a nasty habit of changing their file formats, APIs, and command line options, but after much tearing out of the hair, we've restored compatibility.

All versions from Visual Studio 2011 onward should work just fine, so no need to upgrade to 2017 just to use this release.

We've also fixed a regression when using the Team Explorer Everywhere adapter.

ClearCase and Cross-Platform VOB Lookups

ClearCase users can now name their repositories in Review Board based on a component of a VOB path, instead of naming it based on the entire VOB path. This helps with the differences in how ClearCase represents VOB paths on different platforms. For instance, a VOB path of /vobs/MyVOB or C:\vobs\MyVOB will now match a repository name of MyVOB.

There are also some performance improvements for looking up VOBs.

And Other Such Things

There are improvements to the Python API, such as not prematurely exiting the process, plus compatibility fixes for Review Board 3.0. We've also added a new config option to disable certain warnings in RBTools, which would be especially useful for repository hook scripts.

For the complete list of changes, see the release notes.

To upgrade RBTools, visit the downloads page.

Django released a new set of security releases that protect against malicious redirect URLs when serving static media (on development servers) and when logging in. See their announcement for the details on the fixes.

We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.6 release that contains these two fixes.

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz

Or:

$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.

We have two new releases for you today, focusing on a security fix, bug fixes, and compatibility improvements.

Security Fix

A XSS vulnerability was reported and patched today in the review request page. This allowed an attacker to craft a URL that would execute JavaScript on the user's behalf.

This was a publicly-disclosed vulnerability, so there's no CVE number or non-Python packages currently available.

This affects Review Board 1.7.x, 2.0.x, 2.5.x, and the 3.0 beta 1. We are no longer providing any support for Review Board 1.7.x, and 3.0 beta 1 is not intended for any production use, so security releases are only available for 2.0.x and 2.5.x at this time.

To report security vulnerabilities, please file a security bug on our bug tracker. If you have a security patch to contribute, you should post to https://reviews.reviewboard.org and post only to the "security" review group.

Compatibility Improvements

We've made some improvements to our Bazaar, Bitbucket, Mercurial, and Subversion support, improving compatibility across the board.

Our Bazaar support has been rewritten to avoid licensing and Python versioning issues. Mercurial was also susceptible to Python versioning issues.

Subversion diffs generated by IDEs such as WebStorm can now be parsed.

The Bitbucket support now uses their 2.0 API, which solves many of the random bugs and bad error reporting people have encountered in the past. This rewrite is only available for Review Board 2.5.10.

Better Move Detection

We've made a large number of improvements to move detection, helping to resolve issues with lots of overlapping or colliding moved ranges.

More updates for move detection, along with fixes for interdiffs and performance improvements for diff parsing and viewing, should be coming in the next 2.5.x release.

And More

See the full release notes to see all the changes going into this release, along with upgrade instructions for 2.0.28:

• 2.5.10 release notes
• 2.0.28 release notes