It was brought to our attention today that Review Board 1.5.x and 1.6.x had a security vulnerability involving browser-side script injection in the diff viewer and screenshot pages. We take such things seriously, and are putting out a couple of releases to fix it. We strongly advise everyone to update, especially if you're running a public server.

Review Board 1.5.7 and 1.6.3 have been released. If you're running 1.6.x, just upgrade as normal, but if you're running 1.5.x, you need to upgrade by doing:

$ sudo easy_install -U ReviewBoard==1.5.7

Otherwise, you'll automatically upgrade to 1.6.x.

Thanks to Damian Johnson for letting us know about this vulnerability and providing a patch to fix it.