Today, Django released new security patches for 1.7.x and 1.8.x, and 1.9. These fix a possible settings leak in the
date template filter, enabling a user to steal settings like a database password if they're able to construct their own date format string.
We've put out a corresponding 184.108.40.206 release, which backports this fix to the version of Django used by Review Board 1.7.x through 2.5.x. While this vulnerability does not affect Review Board, we nevertheless suggest that you upgrade.
To upgrade to Django 220.127.116.11, you can run:
$ sudo easy_install \ -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \ Django==18.104.22.168
or, using pip:
$ sudo pip install \ -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \ Django==22.214.171.124
Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in Review Board. We are working on a solution for this. However, for now, it will be up to you to handle this.
For information on what's in this security release, see the Django's announcement.
Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also end-of-lifed. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.