New Django 1.6.11.2 security releases

Today, Django released new security patches for 1.7.x, 1.8.x, and 1.9. These fix a possible settings leak in the date template filter: a user who can supply their own date format string could use it to read arbitrary settings, such as a database password, out of the running application.

We've put out a corresponding 1.6.11.2 release, which backports this fix to the version of Django used by Review Board 1.7.x through 2.5.x. While this vulnerability does not affect Review Board, we nevertheless suggest that you upgrade.
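The precondition above is the important part: the leak only matters where an untrusted party controls the format string passed to the date filter, which is why Review Board itself is not affected. To make the bug class concrete, here is a small Python model of it, added here as an example (this is not Django's or Review Board's code, and the settings class, the allow-list, the format resolvers and the date renderer below are all simplified stand-ins with constructed values). The vulnerable resolver falls back to looking any name up on the settings object, so a format string of "SECRET_KEY" hands back the secret; the fixed resolver only consults an allow-list of format settings and treats everything else as a literal format string.

```python
"""Simplified model of a settings leak through a date format lookup.

Added example, not Django's or Review Board's code. It models the class of
bug described above: a format resolver that falls back to reading *any*
attribute off the settings object, so a user-supplied format name such as
"SECRET_KEY" returns the setting's value instead of being treated as a
literal format string. All names and values here are constructed.
"""
import datetime


class _Settings(object):
    """Constructed stand-in for a project's settings module (fake values)."""
    DATE_FORMAT = "N j, Y"
    SECRET_KEY = "fake-secret-key-0123"
    DATABASES = {"default": {"PASSWORD": "fake-db-passw0rd"}}


SETTINGS = _Settings()

# Allow-list of setting names a date format may legitimately refer to.
# Illustrative subset; the real list belongs to Django, not this example.
FORMAT_SETTINGS = frozenset(["DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT"])

# Constructed input used by the demo and the checks below.
SAMPLE_DATE = datetime.date(2015, 11, 24)

_MONTH_ABBR = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
               "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def _render(value, fmt):
    """Tiny subset of Django-style date format characters (j, n, N, Y).

    Unknown characters are echoed verbatim, which is what makes a leaked
    setting show up in the rendered page.
    """
    out = []
    for ch in fmt:
        if ch == "j":
            out.append(str(value.day))
        elif ch == "n":
            out.append(str(value.month))
        elif ch == "N":
            out.append(_MONTH_ABBR[value.month - 1])
        elif ch == "Y":
            out.append("%04d" % value.year)
        else:
            out.append(ch)
    return "".join(out)


def get_format_vulnerable(format_type, settings=SETTINGS):
    """Resolve a format name against settings with no allow-list.

    Any attribute on the settings object is returned, so whoever controls
    the format string can read SECRET_KEY, DATABASES, and so on.
    """
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type, settings=SETTINGS):
    """Only allow-listed format settings are looked up; any other name is a
    literal format string and never touches the settings object."""
    if format_type in FORMAT_SETTINGS:
        return getattr(settings, format_type)
    return format_type


def date_filter(value, format_string, resolver):
    """Model of {{ value|date:"<format_string>" }} using the given resolver."""
    fmt = resolver(format_string)
    if not isinstance(fmt, str):
        fmt = repr(fmt)  # e.g. the DATABASES dict, leaked as text
    return _render(value, fmt)


def leaks_setting(rendered, settings=SETTINGS):
    """Check: does rendered template output contain one of the secrets?"""
    secrets = [settings.SECRET_KEY, settings.DATABASES["default"]["PASSWORD"]]
    return any(s in rendered for s in secrets)


if __name__ == "__main__":
    for name in ("DATE_FORMAT", "SECRET_KEY", "DATABASES"):
        vuln = date_filter(SAMPLE_DATE, name, get_format_vulnerable)
        fixed = date_filter(SAMPLE_DATE, name, get_format_fixed)
        print("%-12s vulnerable=%r leak=%s" % (name, vuln, leaks_setting(vuln)))
        print("%-12s fixed=%r leak=%s" % ("", fixed, leaks_setting(fixed)))
```

Note that even the fixed resolver still renders a string like "SECRET_KEY" through the format engine (the trailing Y becomes the year), which is harmless: the point of the fix is that a non-allow-listed name never reaches the settings object at all. The practical lesson for an application that embeds Django is to audit where format strings come from; if none are user-controlled, as the post says for Review Board, the issue is not exploitable, but patching is still the right default.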

The latest security releases can always be downloaded here. We announce new releases on our Official Announcements mailing list and on our community support forum.

To upgrade to Django 1.6.11.2, you can run:

$ sudo easy_install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

or, using pip:

$ sudo pip install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

Unfortunately, due to restrictions in the design of pip, Review Board cannot automatically upgrade its own Django dependency to these versions. We are working on a solution for this. For now, it is up to you to run one of the commands above on every Review Board server, confirm that the installed Django version is 1.6.11.2, and then restart the web server so the new code is loaded.

For information on what's in this security release, see Django's announcement.

Please note that Django 1.6.x is the last version to support Python 2.6.x, which has itself reached end of life. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.

Review Board 2.5.1 is out!

Last week's release of Review Board 2.5 was a huge hit, and we've had a lot of people quickly upgrading to try out all our new features. If you haven't had a chance to see the release yet, check out our video introduction.

However, it wasn't a perfect release, and many of our Python 2.6 users noted that summaries were no longer showing in the dashboard, due to a compatibility issue introduced in 2.5. We've addressed this and several other issues in today's release of 2.5.1.

Along with the bug fixes, we've made improvements to diff display and for posting new commits for review.

You can see the full list of changes in the release notes.

Thanks to everyone for testing the release, sharing it with others, and providing great feedback!

Updated November 3, 2015 23:40 PST: We've released 2.5.1.1, which temporarily reverts the new feature from 2.5.1 for including branch information in posted commits, due to some breakages that resulted.