New Review Board 1.7.29/2.0.22/2.5.3 security releases

We have three new major Review Board releases for you today. Each of these has a mixture of bug fixes and feature additions for users, administrators, and extension authors alike. However, they also have security fixes for a vulnerability we discovered with private review requests.

Security Fixes

We discovered a vulnerability where a user with access to a review request can craft URLs to view file attachments, legacy screenshots, or metadata on review request updates for review requests that are private (those using invite-only review groups, private repositories, or Local Site server partitioning). This either requires knowledge of the specific database IDs from those review requests, or requires brute-forcing a range of IDs to scan for content.

If you don't use private review requests on your server, you have nothing to worry about, but we still recommend updating anyway.

Also, while not a vulnerability, it's important to note that if you're an extension author writing JavaScript-side extensions, any extension settings are provided client-side to your JavaScript code. We recently learned of a case where this caused some problems, so we've given extension authors more control here. More on that below.

If you run a public Review Board server, and want to be on a pre-notification list for security vulnerabilities, please contact us.

New Additions and Fixes

We've put some small feature additions into 2.0.22 and 2.5.3:

  • Extension authors writing JavaScript-side code can now control what settings data is passed to the client by overriding JSExtension.get_settings. By default, this returns all the extension's settings, but you can return whatever you like here.
  • We've improved error feedback when things go wrong while posting a diff using rbt post.
  • Mobile styles have had some tweaks for better display on certain pages.
  • You can now use memcached servers listening over UNIX sockets.
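
The JSExtension.get_settings override described above, shown as an added example (not code from the Review Board project). The JSExtension class here is a minimal stand-in for the real base class (importable from reviewboard.extensions.base in an actual extension) so the block runs offline; the extension, setting names, and values are constructed for illustration.

```python
# Stand-in for the real JSExtension base class so this runs offline. It
# mirrors only the behaviour described above: get_settings returns all of
# the extension's settings unless overridden.
class JSExtension:
    def __init__(self, extension):
        self.extension = extension

    def get_settings(self):
        # Default: every stored setting is handed to client-side code.
        return self.extension.settings


class SampleExtension:
    """Hypothetical extension holding constructed sample settings."""
    settings = {
        'api_url': 'https://ci.example.com/api/',
        'poll_interval_secs': 30,
        'api_token': 'constructed-secret-token',  # must stay server-side
    }


class DefaultJSExtension(JSExtension):
    """Does not override get_settings, so the token reaches the browser."""


class FilteredJSExtension(JSExtension):
    """Sends only an explicit allowlist of settings to the client."""
    client_safe_keys = ('api_url', 'poll_interval_secs')

    def get_settings(self):
        settings = self.extension.settings
        # Allowlist rather than denylist: a setting added later stays
        # server-side until someone deliberately exposes it.
        return {key: settings[key]
                for key in self.client_safe_keys if key in settings}


def leaked_keys(js_extension, secret_keys=('api_token',)):
    """Return the secret setting names that would be sent to the page."""
    return sorted(set(js_extension.get_settings()) & set(secret_keys))


if __name__ == '__main__':
    ext = SampleExtension()
    print('default :', leaked_keys(DefaultJSExtension(ext)))
    print('filtered:', leaked_keys(FilteredJSExtension(ext)))
```

A check like leaked_keys fits well in an extension's unit tests, so a newly added secret setting fails the build if it ever becomes visible to the client.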

And some bug fixes:

  • "Are you sure want to leave the page?" confirmations should no longer appear on Firefox if you haven't actually changed anything.
  • Legacy screenshots from older releases should now display just fine on 2.5.3.
  • Webhooks containing diff payloads aren't so broken on 2.5.3.

There's more, and we also have some backported bug fixes and feature changes for 1.7.29. (This will likely be the last 1.7.x release.)

See the release notes for more information:

Announcing Power Pack 1.4 for Review Board and Bitnami

We're here today with an all-new release of Power Pack. Power Pack provides PDF document review and management reporting capabilities, along with support for GitHub Enterprise, Microsoft Team Foundation Server, and improved multi-server scalability.

This release makes it easier for new users to get started with Power Pack, and gives administrators more control over the Power Pack features available on their system. It's available today for Review Board and, for the first time ever, comes pre-installed when you download from Bitnami.

Get started without a license

Power Pack no longer needs a license to run. Instead, when you first install Power Pack, it'll be immediately available for up to two users of your choice.

This gives you time to try out Power Pack and get it set up before downloading a license for a server-wide 30-day trial. Once that trial runs out, Power Pack will continue working for up to two users.

Automate license management and configuration

If you're automating deployment of production and test servers, you'll love our new management commands for working with licenses and configuration.

Power Pack now offers new commands for configuring license settings, adding users to the license, and removing users from the license. You can take advantage of these in any automated deployments to help you get up and running faster.

Lock down your Power Pack features

Your Power Pack license covers all the features we offer, but if you need to turn some of them off, we've got you covered.

The Power Pack configuration page now shows you a list of all features enabled by your license. You can disable any of these to turn off that functionality, and re-enable when you want it back.

Now available with Bitnami

Review Board has been part of the Bitnami family of products for a long time. Bitnami makes it easy to get going quickly with Review Board on Windows or Linux through dedicated installers, virtual machines, and Docker containers.

Today, we're happy to announce that Bitnami now bundles Power Pack with Review Board. You can read the announcement or download today! You can also spin up a free 1-hour demo in the cloud with just a few clicks.

If you use Review Board on Bitnami, please leave a review. We'd love to hear how things went!

Get it today!

Power Pack 1.4 is out now! You can read our release notes for the full details, or install or upgrade to it at any time.

After your trial, if you're ready to buy, head over to our purchase page. We'll help you get a license that's right for you.

Hitting a problem? Have a feature you want to see included? Let us know!