We have a new batch of security updates today.
Django put out a few new security releases this morning that focus on fixing two security issues. The first fixes a flaw that allowed malicious URLs to be considered "safe" when they shouldn't be. The second hardens the method by which passwords are stored so that older accounts will gain the security benefits when they next log in.
See their announcement for more details.
We maintain security-hardened builds of Django 1.6.x, the version series we use for all currently-supported releases of Review Board. We have put out a 18.104.22.168 release containing these security fixes.
If you're using a modern pip, you can upgrade to this release by running:
pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-22.214.171.124.tar.gz
easy_install -U https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/Django-126.96.36.199.tar.gz
We immediately fixed this and prepared new releases of Djblets, which you'll want to install depending on your version of Review Board:
- Review Board 1.7.x: Djblets 0.7.33
- Review Board 2.0.x: Djblets 0.8.25
- Review Board 2.5.x: Djblets 0.9.2
If you're running a modern version of Pip, you can upgrade Djblets by running:
pip install Djblets==<version>
Or you can upgrade with:
You can also verify the signatures of the builds against our PGP key, to confirm authenticity.
Thanks to Jose Carlos Exposito Bueno (0xlabs) for reporting this!