Earlier today, Django released a new set of security releases that address issues when running unit tests against Oracle databases and when running a Django-based application when setting
DEBUG = True and
ALLOWED_HOSTS =  in a server's settings file.
Review Board should not be impacted by the Oracle issue (which would not occur in production), and we don't recommend running with
DEBUG = True (plus, new sites created with Review Board 2.0+ will have a safe default for
ALLOWED_HOSTS, keeping you safe). Still, we recommend that you always update to the latest Django 1.6.11.x security release anyway.
We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 126.96.36.199 release that contains these two fixes.
To upgrade to this release, run:
$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-188.8.131.52.tar.gz
$ easy_install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-184.108.40.206.tar.gz
We then recommend that you visit your Administration -> Security Checklist page to ensure that your
ALLOWED_HOSTS and other security settings are correct.
You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.