New Django Security Releases

Django released a new set of security releases that protect against malicious redirect URLs when serving static media (on development servers) and when logging in. See their announcement for the details on the fixes.

We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django release that contains these two fixes.

To upgrade to this release, run:

$ pip install -U


$ easy_install -U

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.

New Review Board 2.0.28 and 2.5.10 security/bug fix releases

We have two new releases for you today, focusing on a security fix, bug fixes, and compatibility improvements.

Security Fix

A XSS vulnerability was reported and patched today in the review request page. This allowed an attacker to craft a URL that would execute JavaScript on the user's behalf.

This was a publicly-disclosed vulnerability, so there's no CVE number or non-Python packages currently available.

This affects Review Board 1.7.x, 2.0.x, 2.5.x, and the 3.0 beta 1. We are no longer providing any support for Review Board 1.7.x, and 3.0 beta 1 is not intended for any production use, so security releases are only available for 2.0.x and 2.5.x at this time.

To report security vulnerabilities, please file a security bug on our bug tracker. If you have a security patch to contribute, you should post to and post only to the "security" review group.

Compatibility Improvements

We've made some improvements to our Bazaar, Bitbucket, Mercurial, and Subversion support, improving compatibility across the board.

Our Bazaar support has been rewritten to avoid licensing and Python versioning issues. Mercurial was also susceptible to Python versioning issues.

Subversion diffs generated by IDEs such as WebStorm can now be parsed.

The Bitbucket support now uses their 2.0 API, which solves many of the random bugs and bad error reporting people have encountered in the past. This rewrite is only available for Review Board 2.5.10.

Better Move Detection

We've made a large number of improvements to move detection, helping to resolve issues with lots of overlapping or colliding moved ranges.

More updates for move detection, along with fixes for interdiffs and performance improvements for diff parsing and viewing, should be coming in the next 2.5.x release.

And More

See the full release notes to see all the changes going into this release, along with upgrade instructions for 2.0.28: