Django released a new set of security releases that protect against malicious redirect URLs when serving static media (on development servers) and when logging in. See their announcement for the details on the fixes.
We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.6 release that contains these two fixes.
To upgrade to this release, run:
$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz
Or:
$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz
You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.