New Review Board 2.0.29 and 2.5.13 security releases

Updated: We had a breaking bug in these packages, so we've put out and releases that fix it. You'll want to upgrade to these instead.

We have two new releases for you today, both fixing a security vulnerability discovered in-house that affects self-installed Review Board servers that make use of private repositories, invite-only review groups, or Local Sites. This vulnerability allowed a URL to be crafted that could expose portions of a diff commented on in other review requests. There are no known cases of this vulnerability being used in the wild.

This vulnerability affects all 2.0.x and 2.5.x releases. Older releases may also be impacted, but those still using 1.7.x or older should upgrade to 2.5.x to continue receiving security updates.

Both releases also now display additional help when encountering a Version Mismatch error page after an upgrade, which can occur when switching from one package installer (such as yum, pip, or easy_install) to another, or when upgrading the version of Python on the system.

Along with this, 2.5.13 now allows credentials to be specified in WebHook URLs, and 2.0.29 includes a performance optimization for the Diff Size column in the dashboard.

See the 2.0.29 and 2.5.13 release notes for more information and installation instructions.