Today’s new releases fix a (rare) security issue when using older insecure LDAP servers. There are also installation improvements and a handful of bug fixes.
LDAP Security Fix
A security bug was found that enables a user to log in as another user when LDAP is configured. This vulnerability only exists when:
- Using very old LDAP servers that contain a credential verification security bug; and
- Enabling anonymous binds; and
- Logging in as a user not present in LDAP
Under these conditions, a combination of an invalid LDAP username and a non-empty password can result in LDAP claiming the credentials are valid. If that user exists in Review Board as a local user, Review Board will see that the login was “successful” in LDAP and log the user in.
Most users should never hit this issue. So far it’s only been found in an old version of Active Directory, and only when using our “LDAP” backend instead of the recommended “Active Directory.”
We've tightened the code path and added additional checks to safeguard this on our end. All of today’s releases include the fix.
If you use LDAP, we recommend upgrading to this release, ensuring your LDAP servers are up-to-date, and disabling anonymous binds if you don't need them.
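To illustrate the failure mode above and the kind of checks that close it, here is an added example (not Review Board's own code). The directory object is a constructed stand-in for an LDAP server whose quirk reproduces the behaviour described above: an unknown DN with a non-empty password is accepted when anonymous binds are enabled. The DN layout and function names are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class FakeLdapServer:
    """Constructed stand-in for an LDAP server (not a real LDAP client)."""
    users: dict                 # uid -> password, as stored in the directory
    anonymous_bind: bool = True  # anonymous binds enabled on the server
    buggy: bool = True           # emulate the credential-verification bug

    def bind(self, dn, password):
        uid = dn.split(",", 1)[0].split("=", 1)[1]
        if uid in self.users:
            return self.users[uid] == password
        # The misbehaviour described above: an invalid DN with a non-empty
        # password is reported as a successful bind.
        return self.buggy and self.anonymous_bind and bool(password)

    def search_uid(self, uid):
        """Whether an entry with this uid exists in the directory."""
        return uid in self.users


def _dn_for(uid):
    return f"uid={uid},ou=people,dc=example,dc=com"  # assumed DN layout


def naive_login(server, uid, password, local_users):
    """Trusts the bind result alone; vulnerable on the buggy server."""
    return server.bind(_dn_for(uid), password) and uid in local_users


def hardened_login(server, uid, password, local_users):
    """Rejects empty credentials and requires the account to exist in LDAP."""
    # 1. Never attempt a bind with an empty username or password.
    if not uid or not password:
        return False
    # 2. Confirm the account exists in the directory before binding.
    if not server.search_uid(uid):
        return False
    # 3. Only then trust the bind result, and map to the local account.
    if not server.bind(_dn_for(uid), password):
        return False
    return uid in local_users
```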
New Supported Web Servers
Review Board works well with just about any modern web server, but we’ve only ever provided sample configurations for Apache.
Now, when installing a new site, sample configurations are auto-generated for these often-requested web servers:
- Apache + mod_wsgi
- Nginx + Gunicorn
- Nginx + uWSGI
See our Web Server documentation for these sample configuration files and additional instructions.
Many Bug Fixes
We’ve stomped out several bugs in this release, including:
- Problems marking an SSH key or SSL certificate as trusted when configuring a repository
- Communicating with repositories over SSH in some setups
- Performing manual runs of automated reviews when multiple configurations for the same tool are present
- Workarounds for environment issues during installation on Ubuntu 20.04 LTS
We’ve also reworked much of our documentation. Some highlights include:
- Streamlined installation steps for Linux
- A guide on configuring SELinux
- Enhanced instructions for using docker-compose
- Modernized techniques for optimizing and scaling your deployment
- An overview of using automated code review
For the full list of changes, see:
- Review Board 5.0.3 release notes
- Review Board 4.0.12 release notes
- Review Board 3.0.25 release notes
If you need assistance with your server, we can help under a support contract.