We've just released two new versions of Review Board: 2.0.23 and 2.5.4. Both contain a number of bug fixes and other improvements, along with fixes for two small self-XSS vulnerabilities.
These were caused by a timing issue that resulted in user-entered text briefly being treated as safe HTML. A user is unlikely to hit this, and would likely only hit it accidentally, but we recommend that everyone update to this release as a precaution.
Thanks to "Secfathy" for reporting the self-XSS in the review dialog! We take security seriously, so if you find a vulnerability, please report it responsibly!
New Additions and Fixes
Security fixes aside, we've made a number of improvements in both of these releases:
- Settings for configuring the static media URL.
- Support for using modern versions of stunnel with Perforce.
- Compatibility fixes for Subversion with Beanstalk.
- Stale cache fixes for Git diffs when changing the raw file URL mask.
- Information on support options and the current active support contract (if any) in the administration dashboard.
Those are just a few of the improvements! See the release notes for the rest: