What's New in Review Board

We've just released Power Pack 1.4.1 for Review Board. Power Pack provides PDF document review and management reporting capabilities, along with support for GitHub Enterprise, Microsoft Team Foundation Server, and improved multi-server scalability.

Team Foundation Server Improvements

This release focuses on improving support for Microsoft Team Foundation Server:

• Added support for browsing child branches in the New Review Request page.
• Added support for branch/copy operations (requires RBTools 0.7.6 or newer).
• Fixed showing information on new files added in a diff.
• Fixed problems in some configurations when looking up files, which caused diffs to break for some users.

Installation with pip

Power Pack can also now be installed using pip (8.1 or higher recommended) by typing:

pip install -U ReviewBoardPowerPack

Get it today!

Power Pack 1.4.1 is out now! You can read our release notes for the full details, or install or upgrade at any time.

After your trial, if you're ready to buy, head over to our purchase page. We'll help you get a license that's right for you.

Hitting a problem? Have a feature you want to see included? Let us know!

Today's all-new release of RBTools 0.7.6 comes with over a dozen improvements, from Mercurial and Perforce fixes to new Team Foundation Server capabilities to automation enhancements.

We've fixed some character set compatibility bugs with Team Foundation Server. There's also new support for posting branched/copied files for review (this requires the upcoming Power Pack 1.4.1 or higher), excluding files using --exclude, and specifying a custom path to tf.exe.

Perforce users should see more stability in edge cases, like posting deleted symbolic links for review or when dealing with Unicode mismatches between review requests and changesets.

Mercurial users can now safely use relative, negative, or short revisions when specifying commits to post for review.

We've improved RBTools's behavior when running in a non-interactive console, allowed rbt api-get to be used outside of a source tree, and made it easier to work with paginated responses in the Python API.

Performance has been improved when looking up repositories on ClearCase and Subversion.

These are just some of the improvements made in RBTools 0.7.6. For the complete list, see the release notes.

To upgrade RBTools, visit the downloads page.

We've just released two new versions of Review Board: 2.0.23 and 2.5.4. Both contain a number of bug fixes and other improvements, along with fixes for two small self-XSS vulnerabilities.

Security Fixes

The self-XSS vulnerabilities can cause a user to intentionally or unintentionally execute JavaScript code by crafting just the right kind of text in the review request or review dialog fields. These do not persist, cannot be triggered by external users, and cannot affect other users.

These were caused by a bad timing issue that resulted in user-inputted text being briefly considered as safe HTML. A user is unlikely to hit this, and likely will only hit it accidentally, but we recommend that everyone updates to this release as a precaution.

Thanks to "Secfathy" for reporting the self-XSS in the review dialog! We take security seriously, so if you find a vulnerability, please report it responsibly!

New Additions and Fixes

Security fixes aside, we've made a number of improvements in both of these releases:

• Support for JavaScript unit tests for extensions
• Settings for configuring the static media URL.
• Support for using modern versions of stunnel with Perforce.
• Compatibility fixes for Subversion with Beanstalk
• Stale cache fixes for Git diffs when changing the raw file URL mask.
• Information on support options and the current active support contract (if any) in the administration dashboard.

Those are just a few of the improvements! See the release notes for the rest:

• 2.0.23 release notes
• 2.5.4 release notes

We have a new batch of security updates today.

Django

Django put out a few new security releases this morning that focus on fixing two security issues. The first fixes a flaw that allowed malicious URLs to be considered "safe" when they shouldn't be. The second hardens the method by which passwords are stored so that older accounts will gain the security benefits when they next log in.

See their announcement for more details.

We maintain security-hardened builds of Django 1.6.x, the version series we use for all currently-supported releases of Review Board. We have put out a 1.6.11.3 release containing these security fixes.

If you're using a modern pip, you can upgrade to this release by running:

pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz

Or:

easy_install -U https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz

Djblets

We received a security report last night detailing how an attacker could craft a URL to a user's dashboard (or other similar pages) with a column sorting identifier containing JavaScript code. If the user visited that URL and subsequently clicked that column, the code would execute.

We immediately fixed this and prepared new releases of Djblets, which you'll want to install depending on your version of Review Board:

• Review Board 1.7.x: Djblets 0.7.33
• Review Board 2.0.x: Djblets 0.8.25
• Review Board 2.5.x: Djblets 0.9.2

If you're running a modern version of Pip, you can upgrade Djblets by running:

pip install Djblets==<version>

Or you can upgrade with:

easy_install Djblets==<version>

You can also verify the signatures of the builds against our PGP key, to confirm authenticity.

Thanks to Jose Carlos Exposito Bueno (0xlabs) for reporting this!

We have three new major Review Board releases for you today. Each of these have a mixture of bug fixes and feature additions for users, administrators, and extension authors alike. However, they also have security fixes for a vulnerability we discovered with private review requests.

Security Fixes

We discovered a vulnerability where a user with access to a review request can craft URLs to view file attachments, legacy screenshots, or metadata on review request updates for review requests that are private (those using invite-only review groups, private repositories, or Local Site server partitioning). This either requires knowledge if the specific database IDs from those review requests, or requires brute-forcing a range of IDs to scan for content.

If you don't use private review requests on your server, you have nothing to worry about, but we still recommend updating anyway.

Also, while not a vulnerability, it's important to note that if you're an extension author writing JavaScript-side extensions, any extension settings are provided client-side to your JavaScript code. We recently learned of a case where this caused some problems, so we've given extension authors more control here. More on that below.

If you run a public Review Board server, and want to be on a pre-notification list for security vulnerabilities, please contact us.

New Additions and Fixes

We've put some small feature additions into 2.0.22 and 2.5.3:

• Extension authors writing JavaScript-side code can now control what settings data is passed to the client by overriding JSExtension.get_settings. By default, this returns all the extension's settings, but you can return whatever you like here.
• We've improved error feedback when things go wrong while posting a diff using rbt post.
• Mobile styles have had some tweaks for better display on certain pages.
• You can now use memcached servers listening over UNIX sockets.

And some bug fixes:

• "Are you sure want to leave the page?" confirmations should no longer appear on Firefox if you haven't actually changed anything.
• Legacy screenshots from older releases should now display just fine on 2.5.3.
• Webhooks containing diff payloads aren't so broken on 2.5.3.

There's more, and we also have some backported bug fixes and feature changes for 1.7.29. (This will likely be the last 1.7.x release.)

See the release notes for more information:

• 2.5.3 release notes
• 2.0.22 release notes
• 1.7.29 release notes

We're here today with an all-new release of Power Pack. Power Pack provides PDF document review and management reporting capabilities, along with support for GitHub Enterprise, Microsoft Team Foundation Server, and improved multi-server scalability.

This release makes it easier for new users to get started with Power Pack, and gives administrators more control over the Power Pack features available on their system. It's available today for Review Board and, for the first time ever, comes pre-installed when you download from Bitnami.

Get started without a license

Power Pack no longer needs a license to run. Instead, when you first install Power Pack, it'll be immediately available for up to two users of your choice.

This gives you time to try out Power Pack and get it set up before downloading a license for a server-wide 30 day trial. One that trial runs out, Power Pack will continue working for up to two users.

Automate license management and configuration

If you're automated deployment of production and test servers, you'll love our new management commands for working with licenses and configuration.

Power Pack now offers new commands for configuring license settings, adding users to the license, and removing users from the license. You can take advantage of these in any automated deployments to help you get up and running faster.

Lock down your Power Pack features

Your Power Pack license covers all the features we offer, but if you need to turn some of them off, we've got you covered.

The Power Pack configuration page now shows you a list of all features enabled by your license. You can disable any of these to turn off that functionality, and re-enable when you want it back.

Now available with Bitnami

Review Board has been part of the Bitnami family of products for a long time. Bitnami makes it easy to get going quickly with Review Board on Windows or Linux through dedicated installers, virtual machines, and Docker containers.

Today, we're happy to announce that Bitnami now bundles Power Pack with Review Board. You can read the announcement or download today! You can also spin up a free 1-hour demo in the cloud with just a few clicks.

If you use Review Board on Bitnami, please leave a review. We'd love to hear how things went!

Get it today!

Power Pack 1.4 is out now! You can read our release notes for the full details, or install or upgrade to it at any time.

After your trial, if you're ready to buy, head over to our purchase page. We'll help you get a license that's right for you.

Hitting a problem? Have a feature you want to see included? Let us know!

We have another release for you today. Review Board 2.0.21 is out, adding support for Assembla repositories (already available in 2.5), e-mail improvements, extension enhancements, and several bug fixes.

Many of these enhancements and fixes were backported from 2.5. For example, e-mails will now show "Fix it, then Ship It!" if a reviewer submits a "Ship It!" review with issues opened.

Extension authors now have more control over the display of fields added to a review request, and can tap into the review request approval states in JavaScript (especially useful when defining custom approval hooks.

There are several bug fixes you'll also enjoy:

• Viewing an interdiff containing a draft diff and then updating that draft diff no longer shows the old interdiff.
• Updating a review request when it and another review request depend on each other no longer results in errors.
• Commits against a local GitLab server no longer fail to post.
• Default reviewers are now applied when posting an existing commit for review on the New Review Request page.
• Database upgrades from older versions of Review Board should now work consistently.

There are also numerous visual improvements and other small fixes here and there. Check out the release notes for more details.

Please note that in order to upgrade to 2.0.21, you must do:

$ pip install ReviewBoard==2.0.21

or:

$ easy_install ReviewBoard==2.0.21

If you don't specify a version, you'll get the latest 2.5.2 release instead.

Don't forget to upgrade to our Django 1.6.x security updates build. This can't be done automatically just yet. See our announcement for more information.

Review Board 2.5.2 has been released for your downloading pleasure, featuring a couple feature changes and several bug fixes for e-mail, image/PDF review, GitLab, webhooks, and more.

First off, we've made it easier for administrators to figure out how to set up GitHub Enterprise and Microsoft Team Foundation Server repositories. These require an installation of Power Pack, but that wasn't immediately obvious to those unfamiliar with that option. Now, both GitHub Enterprise and TFS are always listed when configuring a repository, and if Power Pack is not installed, it will point administrators in the right direction.

We've also fixed:

• Issues upgrading from certain older releases.
• Missing "Ship It!" and "Fix it, then Ship It!" indicators in review e-mails.
• Payload errors for comments on review replies in webhooks.
• Problems posting existing commits on self-hosted GitLab repositories.
• Interaction and performance issues with moving draft comment regions on images and PDFs.
• Compatibility issues with current releases of Power Pack when it comes to clicking on comment regions on PDFs.
• Inability to double-click to select text in a diff.
• Bad output and annoying (but harmless) crashes when running the condensediffs management command, used to reduce database size.

See the release notes for more details.

As a reminder, you should also install our build for the latest Django 1.6.x security updates. See our announcement for more information on this.

Today, Django released new security patches for 1.7.x and 1.8.x, and 1.9. These fix a possible settings leak in the date template filter, enabling a user to steal settings like a database password if they're able to construct their own date format string.

We've put out a corresponding 1.6.11.2 release, which backports this fix to the version of Django used by Review Board 1.7.x through 2.5.x. While this vulnerability does not affect Review Board, we nevertheless suggest that you upgrade.

The latest security releases can always be downloaded here. We announce new releases on our Official Announcements mailing list and on our community support forum.

To upgrade to Django 1.6.11.2, you can run:

$ sudo easy_install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

or, using pip:

$ sudo pip install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in Review Board. We are working on a solution for this. However, for now, it will be up to you to handle this.

For information on what's in this security release, see the Django's announcement.

Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also end-of-lifed. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.

Last week's release of Review Board 2.5.1 was a huge hit, and we've had a lot of people quickly upgrading to try out all our new features. If you haven't had a chance to see the release yet, check out our video introduction.

However, it wasn't a perfect release, and many of our Python 2.6 users noted that summaries were no longer showing in the dashboard, due to a compatibility issue introduced in 2.5. We've addressed this and several other issues in today's release of 2.5.1.

Along with the bug fixes, we've made improvements to diff display and for posting new commits for review.

You can see the full list of changes in the release notes.

Thanks to everyone for testing the release, sharing it with others, and providing great feedback!

Updated November 3, 2015 23:40 PST: We've released 2.5.1.1, which temporarily reverts the new feature from 2.5.1 for including branch information in posted commits, due to some breakages that resulted.