What's New in Review Board

HTTPoxy is an old, but recently-discussed security vulnerability affecting CGI-backed web applications (and certain client-side libraries). It allows an attacker to send a Proxy HTTP header to a vulnerable web server, and have that translate into a HTTP_PROXY environment variable, which may then be used to specify an HTTP Proxy server for use by HTTP requests initiated from the server. This happens because CGI-based web applications are provided the client's HTTP headers as environment variables, converted to uppercase and prefixed with HTTP_. This is normally not a problem, but

Effectively, HTTPoxy allows an attacker to Man-in-the-Middle HTTP requests made by the web application, intercepting traffic or returning bad data.

Don't worry, Review Board is safe!

Review Board is not vulnerable to HTTPoxy, as it doesn't use CGI. Most Review Board installs use WSGI, and some older installs use mod_python or FastCGI. None of these implementations are vulnerable (despite the "CGI" in the name "FastCGI").

We'd still recommend fine-tuning your server's settings to work around the HTTPoxy vulnerability, as a precaution, particularly if you're running anything else on the server. See the HTTPoxy Mitigation instructions for further details.

Today's release of Power Pack brings a brand new feature: Support for Visual Studio Team Services.

Formerly known as Visual Studio Online, this service provided by Microsoft allows you and your team to easily set up and work with Team Foundation Server repositories. Now, using Power Pack, you can add your repositories to Review Board and take advantage of all of our enhanced code review capabilities. See the documentation for more information on getting set up.

We've also improved the UI for PDF Review. Previously, the PDF Review UI would appear as its own independent box, separate from the rest of the review request page (including the header with the "Close," "Review," etc. actions). Now, when using Review Board 2.0 or higher, it will fit in more naturally with the rest of the page.

There are also a handful of other bug fixes for TFS-Git, anonymous users, and more. See the release notes for more information.

Review Board 2.5.6 shipped in a bit of a broken state, due to a packaging error that wasn't caught by our automated tests. This led to JavaScript failures on certain pages, like the New Review Request page.

Review Board 2.5.6.1 is out now and fixes the error. If 2.5.6 broke you, just install 2.5.6.1 and you'll be back up and running.

We're expanding our automated testing to ensure this particular problem won't happen again. Sorry for the trouble, and thanks for using Review Board!

We have a couple of new releases for you today, mostly focused on bug and compatibility fixes.

Both releases have important fixes for GitLab and compatibility fixes for Subversion 1.9 diffs, both of which we've received numerous bug reports about.

Review Board 2.5.6 also has an important dependency update for django-haystack. If you recently installed Review Board 2.5.x on a new server and had issues creating a site, this should take care of it.

Review Board 2.0.24 now has the improved support for Codebase HQ, which we previously introduced in Review Board 2.5.5. This allows you to work with Subversion and Mercurial repositories hosted there.

Both releases contain several other bug fixes that are worth getting. See the release notes for more information:

• 2.0.24 release notes
• 2.5.6 release notes

Also remember that if you're upgrading to 2.0.24, you need to follow the instructions in the release notes to ensure you're getting the right version.

We have a new release for you all today that introduces a couple of new features and fixes some important bugs. In particular, if you're a PostgreSQL user and are running an earlier 2.5.x release, you'll want to upgrade today.

Here are some of the highlights:

Improved Codebase HQ support

We've enhanced our support for repositories hosted on Codebase, adding on Mercurial and Subversion support, along with improving support for Git. If you use Codebase already, you'll be prompted to supply new credentials the next time you create or edit a repository.

PostgreSQL diff condensing improvements

A critical defect was found in the condensediffs command when being run against a PostgreSQL database that could cause data loss. This was introduced in 2.5. We haven't received any reports to date about data loss, but have witnessed it in-house. If you're using 2.5.x on PostgreSQL, please update immediately.

Usability regression fixes

There's also a fix for a usability regression introduced in a previous release for the Review Groups configuration page. The user membership selector was replaced with a text field containing internal database IDs for users. This was based on an attempt to work around a performance defect on very large servers. We've reverted back to the user selector for this release, and will be introducing a new selector that increases usability and fixes performance problems in a future 2.5.x release.

If this was a problem for you, and you are not bitten by the PostgreSQL bug, you may want to stay on 2.5.4 for now.

E-mails for API tokens

In order to enhance security and help with audit trails, we've introduced e-mail notifications when creating, deleting, or modifying API tokens. If someone manages to gain access to your account and create an API token, or tricks you into creating one in some way, you'll be notified.

There's also a handful of other fixes. See the release notes for all the details.

We've just released Power Pack 1.4.1 for Review Board. Power Pack provides PDF document review and management reporting capabilities, along with support for GitHub Enterprise, Microsoft Team Foundation Server, and improved multi-server scalability.

Team Foundation Server Improvements

This release focuses on improving support for Microsoft Team Foundation Server:

• Added support for browsing child branches in the New Review Request page.
• Added support for branch/copy operations (requires RBTools 0.7.6 or newer).
• Fixed showing information on new files added in a diff.
• Fixed problems in some configurations when looking up files, which caused diffs to break for some users.

Installation with pip

Power Pack can also now be installed using pip (8.1 or higher recommended) by typing:

pip install -U ReviewBoardPowerPack

Get it today!

Power Pack 1.4.1 is out now! You can read our release notes for the full details, or install or upgrade at any time.

After your trial, if you're ready to buy, head over to our purchase page. We'll help you get a license that's right for you.

Hitting a problem? Have a feature you want to see included? Let us know!

Today's all-new release of RBTools 0.7.6 comes with over a dozen improvements, from Mercurial and Perforce fixes to new Team Foundation Server capabilities to automation enhancements.

We've fixed some character set compatibility bugs with Team Foundation Server. There's also new support for posting branched/copied files for review (this requires the upcoming Power Pack 1.4.1 or higher), excluding files using --exclude, and specifying a custom path to tf.exe.

Perforce users should see more stability in edge cases, like posting deleted symbolic links for review or when dealing with Unicode mismatches between review requests and changesets.

Mercurial users can now safely use relative, negative, or short revisions when specifying commits to post for review.

We've improved RBTools's behavior when running in a non-interactive console, allowed rbt api-get to be used outside of a source tree, and made it easier to work with paginated responses in the Python API.

Performance has been improved when looking up repositories on ClearCase and Subversion.

These are just some of the improvements made in RBTools 0.7.6. For the complete list, see the release notes.

To upgrade RBTools, visit the downloads page.

We've just released two new versions of Review Board: 2.0.23 and 2.5.4. Both contain a number of bug fixes and other improvements, along with fixes for two small self-XSS vulnerabilities.

Security Fixes

The self-XSS vulnerabilities can cause a user to intentionally or unintentionally execute JavaScript code by crafting just the right kind of text in the review request or review dialog fields. These do not persist, cannot be triggered by external users, and cannot affect other users.

These were caused by a bad timing issue that resulted in user-inputted text being briefly considered as safe HTML. A user is unlikely to hit this, and likely will only hit it accidentally, but we recommend that everyone updates to this release as a precaution.

Thanks to "Secfathy" for reporting the self-XSS in the review dialog! We take security seriously, so if you find a vulnerability, please report it responsibly!

New Additions and Fixes

Security fixes aside, we've made a number of improvements in both of these releases:

• Support for JavaScript unit tests for extensions
• Settings for configuring the static media URL.
• Support for using modern versions of stunnel with Perforce.
• Compatibility fixes for Subversion with Beanstalk
• Stale cache fixes for Git diffs when changing the raw file URL mask.
• Information on support options and the current active support contract (if any) in the administration dashboard.

Those are just a few of the improvements! See the release notes for the rest:

• 2.0.23 release notes
• 2.5.4 release notes

We have a new batch of security updates today.

Django

Django put out a few new security releases this morning that focus on fixing two security issues. The first fixes a flaw that allowed malicious URLs to be considered "safe" when they shouldn't be. The second hardens the method by which passwords are stored so that older accounts will gain the security benefits when they next log in.

See their announcement for more details.

We maintain security-hardened builds of Django 1.6.x, the version series we use for all currently-supported releases of Review Board. We have put out a 1.6.11.3 release containing these security fixes.

If you're using a modern pip, you can upgrade to this release by running:

pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz

Or:

easy_install -U https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz

Djblets

We received a security report last night detailing how an attacker could craft a URL to a user's dashboard (or other similar pages) with a column sorting identifier containing JavaScript code. If the user visited that URL and subsequently clicked that column, the code would execute.

We immediately fixed this and prepared new releases of Djblets, which you'll want to install depending on your version of Review Board:

• Review Board 1.7.x: Djblets 0.7.33
• Review Board 2.0.x: Djblets 0.8.25
• Review Board 2.5.x: Djblets 0.9.2

If you're running a modern version of Pip, you can upgrade Djblets by running:

pip install Djblets==<version>

Or you can upgrade with:

easy_install Djblets==<version>

You can also verify the signatures of the builds against our PGP key, to confirm authenticity.

Thanks to Jose Carlos Exposito Bueno (0xlabs) for reporting this!

We have three new major Review Board releases for you today. Each of these have a mixture of bug fixes and feature additions for users, administrators, and extension authors alike. However, they also have security fixes for a vulnerability we discovered with private review requests.

Security Fixes

We discovered a vulnerability where a user with access to a review request can craft URLs to view file attachments, legacy screenshots, or metadata on review request updates for review requests that are private (those using invite-only review groups, private repositories, or Local Site server partitioning). This either requires knowledge if the specific database IDs from those review requests, or requires brute-forcing a range of IDs to scan for content.

If you don't use private review requests on your server, you have nothing to worry about, but we still recommend updating anyway.

Also, while not a vulnerability, it's important to note that if you're an extension author writing JavaScript-side extensions, any extension settings are provided client-side to your JavaScript code. We recently learned of a case where this caused some problems, so we've given extension authors more control here. More on that below.

If you run a public Review Board server, and want to be on a pre-notification list for security vulnerabilities, please contact us.

New Additions and Fixes

We've put some small feature additions into 2.0.22 and 2.5.3:

• Extension authors writing JavaScript-side code can now control what settings data is passed to the client by overriding JSExtension.get_settings. By default, this returns all the extension's settings, but you can return whatever you like here.
• We've improved error feedback when things go wrong while posting a diff using rbt post.
• Mobile styles have had some tweaks for better display on certain pages.
• You can now use memcached servers listening over UNIX sockets.

And some bug fixes:

• "Are you sure want to leave the page?" confirmations should no longer appear on Firefox if you haven't actually changed anything.
• Legacy screenshots from older releases should now display just fine on 2.5.3.
• Webhooks containing diff payloads aren't so broken on 2.5.3.

There's more, and we also have some backported bug fixes and feature changes for 1.7.29. (This will likely be the last 1.7.x release.)

See the release notes for more information:

• 2.5.3 release notes
• 2.0.22 release notes
• 1.7.29 release notes