New Review Board Security Releases: 1.5.7 and 1.6.3

It was brought to our attention today that Review Board 1.5.x and 1.6.x had a security vulnerability involving browser-side script injection in the diff viewer and screenshot pages. We take such things seriously, and are putting out a couple of releases to fix it. We strongly advise everyone to update, especially if you're running a public server.

Review Board 1.5.7 and 1.6.3 have been released. If you're running 1.6.x, just upgrade as normal, but if you're running 1.5.x, you need to upgrade by doing:

$ sudo easy_install -U ReviewBoard==1.5.7

Otherwise, you'll automatically upgrade to 1.6.x.

Thanks to Damian Johnson for letting us know about this vulnerability and providing a patch to fix it.

Review Board 1.6.2 released

Review Board 1.6.2 is out. It's a bug fix release that takes care of several issues people have hit. In particular, it should have a proper Apache WSGI configuration for subdirectory installs out of the box, some SCM integration fixes, browser compatibility improvements, and various other things.

We also have a couple bits of new API for those who want to automate review group creation, or archive deprecated repositories. Check out the release notes for the full list.

RBTools 0.3.4 released

RBTools 0.3.4 is out. It features an authentication fix for users on RBCommons, fixes for --guess-summary with newlines on Git, solves diff uploading problems on Python 2.7, and adds a new --change-description parameter.

Full release notes are available.

Review Board 1.6.1 released

Hot on the tails of 1.6, we have an important security update and bug fix release. 1.6.1 bumps our required Django version to 1.3.1, which contains a number of important security fixes.

It also fixes the counters bug that many people have noticed in the dashboard, where the number of review requests is listed as 0 or a negative number. This was caused by an incorrect default value set when upgrading. Upgrading to 1.6.1 will fix this default, and reset the counts for all users. You should see correct values the next time you use the dashboard.

Release notes are available.

Fixing the Dashboard counters

Those who have upgraded to Review Board 1.6.0 have no doubt noticed some problems with a few of the counters on the side of the Dashboard. Several may be set to 0, or in the negatives. This is an annoying bug, and many have reported it to us.

Don't worry, though, we were prepared for such things! You can reset your counters by typing:

rb-site manage /path/to/site fixreviewcounts

The counters should fix themselves the next time you're signed on. Now, any users who haven't logged in since the upgrade may find themselves hitting this bug again. Just re-run the same command and it'll solve it.

The upcoming 1.6.1 release will fix the bug and will perform a counter reset on your install. This should take care of it for everybody. You can expect that this weekend.

Review Board 1.6 released

That's a wrap, people. Review Board 1.6 is done, and ready to be installed.

1.6 is a major release, which focuses on better review workflows, faster reviews, access control, generic file attachments, speed improvements, and much, much more. The entire list of features is covered in our release notes.

Before upgrading, we recommend that you back up your database and your site directory, in case anything goes wrong. If you do have problems, you can reach us on our mailing list.

From here on out, we'll be focusing on Review Board 1.6.x releases alongside the upcoming 2.0 release, which will feature support for using third party extensions.

Note: If you're staying with Review Board 1.5.x releases, you will need to be careful how you upgrade to new 1.5.x releases. Instead of the usual:

$ easy_install -U ReviewBoard

You will need to do:

$ easy_install -U ReviewBoard==version

Where version would be 1.5.6 or whatever version you're upgrading to. Otherwise, you will end up upgrading to Review Board 1.6.

Again, let us know if you hit any issues. A lot has changed in this release, and we'll probably be shaking out a few bugs with the new features over the next few point releases.

Review Board 1.5.6 released

Review Board 1.5.6 is out the door, packed with some good fixes and a couple small feature additions. Many of these are fixes backported from the in-development 1.6 releases.

Of note are fixes for caching large diffs/files, fixes for screenshot captions on drafts, performance improvements in syntax highlighting (if you haven't installed recently or upgraded Pygments), and support for Fedora Hosted as a hosting service.

See the release notes for the complete list.

RBTools 0.3.3 released

RBTools 0.3.3 is out the door, and it's a biggie. There's fixes and goodies for pretty much everybody.

Git received a lot of fixes in this release, as did post-review itself. One of the biggest sets of changes, though, that I'd like to call attention to is Jan Koprowski's wonderful work in rewriting our ClearCase support. He put in a lot of effort and fixed a number of problems with the old implementation. Thanks Jan!

We're hard at work on some large-scale changes to RBTools. The 0.4.0 release is in progress, and it'll form the foundation of the 1.0 release. Soon we'll have a new set of tools that can be used to interact with Review Board, and a Python API that developers can use to talk to Review Board. Exciting stuff! Stay tuned.

For now, see the release notes for the full list of changes.

Where is Review Board 1.6?

Those paying close attention may have noticed we haven't released Review Board 1.6 yet. And you may have wondered what's holding the release up. Well, there are two main things.

First, some of our users have hit problems upgrading to Review Board 1.6 RC2 from previous 1.6 betas. This seems to be limited to some subset of our users, and it's not clear whether it's a bug on our end or not, but I want to understand the circumstances surrounding this problem before we perform the actual release.

Second, the 1.6 manual isn't finished yet. We try to fully update the manual before the release, but this does inevitably delay things. We're working on getting someone who can help out with documentation updates in the future, in order to speed up the releases.

Once we're satisfied with the above items, we'll do a release. In the meantime, if you're looking to start using 1.6 sooner, you certainly can! The RC 2 release is largely what we're shipping in 1.6, excluding a couple of small fixes. However, please do a test upgrade on a copy of the database to ensure you don't run into the problem above. And if you do run into it, let us know! More data will help us to solve this faster.

Review Board 1.6 RC2 released!

So.. close..

Review Board 1.6 RC2 is out the door and packed full of fixes, polish, and a few new features that snuck in.

Yes, we may have done a bit more in this release than we anticipated, but it's turned out really well, and will make for a strong final 1.6. We've fixed a number of usability problems (losing changes when leaving the page or accidentally canceling), added some great new features, improved the API, and fixed a good handful of bugs.

Some of the new features include:

  • File attachment drag-and-drop. Files can now be dragged and dropped onto the page and uploaded as either screenshots or file attachments. The UI for drag-and-drop has greatly improved.
  • Close descriptions. After discarding a review request or marking it as submitted, you can leave a description. You can use this to tell what revision it was committed in, or why the change was discarded. Up to you!
  • Confirmation before accidentally losing changes. Ever accidentally hit cancel or navigate away from a page when typing a new description? Now you'll be prompted before you lose what you worked on.

Those are a few of the user-facing improvements made, but there are many improvements for administrators as well, including HTTP Basic Auth support when accessing Git repositories, Perforce stunnel support, and better instructions when things go wrong (new Manual Updates pages).

For the full list, see the release notes.

We're frozen at this point for the final release. Only critical bug fixes will go in. Otherwise, we're working on docs, and should be done with the release soon. So if you're planning to upgrade to 1.6, please give RC2 a try, because it won't be much different from the final 1.6.
