What's New in Review Board

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).

These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs.

See the 1.6.19 and 1.7.15 release notes for more details on these releases.

We're up in Toronto today for the final day of the UCOSP Winter 2013 Sprint. Through UCOSP, we get to meet and work with bright and enthusiastic students pursuing careers in the software industry for a whole semester. Our students work on Review Board, building cool projects and getting a feel for what it's like in the industry. It's pretty awesome.

This semester, we have five new students: Allisa, Behzad, Edward, Elaine, and Natasha.

Allisa got into development at age 13 when she started writing custom maps for Neverwinter Nights. Now she's making it easy to do a security check of your Review Board installation to make sure you're safe from known configuration-related vulnerabilities.

Behzad got his start writing and modifying scripts for mIRC when he was 11. For this term, he's making our hidden trophy support less hidden by giving you a nice trophy case on your user page, showing every trophy you've earned. It'll even support the development of new types of trophies, even under extensions. (One may make the association between fish slaps and fish trophies?)

Edward's background was in systems engineering, until he found .NET and fell in love with programming. That led him toward going back for a CS degree. He's now taking a role on RBTools, adding some nice improvements. This includes extending 'rb patch' to be able to commit under the contributor's name (useful for open source projects) and adding a command to guide the setup of a new source tree.

Elaine used to want to be a writer, but found she liked writing code more than stories. She's working on an extension to help out when using checklists for code review.

Natasha got into CS after her first programming class in high school, because it fed her love of puzzles and problem solving. It also goes well with her coffee addiction. Her project's goal is to automatically suggest reviewers based on who has reviewed similar code in the past.

We were also joined by a former student yesterday, Yazan, who fixed a bug for us, and just generally hung around helping out.

UCOSP is a fantastic program, and we look forward to it every semester. We're super lucky to get such great students, and I'm really excited to see how far this new team will take the project.

Special thanks to Steven MacLeod and Mike Conley, our wonderful co-mentors who help make this happen every semester; UCOSP, who provide the opportunity for us to participate and meet such great students; and Mozilla, who provided the space for the sprint.

As we noted previously, there was a major Django security release announced. We're following that up with a new Review Board 1.7.14 release.

Along with updating to the latest Django release, we're also fixing a security issue in the API that affects those using access control on repositories and groups. It's possible to craft an API request that fetches reviews and some other information on review requests that shouldn't be accessible.

There's also support for Team accounts on Bitbucket, and a small handful of bug fixes.

See the release notes for more information.

The Django project just released an important security update that affects all Review Board 1.7.x servers, particularly public ones. It allows an attacker to perform a Denial-of-Service attack on the server through the authentication mechanism.

We recommend that everybody running a Review Board 1.7.x release immediately updates to Django 1.4.8. We will be putting out new releases of Review Board today, as well.

Please see the Django security announcement for more information.

Until now, we've been running two separate beta programs for PDF Review and "Review Board Enterprise". We've decided to merge these together into a single product that we're calling the "Review Board Power Pack."

The major features of the combined package are:

• Review PDF documents that are attached to review requests, commenting directly on the text, all in the browser with no extra plug-ins.
• GitHub Enterprise support.
• The ability to add capacity to your Review Board server by adding additional front-end servers.

Changes in the new preview

In addition to merging together the features of our two previous beta packages, there are some improvements and bug fixes for PDF Review in this release:

• The outline mode in the sidebar now shows the tree structure of the table of contents.
• When a document has a table of contents, the sidebar now allows switching between either the outline mode or the pages mode.
• Scrolling behavior when using the mouse wheel or touch-pad gestures has improved significantly, making it easier to get all the way to the bottom of the document.
• Non-PDF documents like .docx are no longer detected as PDF.
• When attaching a PDF file with drag-and-drop, you can now click on the thumbnail to jump to the review UI to preview the document.
• Several issues with PDF rendering have been fixed.
• A fair amount of visual design polish.

Getting the Power Pack

If you already signed up for the beta, you should have an email explaining how to install it (or upgrade from the first beta). If you haven’t signed up, but would like to participate, please fill out our sign-up form and we’ll be in touch.

Once we have a final release, these features will be available on RBCommons.com for our larger tiers.

Review Board 1.7.13 is released, and brings with it support for Beanstalk and Bitbucket Git.

Beanstalk is a code hosting and development service with support for Git and Subversion. It integrates with a variety of services and offers easy deployment to servers.

We had support for Bitbucket with Mercurial, but due to some missing API, we couldn't integrate with Git. That's been solved in 1.7.13, if you also use RBTools 0.5.2.

There's also a handful of other fixes and improvements in this release.

While you're upgrading, we recommend making some additional changes to your Apache configuration. See the updates on our guide to securing file attachments.

See the release notes for more information on what's in 1.7.13.

RBTools 0.5.2 is released, with a handful of new features and some nice fixes.

First off, along with the upcoming Review Board 1.7.13 release, you'll be able to post changes to Beanstalk and Bitbucket Git repositories. This should be helpful to a lot of you looking to use these services.

We've also made the tools a bit more friendly. The --help argument is back for all tools, and can be placed before or after the rbt sub-command (for example, rbt --help post or rbt post --help).

There's a new rbt get tool for scripts that want to talk more directly to our API, or those who want to experiment with the API without writing a script.

On top of all that, there's git-p4 support, improved Subversion support, and more.

See the release notes for the full list.

We're happy to announce a couple new releases of Review Board tonight.

Both 1.6.18 and 1.7.12 focus on further security lockdowns and fixes. We've had some great testing and reports from a couple of our very security-savvy users, and we'll be continuing to put out new releases as they find more.

Those running public installs should update, and should also read our guide on securing file attachments.

None of the issues found have been seen in the wild. We've also been in contact with administrators of some of the larger public Review Board installations about our findings. If you run a public install and would like to be kept informed of any new security updates, please let us know.

Now, that's not all that 1.7.12 brings. We also have some new improvements for extension writers that are helpful to those writing larger extensions. This is all in preparation for some major improvements coming in 1.8. There's also a few bug fixes, such as a much-requested fix to the "Show Whitespace Changes" toggle.

See the 1.6.18 and 1.7.12 release notes for more details.

Review Board 1.7.11 is released. It's a small release that just fixes a visual issue with the drop-down menus on IE9, and a compatibility issue with Python 2.5.

If you're primarily using non-IE browsers, and using something newer than Python 2.5, you don't need to upgrade to 1.7.11.

For those using Python 2.5, we recommend planning an upgrade to Python 2.7 soon. Review Board 1.8 will stop supporting Python 2.5, and 2.7 is your best bet for longer-term compatibility.

Release notes are available.

We have a pair of releases today for users of Review Board 1.6.x and 1.7.x. Both contain important security updates, and we recommend updating immediately.

This security vulnerability allows attackers to execute JavaScript under certain conditions. There are no known vulnerabilities in the wild. The latest 1.6.x and 1.7.x releases are susceptible to the flaw. We have released 1.6.x and 1.7.x updates. We recommend that all users upgrade their install to a modern release, particularly if you are running a version prior to 1.6.

Along with the security updates, Review Board 1.7.10 provides some new bug fixes, API enhancements (for comments and screenshots), and UI refinement.

See the 1.6.17 and 1.7.10 releases for more info.