Review Board 2.0.23/2.5.4 released with security fixes and more

We've just released two new versions of Review Board: 2.0.23 and 2.5.4. Both contain a number of bug fixes and other improvements, along with fixes for two small self-XSS vulnerabilities.

Security Fixes

The self-XSS vulnerabilities can cause a user to intentionally or unintentionally execute JavaScript code by crafting just the right kind of text in the review request or review dialog fields. These do not persist, cannot be triggered by external users, and cannot affect other users.

These were caused by a timing issue that resulted in user-entered text briefly being treated as safe HTML. A user is unlikely to hit this, and will most likely only hit it accidentally, but we recommend that everyone update to this release as a precaution.
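The defensive invariant behind this class of bug is that user-entered field text is escaped before it is ever tagged as trusted markup, and that only output produced by the application's own renderer carries that tag. The following is an added illustration of that invariant, not Review Board's code; the SafeHTML marker type, the render_* functions and the tiny bold-only "rich text" renderer are all constructed for the example.

```python
# Added example (not Review Board's code): escape-by-default rendering for
# user-entered review request fields. Plain text is always HTML-escaped; only
# output produced by our own renderer is tagged as trusted markup, so user
# text is never handed to the browser as "safe" HTML by mistake.
import html
import re


class SafeHTML(str):
    """Marker type: markup produced by trusted code, safe to insert as HTML."""


def render_plain_text(text):
    """Render user text as text: every HTML-significant character is escaped."""
    return SafeHTML(html.escape(text, quote=True))


# Hypothetical Markdown-like syntax: **bold** is the only markup supported.
_BOLD_RE = re.compile(r"\*\*(.+?)\*\*")


def render_rich_text(text):
    """Escape FIRST, then add markup.

    Because escaping happens before any tags are generated, the only tags in
    the output are the ones this function wrote itself.
    """
    escaped = html.escape(text, quote=True)
    return SafeHTML(_BOLD_RE.sub(r"<strong>\1</strong>", escaped))


def render_field(value, rich_text=False):
    """Return trusted HTML for a field value.

    A value that is already SafeHTML (produced by one of the renderers above)
    passes through unchanged; any other string is untrusted user text and is
    escaped, whether or not the field is a rich-text field.
    """
    if isinstance(value, SafeHTML):
        return value
    if rich_text:
        return render_rich_text(value)
    return render_plain_text(value)


def has_foreign_tags(rendered):
    """Check: does the output contain any tag our renderer did not write?"""
    tags = re.findall(r"<(/?\w+)", rendered)
    return any(tag.lower() not in ("strong", "/strong") for tag in tags)


# Constructed sample field values (not taken from any real review request).
SAMPLE_PLAIN = 'Fix <b>this</b> & check "that"'
SAMPLE_RICH = "**Needs work**: <i>see comments</i>"
```

The important design choice is that render_field never marks a bare str as safe: the only way a value enters the trusted path is by going through a renderer that escapes first, so there is no window in which raw field text can be mistaken for rendered output.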

Thanks to "Secfathy" for reporting the self-XSS in the review dialog! We take security seriously, so if you find a vulnerability, please report it responsibly!

New Additions and Fixes

Security fixes aside, we've made a number of improvements in both of these releases:

  • Support for JavaScript unit tests for extensions.
  • Settings for configuring the static media URL.
  • Support for using modern versions of stunnel with Perforce.
  • Compatibility fixes for Subversion with Beanstalk.
  • Stale cache fixes for Git diffs when changing the raw file URL mask.
  • Information on support options and the current active support contract (if any) in the administration dashboard.

Those are just a few of the improvements! See the release notes for the rest:

New Django and Djblets Security Releases

We have a new batch of security updates today.

Django

Django put out a few new security releases this morning that focus on fixing two security issues. The first fixes a flaw that allowed malicious URLs to be considered "safe" when they shouldn't be. The second hardens the method by which passwords are stored so that older accounts will gain the security benefits when they next log in.

See their announcement for more details.

We maintain security-hardened builds of Django 1.6.x, the version series we use for all currently-supported releases of Review Board. We have put out a 1.6.11.3 release containing these security fixes.

If you're using a modern pip, you can upgrade to this release by running:

pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz

Or:

easy_install -U https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz

Djblets

We received a security report last night detailing how an attacker could craft a URL to a user's dashboard (or other similar pages) with a column sorting identifier containing JavaScript code. If the user visited that URL and subsequently clicked that column, the code would execute.
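The standard mitigation for this kind of issue is to validate a column sorting identifier taken from the URL against the set of columns the datagrid actually defines, and to drop anything else before it is echoed into a link or passed to the database. The following is an added example of that allowlist check, not Djblets' code; the DASHBOARD_COLUMNS set, the "-column,column" sort syntax and the function names are constructed for the example.

```python
# Added example (not Djblets' code): validating a datagrid's ?sort= parameter
# against the grid's known column identifiers before it is used anywhere.
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Column identifiers a hypothetical dashboard datagrid knows about (constructed).
DASHBOARD_COLUMNS = {"summary", "submitter", "last_updated", "ship_it"}


def parse_sort_param(sort_value, allowed_columns):
    """Parse a comma-separated sort string such as "-last_updated,submitter".

    Each entry is an optional "-" (descending) followed by a column id. Any
    entry that is not exactly an allowed column id is dropped, so unknown
    identifiers are never echoed back into the page or passed to a query.
    Returns a list of (column, descending) tuples.
    """
    result = []
    seen = set()
    for raw in sort_value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        descending = raw.startswith("-")
        column = raw[1:] if descending else raw
        if column not in allowed_columns or column in seen:
            continue
        seen.add(column)
        result.append((column, descending))
    return result


def sort_param_from_url(url, allowed_columns):
    """Extract and validate the sort parameter from a full dashboard URL."""
    query = parse_qs(urlparse(url).query)
    return parse_sort_param(query.get("sort", [""])[0], allowed_columns)


def build_sort_link(base_path, sort_spec):
    """Rebuild the validated sort string and emit an escaped link.

    Because sort_spec only ever contains allowed ids, the href cannot carry
    attacker-controlled text; the HTML escaping is a second line of defence.
    """
    value = ",".join(("-" if desc else "") + col for col, desc in sort_spec)
    href = base_path + "?" + urlencode({"sort": value})
    return '<a href="%s">Sort</a>' % html.escape(href, quote=True)
```

Note that the check is an exact match against known identifiers rather than a pattern-based filter: there is no need to reason about what characters a malicious identifier might contain when anything outside the allowlist is simply discarded.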

We immediately fixed this and prepared new releases of Djblets, which you'll want to install depending on your version of Review Board:

If you're running a modern version of pip, you can upgrade Djblets by running:

pip install Djblets==<version>

Or you can upgrade with:

easy_install Djblets==<version>

You can also verify the signatures of the builds against our PGP key, to confirm authenticity.

Thanks to Jose Carlos Exposito Bueno (0xlabs) for reporting this!

New Review Board 1.7.29/2.0.22/2.5.3 security releases

We have three new major Review Board releases for you today. Each of these has a mixture of bug fixes and feature additions for users, administrators, and extension authors alike. However, they also have security fixes for a vulnerability we discovered with private review requests.

Security Fixes

We discovered a vulnerability where a user with access to a review request can craft URLs to view file attachments, legacy screenshots, or metadata on review request updates for review requests that are private (those using invite-only review groups, private repositories, or Local Site server partitioning). This either requires knowledge of the specific database IDs from those review requests, or requires brute-forcing a range of IDs to scan for content.

If you don't use private review requests on your server, you have nothing to worry about, but we still recommend updating anyway.
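The general fix for this class of bug is an object-level authorization check: every object fetched by database ID is checked against the user's access to the review request that owns it, and a missing ID and an inaccessible one produce the same response, so walking a range of IDs reveals nothing. The following is an added example of that pattern, not Review Board's code; the User, ReviewRequest and FileAttachment classes are a constructed stand-in model (real Review Board models are Django models), and is_accessible_by is implemented here only for invite-only review groups.

```python
# Added example (not Review Board's code): object-level authorization for
# objects looked up by database ID. A missing ID and an inaccessible object
# are answered identically so that scanning an ID range leaks nothing.
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)


@dataclass
class ReviewRequest:
    id: int
    # Names of invite-only review groups that gate access (constructed model;
    # private repositories and Local Sites are left out for brevity).
    invite_only_groups: set = field(default_factory=set)

    def is_accessible_by(self, user):
        """Accessible if not restricted, or if the user is in a gating group."""
        if not self.invite_only_groups:
            return True
        return bool(self.invite_only_groups & user.groups)


@dataclass
class FileAttachment:
    id: int
    review_request: ReviewRequest
    filename: str


class NotFound(Exception):
    """Raised for unknown IDs and inaccessible objects alike (same response)."""


def get_attachment_for_user(attachments, attachment_id, user):
    """Look up an attachment by ID and enforce the owning request's access rule."""
    attachment = attachments.get(attachment_id)
    if attachment is None or not attachment.review_request.is_accessible_by(user):
        # Deliberately indistinguishable from a non-existent ID.
        raise NotFound()
    return attachment


def fetch_status(attachments, attachment_id, user):
    """The externally visible outcome of a fetch: "ok" or "not found"."""
    try:
        get_attachment_for_user(attachments, attachment_id, user)
        return "ok"
    except NotFound:
        return "not found"


def accessible_ids(attachments, id_range, user):
    """IDs in a range that resolve for this user; everything else is opaque."""
    return [i for i in id_range if fetch_status(attachments, i, user) == "ok"]


# Constructed sample data (not from any real server).
PUBLIC_REQUEST = ReviewRequest(id=1)
PRIVATE_REQUEST = ReviewRequest(id=2, invite_only_groups={"security"})
ATTACHMENTS = {
    10: FileAttachment(10, PUBLIC_REQUEST, "design.png"),
    11: FileAttachment(11, PRIVATE_REQUEST, "incident-notes.txt"),
}
ALICE = User("alice", {"security"})
BOB = User("bob")
```

The check lives in the lookup function rather than in each view, so a new view that serves attachments, screenshots or update metadata by ID cannot forget it; returning "not found" rather than "forbidden" for inaccessible objects is what stops the ID range itself from leaking which private review requests exist.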

Also, while not a vulnerability, it's important to note that if you're an extension author writing JavaScript-side extensions, any extension settings are provided client-side to your JavaScript code. We recently learned of a case where this caused some problems, so we've given extension authors more control here. More on that below.

If you run a public Review Board server, and want to be on a pre-notification list for security vulnerabilities, please contact us.

New Additions and Fixes

We've put some small feature additions into 2.0.22 and 2.5.3:

  • Extension authors writing JavaScript-side code can now control what settings data is passed to the client by overriding JSExtension.get_settings. By default, this returns all the extension's settings, but you can return whatever you like here.
  • We've improved error feedback when things go wrong while posting a diff using rbt post.
  • Mobile styles have had some tweaks for better display on certain pages.
  • You can now use memcached servers listening over UNIX sockets.
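Overriding JSExtension.get_settings is the way to keep server-only values such as API tokens out of the JavaScript delivered to every user's browser. The following is an added example of that override, not Review Board's code: the Extension and JSExtension classes below are stand-ins that model only the default behaviour described above (all settings returned) so the example runs on its own, and the CIStatusJSExtension subclass, its setting names and the EXAMPLE_SETTINGS values are all constructed. In a real extension you would subclass reviewboard.extensions.base.JSExtension instead.

```python
# Added example (not Review Board's code): a JS extension that limits which of
# its settings reach the browser. Extension and JSExtension are stand-ins
# modelling the default behaviour (every setting is passed to the client).
import json


class Extension:
    """Stand-in for the server-side extension: holds all stored settings."""

    def __init__(self, settings):
        self.settings = dict(settings)


class JSExtension:
    """Stand-in base class: by default every setting is sent to the client."""

    def __init__(self, extension):
        self.extension = extension

    def get_settings(self):
        return self.extension.settings


class CIStatusJSExtension(JSExtension):
    """Hypothetical extension: only the keys the client-side code needs."""

    # Explicit allowlist of settings the browser is permitted to see.
    CLIENT_SETTINGS = ("ci_server_url", "poll_interval_secs")

    def get_settings(self):
        settings = self.extension.settings
        return {key: settings[key] for key in self.CLIENT_SETTINGS if key in settings}


def render_settings_script(js_extension):
    """The JSON that would be embedded in the page for this JS extension."""
    return json.dumps(js_extension.get_settings(), sort_keys=True)


def leaked_keys(js_extension, secret_keys):
    """Check: which of the named secret keys would reach the client?"""
    return sorted(set(js_extension.get_settings()) & set(secret_keys))


# Constructed settings: the API token must never leave the server.
EXAMPLE_SETTINGS = {
    "ci_server_url": "https://ci.example.com",
    "poll_interval_secs": 30,
    "ci_api_token": "PLACEHOLDER-NOT-A-REAL-TOKEN",
}
SECRET_KEYS = ("ci_api_token",)
```

Using an allowlist of client-visible keys, rather than deleting known-secret keys from the full dict, means a setting added later to the extension stays server-side until someone decides the browser needs it.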

And some bug fixes:

  • "Are you sure want to leave the page?" confirmations should no longer appear on Firefox if you haven't actually changed anything.
  • Legacy screenshots from older releases should now display just fine on 2.5.3.
  • Webhooks containing diff payloads aren't so broken on 2.5.3.

There's more, and we also have some backported bug fixes and feature changes for 1.7.29. (This will likely be the last 1.7.x release.)

See the release notes for more information:

Announcing Power Pack 1.4 for Review Board and Bitnami

We're here today with an all-new release of Power Pack. Power Pack provides PDF document review and management reporting capabilities, along with support for GitHub Enterprise, Microsoft Team Foundation Server, and improved multi-server scalability.

This release makes it easier for new users to get started with Power Pack, and gives administrators more control over the Power Pack features available on their system. It's available today for Review Board and, for the first time ever, comes pre-installed when you download from Bitnami.

Get started without a license

Power Pack no longer needs a license to run. Instead, when you first install Power Pack, it'll be immediately available for up to two users of your choice.

This gives you time to try out Power Pack and get it set up before downloading a license for a server-wide 30 day trial. Once that trial runs out, Power Pack will continue working for up to two users.

Automate license management and configuration

If you've automated deployment of production and test servers, you'll love our new management commands for working with licenses and configuration.

Power Pack now offers new commands for configuring license settings, adding users to the license, and removing users from the license. You can take advantage of these in any automated deployments to help you get up and running faster.

Lock down your Power Pack features

Your Power Pack license covers all the features we offer, but if you need to turn some of them off, we've got you covered.

The Power Pack configuration page now shows you a list of all features enabled by your license. You can disable any of these to turn off that functionality, and re-enable when you want it back.

Now available with Bitnami

Review Board has been part of the Bitnami family of products for a long time. Bitnami makes it easy to get going quickly with Review Board on Windows or Linux through dedicated installers, virtual machines, and Docker containers.

Today, we're happy to announce that Bitnami now bundles Power Pack with Review Board. You can read the announcement or download today! You can also spin up a free 1-hour demo in the cloud with just a few clicks.

If you use Review Board on Bitnami, please leave a review. We'd love to hear how things went!

Get it today!

Power Pack 1.4 is out now! You can read our release notes for the full details, or install or upgrade to it at any time.

After your trial, if you're ready to buy, head over to our purchase page. We'll help you get a license that's right for you.

Hitting a problem? Have a feature you want to see included? Let us know!

Review Board 2.0.21 is out!

We have another release for you today. Review Board 2.0.21 is out, adding support for Assembla repositories (already available in 2.5), e-mail improvements, extension enhancements, and several bug fixes.

Many of these enhancements and fixes were backported from 2.5. For example, e-mails will now show "Fix it, then Ship It!" if a reviewer submits a "Ship It!" review with issues opened.

Extension authors now have more control over the display of fields added to a review request, and can tap into the review request approval states in JavaScript (especially useful when defining custom approval hooks).

There are several bug fixes you'll also enjoy:

  • Viewing an interdiff containing a draft diff and then updating that draft diff no longer shows the old interdiff.
  • Updating a review request when it and another review request depend on each other no longer results in errors.
  • Commits against a local GitLab server no longer fail to post.
  • Default reviewers are now applied when posting an existing commit for review on the New Review Request page.
  • Database upgrades from older versions of Review Board should now work consistently.

There are also numerous visual improvements and other small fixes here and there. Check out the release notes for more details.

Please note that in order to upgrade to 2.0.21, you must do:

$ pip install ReviewBoard==2.0.21

or:

$ easy_install ReviewBoard==2.0.21

If you don't specify a version, you'll get the latest 2.5.2 release instead.

Don't forget to upgrade to our Django 1.6.x security updates build. This can't be done automatically just yet. See our announcement for more information.

Review Board 2.5.2 is out!

Review Board 2.5.2 has been released for your downloading pleasure, featuring a couple feature changes and several bug fixes for e-mail, image/PDF review, GitLab, webhooks, and more.

First off, we've made it easier for administrators to figure out how to set up GitHub Enterprise and Microsoft Team Foundation Server repositories. These require an installation of Power Pack, but that wasn't immediately obvious to those unfamiliar with that option. Now, both GitHub Enterprise and TFS are always listed when configuring a repository, and if Power Pack is not installed, it will point administrators in the right direction.

We've also fixed:

  • Issues upgrading from certain older releases.
  • Missing "Ship It!" and "Fix it, then Ship It!" indicators in review e-mails.
  • Payload errors for comments on review replies in webhooks.
  • Problems posting existing commits on self-hosted GitLab repositories.
  • Interaction and performance issues with moving draft comment regions on images and PDFs.
  • Compatibility issues with current releases of Power Pack when it comes to clicking on comment regions on PDFs.
  • Inability to double-click to select text in a diff.
  • Bad output and annoying (but harmless) crashes when running the condensediffs management command, used to reduce database size.

See the release notes for more details.

As a reminder, you should also install our build for the latest Django 1.6.x security updates. See our announcement for more information on this.

New Django 1.6.11.2 security releases

Today, Django released new security patches for 1.7.x, 1.8.x, and 1.9. These fix a possible settings leak in the date template filter, enabling a user to steal settings like a database password if they're able to construct their own date format string.

We've put out a corresponding 1.6.11.2 release, which backports this fix to the version of Django used by Review Board 1.7.x through 2.5.x. While this vulnerability does not affect Review Board, we nevertheless suggest that you upgrade.

The latest security releases can always be downloaded here. We announce new releases on our Official Announcements mailing list and on our community support forum.

To upgrade to Django 1.6.11.2, you can run:

$ sudo easy_install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

or, using pip:

$ sudo pip install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in Review Board. We are working on a solution for this. However, for now, it will be up to you to handle this.

For information on what's in this security release, see Django's announcement.

Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also reached end of life. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.

Review Board 2.5.1 is out!

Last week's release of Review Board 2.5.1 was a huge hit, and we've had a lot of people quickly upgrading to try out all our new features. If you haven't had a chance to see the release yet, check out our video introduction.

However, it wasn't a perfect release, and many of our Python 2.6 users noted that summaries were no longer showing in the dashboard, due to a compatibility issue introduced in 2.5. We've addressed this and several other issues in today's release of 2.5.1.

Along with the bug fixes, we've made improvements to diff display and for posting new commits for review.

You can see the full list of changes in the release notes.

Thanks to everyone for testing the release, sharing it with others, and providing great feedback!

Updated November 3, 2015 23:40 PST: We've released 2.5.1.1, which temporarily reverts the new feature from 2.5.1 for including branch information in posted commits, due to some breakages that resulted.

Review Board 2.5 is here!

We are proud to announce the immediate availability of Review Board 2.5. You’ve helped make Review Board a hugely popular tool, with hundreds of thousands of users worldwide, and we think you’re going to love 2.5!

We really pushed ourselves to improve the tool’s extensibility, to give you even more ways to make Review Board a reliable, hassle-free part of your workflow. We’ve incorporated feedback from our users around things like mobile support, improved collaboration capabilities and usability improvements that make developers’ jobs easier.

Here are some of the highlights:

Productivity Boosters

  • A cleaner, more polished look and feel

    A cleaner Review Board is a friendlier Review Board. We've removed a lot of the noise and cruft, and helped bring your attention to what matters most.

  • Work on the go with new mobile support

    On a train? Out to lunch? No problem! Review Board 2.5 is mobile-friendly, so developers can contribute to reviews while away from their desk.

  • Review faster with Expandable Diff Fragments

    Instantly see more context for a comment. One click expands the diff right in the review.

  • Stay focused by muting and archiving review requests

    For all the Inbox Zero types, you can now archive old review requests and mute any that don’t require your attention.

  • Auto-version and diff your file attachments

    Just upload a new version of an attachment and Review Board will track its version, letting everyone see all the changes made. Images and text-based attachments can even be diffed!

  • See more at a glance with Live HD Thumbnails

    Hover over file attachment thumbnails and watch as more of it scrolls into view, giving you a better picture of what's in the file.

Integrations to Power Your Workflow

  • Share your credentials securely with API Tokens

    Third-party tools/services and custom scripts can now securely log in as a Review Board user. No need to give out passwords, and the access can be tightly restricted. This paves the way for future integrations with things like third-party automated code review services.

  • Hook into other services with Webhooks

    Review Board 2.5 can notify other services, such as collaboration and CI tools, in a format they understand when posting or updating review requests and reviews.

  • Deeper integration with bug trackers

    Connecting your JIRA, Bugzilla, or GitHub bug trackers to Review Board lets you see more detail about the bugs on your review requests.

You can see some of this in action by watching the video below:

For the entire list of changes, see the release notes.

Tell Your Friends!

We hope you're as excited about 2.5 as we are! Want to help us spread the word over Twitter or Facebook? We've even prepared a little something you can start with:

Looking forward to using @ReviewBoard 2.5’s new UI, mobile support, webhooks, and more! http://bit.ly/1MUZPv2 #devops

You can also find the announcement on Hacker News and Reddit.

Some Thoughts From Our Beta Users

"As both a heavy Review Board user and a contributor, I’m very excited about release 2.5," said Stephen Gallagher of the Fedora Project. "The Beanbag team and entire Review Board upstream open source project exemplify all the ideals of the open source movement: agility, collaboration and community. The interface improvements in 2.5 really make Review Board feel like a tool for today’s developer. And as I’m increasingly away from my desk, mobile support to keep up with reviews on the go is critical."

Griffin Myers, a developer with a leading maker of high performance signal processing applications, added "Review Board is an indispensable part of our development process. It helps increase collaboration within our team, improves code quality, and provides a pathway for new team members to become assimilated with a large existing code base. The Beanbag team has cultivated an active user community and is incredibly responsive to, and receptive of, user feedback. I’m most excited about 2.5’s restyled UI, improved mobile support, and expandable diff fragments. We also love the enhancements to Markdown rendering, e-mail and dashboard management, all of which have their roots in user requests."

RBTools 0.7.5 is here!

RBTools 0.7.5 is now out and ready to install.

This is largely a bug fix release, focusing in part on improved compatibility with Windows, Git, Subversion, Mercurial, Perforce, and Team Foundation Server.

On Windows, RBTools will now first look in %HOME% to find any custom .reviewboardrc files, instead of only looking in the Application Data directory, which will be quite helpful with many system configurations. There are also fixes for using Mercurial on Windows.

Non-Git user? You've probably seen that annoying but harmless command not found: git error when posting a change. That's gone now!

For Perforce users, posting submitted changes or files outside of the client view now works. This had regressed in an earlier release, but you should be in good shape now.

Subversion has seen some more Unicode fixes, plus fixes for rbt post --svn-show-copies-as-adds.

Along with all this, we've added a new feature for setting a custom search path for .reviewboardrc. You can set your $RBTOOLS_CONFIG_PATH to a list of paths to search, allowing you to make your version in $HOME take precedence over what's in your repository, and allowing you to work with centralized collections of aliases in your organization.

See the release notes for the complete list of changes.

One more thing: We've simplified installation for those of you using pip to install. Our builds are now directly hosted on PyPI, meaning all you now need to do to upgrade is run:

$ pip install -U RBTools