New Review Board 2.0.29 and 2.5.13 security releases

Updated: We had a breaking bug in these packages, so we've put out 2.0.29.1 and 2.5.13.1 releases that fix it. You'll want to upgrade to these instead.

We have two new releases for you today, both fixing a security vulnerability discovered in-house that affects self-installed Review Board servers that make use of private repositories, invite-only review groups, or Local Sites. This vulnerability allowed a URL to be crafted that could expose portions of a diff commented on in other review requests. There are no known cases of this vulnerability being used in the wild.

This vulnerability affects all 2.0.x and 2.5.x releases. Older releases may also be impacted, but those still using 1.7.x or older should upgrade to 2.5.x to continue receiving security updates.

Both releases also now display additional help when encountering a Version Mismatch error page after an upgrade, which can occur when switching from one package installer (such as yum, pip, or easy_install) to another, or when upgrading the version of Python on the system.

Along with this, 2.5.13 now allows credentials to be specified in WebHook URLs, and 2.0.29 includes a performance optimization for the Diff Size column in the dashboard.

See the 2.0.29 and 2.5.13 release notes for more information and installation instructions.

Review Board 2.5.12 is out, fixing a regression in 2.5.11

We identified a pretty major regression in 2.5.11, and wanted to quickly get a follow-up release out for you. Some changes to our repository communication code resulted in a crash when forming an HTTP header used for several hosting services. This has been fixed, and things should work well once again.

We've also fixed an issue that could occur when sending e-mails for review requests that modify large numbers of files. We send an X-ReviewBoard-Diff-For header that lists the files, for filtering purposes, but some e-mail servers had issues with the length of this header. We've now capped its length to ensure e-mails are sent reliably.

It's a small release, but the release notes are available.

If you missed it, check out the 2.5.11 release notes for all the performance improvements, bug fixes, and features we shipped last night.

Review Board 2.5.11 is out, and it's fast!

We spent the past month going through Review Board and finding ways we could make the product faster and feel smoother. Posting and reviewing changes, being the sole purpose of the product, seemed like a pretty good place to start, so we got cracking.

Along the way, we've improved our support for LDAP, Perforce, and touchscreens, and fixed a handful of bugs.

Faster diff uploads

With today's release of Review Board 2.5.11, we've rewritten our diff parsers to be able to handle very large diffs (10 megabytes in size) in a second or two, using less memory in the process. This used to take a lot longer for some diffs. These performance benefits of course extend to smaller diffs as well.

If you're posting existing commits for review in the New Review Request page, you'll find that what used to take seconds is now nearly instantaneous. We've substantially cut down on the work needed here.

Using Perforce? We've changed how we're managing login sessions and fetching information about files in the repository. On larger Perforce installations, you'll see a huge performance benefit here.

A faster, smoother diff viewer

We've polished up the diff viewer, fixing a lot of perceived and actual performance problems. Large diffs that used to swamp the browser can now be viewed without problems. Resizing the window, which used to feel choppy in some browsers, is now silky-smooth.

Firefox users will especially notice an improvement here, as we've cut down on the work the browser needs to do in order to render the page.

Faster search indexing

Some nasty performance bugs in search indexing have been squashed. Indexes that used to take 30 minutes may now only take 2-5 minutes.

Fixed touchscreen support when reviewing changes

We've fixed a lot of bugs with our touchscreen support. Using an iPad or another tablet, you can now make comments spanning multiple lines of a diff, position and resize the comment dialog, and leave comments without triggering key bindings (oops).

And there's plenty more

  • Better support for Assembla repositories
  • Fixes for user lookups on LDAP
  • API improvements
  • Performance and usability enhancements in the dashboard
  • Fixes for regressions in the search field
  • Stability fixes for extensions and repository communication
  • Fixed issues upgrading from Review Board 1.7 or older

See the release notes for the entire list of changes, and let us know how the release is working out for you!

RBTools 0.7.10 is now out

Today's release of RBTools 0.7.10 brings some important compatibility fixes for macOS, Git, Subversion, Team Foundation Server, and ClearCase.

macOS and Browser Windows

macOS users who have upgraded to recent releases of Sierra lost the ability to run rbt post --open (to open the posted review request in a browser window) due to a Python/AppleScript bug. This is Python bug #30392, for those who are interested.

We've worked around this. Your default browser will work once again. Thanks to those who pointed this out!

There's also a whole new macOS installer coming that should actually work on all setups. We'll have this on the Downloads page once it gets a little more testing.

Git and Git-SVN

Git-SVN users should no longer encounter crashes when trying to post changes for review. That was pretty disruptive.

Git repositories with submodules containing pending changes no longer cause warnings about dirty repositories when posting changes. They're not included anyway, and just added to the confusion.

Crazy Subversion Diffs

If you had a line of code being deleted that happened to look like a diff header (say, --- XX (YY)), it could cause some code we have for fixing up diffs to get very confused. That, unfortunately, could lead to lines being excluded from the diff, breaking when you try viewing it in the diff viewer.

We've rewritten this code to be very careful about these lines. It won't get confused again.
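To show what "being careful about these lines" means in practice, here is an added example of a small unified-diff parser; it is not RBTools' own diff-fixing code. A deleted source line reading `--- XX (YY)` shows up in the diff as `---- XX (YY)`, which a prefix-only check mistakes for a Subversion file header. Instead of trusting the prefix, the parser tracks the line counts from each `@@ -a,b +c,d @@` hunk header: while a hunk still has lines outstanding, every line is hunk content. The sample diff and the file name `foo.txt` are constructed for the example.

```python
"""Parse a unified diff without mistaking removed lines for file headers.

Added example, not RBTools' code. A removed line whose content is
"--- XX (YY)" appears as "---- XX (YY)" and looks like an old-file header;
the hunk counts, not the prefix, decide what it is.
"""
import re
from dataclasses import dataclass, field

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


@dataclass
class FileDiff:
    old_name: str
    new_name: str
    removed: list = field(default_factory=list)
    added: list = field(default_factory=list)


def _header_name(line):
    # Subversion writes "--- path<TAB>(revision N)"; keep only the path.
    return line[4:].split("\t", 1)[0]


def parse_unified_diff(text):
    """Return one FileDiff per file, with removed/added line contents."""
    lines = text.splitlines()
    files = []
    current = None
    old_left = new_left = 0
    i = 0
    while i < len(lines):
        line = lines[i]
        if old_left > 0 or new_left > 0:
            # Inside a hunk the counts decide what a line is, not its prefix,
            # so "---- XX (YY)" here is a removed line, not a new file header.
            if line.startswith("\\"):
                pass  # "\ No newline at end of file" marker, not counted
            elif line.startswith("-"):
                old_left -= 1
                current.removed.append(line[1:])
            elif line.startswith("+"):
                new_left -= 1
                current.added.append(line[1:])
            elif line.startswith(" ") or line == "":
                old_left -= 1
                new_left -= 1
            else:
                raise ValueError("unexpected line inside hunk: %r" % line)
            i += 1
            continue

        m = HUNK_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hunk header before any file header")
            # A missing count (e.g. "@@ -1 +1 @@") means exactly one line.
            old_left = int(m.group(2)) if m.group(2) is not None else 1
            new_left = int(m.group(4)) if m.group(4) is not None else 1
            i += 1
            continue

        # Outside a hunk, a real file header is a "--- " line immediately
        # followed by a "+++ " line.
        if (line.startswith("--- ") and i + 1 < len(lines)
                and lines[i + 1].startswith("+++ ")):
            current = FileDiff(_header_name(line), _header_name(lines[i + 1]))
            files.append(current)
            i += 2
            continue

        # "Index:" lines, separator rules and anything else outside a hunk.
        i += 1
    return files


def naive_header_count(text):
    """Count lines that merely *look* like old-file headers by prefix alone."""
    return sum(1 for line in text.splitlines() if line.startswith("---"))


# Constructed Subversion-style diff: the deleted second line of foo.txt
# is literally "--- XX (YY)".
SAMPLE_DIFF = "\n".join([
    "Index: foo.txt",
    "=" * 67,
    "--- foo.txt\t(revision 5)",
    "+++ foo.txt\t(working copy)",
    "@@ -1,3 +1,2 @@",
    " first",
    "---- XX (YY)",
    " third",
])

if __name__ == "__main__":
    for fd in parse_unified_diff(SAMPLE_DIFF):
        print(fd.old_name, "removed:", fd.removed, "added:", fd.added)
    print("prefix-only header count:", naive_header_count(SAMPLE_DIFF))
```

On the sample, the count-driven parser finds one file with one removed line, while the prefix-only count reports two "headers", which is exactly the confusion that caused lines to drop out of the diff.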

Team Foundation Server and Visual Studio 2017

Team Foundation Server users who have upgraded to Visual Studio 2017 can once again post changes. TFS has had a nasty habit of changing their file formats, APIs, and command line options, but after much tearing out of the hair, we've restored compatibility.

All versions from Visual Studio 2011 onward should work just fine, so no need to upgrade to 2017 just to use this release.

We've also fixed a regression when using the Team Explorer Everywhere adapter.

ClearCase and Cross-Platform VOB Lookups

ClearCase users can now name their repositories in Review Board based on a component of a VOB path, instead of naming it based on the entire VOB path. This helps with the differences in how ClearCase represents VOB paths on different platforms. For instance, a VOB path of /vobs/MyVOB or C:\vobs\MyVOB will now match a repository name of MyVOB.

There are also some performance improvements for looking up VOBs.
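As an added illustration of the component-based matching described above (this is not RBTools' own lookup code), the following function accepts either a POSIX or a Windows VOB path, splits it on either separator after dropping any drive letter, and matches a configured repository by the full path first and by a single path component second. Matching case-insensitively, and preferring the deepest component when several match, are assumptions made for this example; the repository names are constructed.

```python
"""Match a ClearCase VOB path to a Review Board repository name.

Added example, not RBTools' code. Both "/vobs/MyVOB" and "C:\\vobs\\MyVOB"
resolve to a repository named "MyVOB"; a repository named with the full
path still wins when one exists.
"""
import re

_SEPARATORS = re.compile(r"[\\/]+")
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def vob_path_components(vob_path):
    """Split a VOB path into its components, ignoring separator style."""
    path = _DRIVE_PREFIX.sub("", vob_path.strip())
    return [part for part in _SEPARATORS.split(path) if part]


def find_repository(vob_path, repository_names):
    """Return the configured repository name matching vob_path, or None."""
    # Assumption: comparisons are case-insensitive, as on Windows.
    by_lower = {name.strip().lower(): name for name in repository_names}
    components = vob_path_components(vob_path)
    normalized = "/" + "/".join(components)

    # 1. Full-path match, either as written or in normalized POSIX form.
    for candidate in (vob_path.strip(), normalized):
        if candidate.lower() in by_lower:
            return by_lower[candidate.lower()]

    # 2. Single-component match, deepest component first (assumption).
    for component in reversed(components):
        if component.lower() in by_lower:
            return by_lower[component.lower()]
    return None


if __name__ == "__main__":
    repos = ["MyVOB", "/vobs/Legacy"]
    for path in ("/vobs/MyVOB", "C:\\vobs\\MyVOB", "/vobs/Legacy", "/vobs/Nope"):
        print(path, "->", find_repository(path, repos))
```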

And Other Such Things

There are improvements to the Python API, such as not prematurely exiting the process, plus compatibility fixes for Review Board 3.0. We've also added a new config option to disable certain warnings in RBTools, which would be especially useful for repository hook scripts.

For the complete list of changes, see the release notes.

To upgrade RBTools, visit the downloads page.

New Django 1.6.11.6 Security Releases

Django released a new set of security releases that protect against malicious redirect URLs when serving static media (on development servers) and when logging in. See their announcement for the details on the fixes.

We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.6 release that contains these two fixes.
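For readers who want to see what a "safe redirect" check has to guard against, here is an added example of such a validator. It is not Django's or Review Board's code, but it applies the same kind of rules a safe-URL helper needs: a target is accepted only if it is a relative path on this site or an absolute http(s) URL whose host is in an allow-list. Scheme-relative URLs (`//evil.example`), non-http schemes (`javascript:`), backslash variants that browsers read as slashes, and control characters are all rejected. The host names are constructed.

```python
"""Validate a user-supplied redirect target before sending a browser to it.

Added example, not Django's or Review Board's code. Used for a "next"
parameter on login or a static-file redirect, an unchecked target lets an
attacker craft a link that lands the user on another site.
"""
from urllib.parse import urlsplit


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True only if url stays on this site or on an allowed host."""
    if not url:
        return False
    # Browsers strip tab/newline and other control characters before
    # parsing, so "\tjavascript:..." would parse differently there than here.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    # Browsers treat "\" as "/", so "/\evil.example" becomes "//evil.example".
    # Both the raw and the normalised form must pass.
    return all(_is_safe_form(form, allowed_hosts, require_https)
               for form in (url, url.replace("\\", "/")))


def _is_safe_form(url, allowed_hosts, require_https):
    # "///host" is read by some browsers as "//host".
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # A scheme with no host ("javascript:...", "data:...") is never a page
    # on this site.
    if parts.scheme and not parts.netloc:
        return False
    # A scheme-relative URL inherits the page's scheme; treat it as http.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = ("https",) if require_https else ("http", "https")
    if scheme and scheme not in valid_schemes:
        return False
    return not parts.netloc or parts.netloc in allowed_hosts


def redirect_target(next_param, allowed_hosts, fallback="/"):
    """Return next_param if it is safe, otherwise the on-site fallback."""
    if is_safe_redirect(next_param, allowed_hosts):
        return next_param
    return fallback


if __name__ == "__main__":
    hosts = {"rb.example.com"}  # constructed allow-list
    for candidate in ("/r/42/", "//evil.example/", "/\\evil.example/",
                      "javascript:alert(1)", "https://rb.example.com/r/42/"):
        print("%-32r -> %r" % (candidate, redirect_target(candidate, hosts)))
```

The `require_https` switch is the conservative setting for a site served only over TLS: it rejects an otherwise allowed `http://` host so a login redirect can never downgrade the connection.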

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz

Or:

$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.

New Review Board 2.0.28 and 2.5.10 security/bug fix releases

We have two new releases for you today, focusing on a security fix, bug fixes, and compatibility improvements.

Security Fix

An XSS vulnerability was reported and patched today in the review request page. It allowed an attacker to craft a URL that would execute JavaScript on the user's behalf.

This vulnerability was publicly disclosed, so no CVE number has been assigned and no non-Python packages are currently available.

This affects Review Board 1.7.x, 2.0.x, 2.5.x, and the 3.0 beta 1. We are no longer providing any support for Review Board 1.7.x, and 3.0 beta 1 is not intended for any production use, so security releases are only available for 2.0.x and 2.5.x at this time.

To report security vulnerabilities, please file a security bug on our bug tracker. If you have a security patch to contribute, post it to https://reviews.reviewboard.org, addressed only to the "security" review group.

Compatibility Improvements

We've made some improvements to our Bazaar, Bitbucket, Mercurial, and Subversion support, improving compatibility across the board.

Our Bazaar support has been rewritten to avoid licensing and Python versioning issues. Mercurial was also susceptible to Python versioning issues.

Subversion diffs generated by IDEs such as WebStorm can now be parsed.

The Bitbucket support now uses their 2.0 API, which solves many of the random bugs and bad error reporting people have encountered in the past. This rewrite is only available for Review Board 2.5.10.

Better Move Detection

We've made a large number of improvements to move detection, helping to resolve issues with lots of overlapping or colliding moved ranges.

More updates for move detection, along with fixes for interdiffs and performance improvements for diff parsing and viewing, should be coming in the next 2.5.x release.

And More

See the full release notes for all the changes going into this release, along with upgrade instructions for 2.0.28.

Review Board 3.0 beta 1 is here!

The next generation of Review Board has arrived! Well, the beta, anyway.

Review Board 3.0 is being built to take the code review experience further, integrating with other tools and services you use (such as Slack), adding support for automated code reviews, and introducing new features to better craft quality reviews.

Let's dive into some of the features in Review Board 3.0 beta 1.

Third-Party Integrations (Hi Slack!)

Review Board 3.0 supports a new integrations model, allowing administrators to connect Review Board to other third-party tools and services. Integrations can have multiple configurations governed by rules, allowing you to, for instance, post changes/discussion from different groups to different Slack channels, or sending code changes on different repositories to different Continuous Integration services.

Beta 1 ships with Slack support! You can make as many Slack configurations as you like to help follow updates and discussions on your review request without having to check e-mail.

Slack Integration

We're working on adding integrations for HipChat, Asana, Travis CI, iDoneThis, and more for future releases.

Automated Code Review and Status Updates

Beta 1 introduces a new API for attaching status updates to a review request. These can be used to indicate whether automated checks (builds, lint checks, etc.) are in progress, have succeeded, or have failed (along with a review opening an issue for each failure). This helps take the load off of users, letting automated tools do more of the work.

Status Updates

Third-party services, extensions, or in-house scripts can use this API today. We'll be releasing updates to RBTools in the future to help record status updates from shell scripts.

We're also working toward an official release of Review Bot, an automated code review tool for Review Board that runs various command line linting tools to check your code for problems and reports them through the new API.

Improvements for Reviewers

General Comments

Beta 1 introduces General Comments, which are not tied to any file or line of code. You can file a General Comment about anything: Missing files, feedback about the review request's description, requests for screenshots, or anything else. Like other comments, these can open issues, ensuring your comment is resolved. General Comments can be added by clicking "Add Comment" on the review request or in the review dialog.

General Comments

Better File Attachment Navigation

When working your way through a large number of file attachments, it's annoying to have to go back to the review request each time to click the next thumbnail. Instead, the file attachment pages now have navigation buttons to the previous or next file attachment.

File Attachment Navigation

Uploaded Images in Comments

Ever review a UI or artwork change and want to show how you would do it? You can now drag-and-drop images right into the text field (if using Markdown). They'll upload to Review Board and become available in your comment.

This also works for other text fields, such as the review request description or in replies to reviews.

High-DPI Image Review

Working with High-DPI images, like @2x or @3x images? Review Board will now scale the image down during review, instead of presenting you with a gigantic image to look at. You can also change the zoom level for any image file, helping you see as much or as little as you want at once.

It also does a better job of showing other large images, giving you a scrollable area to look at instead of overflowing the page.

And So Much More!

  • Elasticsearch is now available as a search backend.
  • Users can upload their own avatars, instead of using Gravatars, and extensions can provide custom avatar backends.
  • Optional desktop notifications when there's new activity on any review requests you have opened in your browser.
  • Ownership of a review request can be re-assigned to another user.
  • The content of deleted files can now be viewed in the diff viewer.
  • User infoboxes (shown when hovering over a username) are cleaner and can be enhanced by extensions.
  • Pasting a review request URL in services like Slack now shows detailed information on the review request, including any uploaded screenshots.
  • Numerous enhancements for our API and extension capabilities.

That's still not everything. You can read through the complete list of changes in the release notes.

Installing 3.0 Beta 1

Want to give beta 1 a try? Great! You can install it by running:

$ sudo pip install \
    --trusted-host downloads.reviewboard.org \
    -f http://downloads.reviewboard.org/releases/Djblets/0.10/ \
    -f http://downloads.reviewboard.org/releases/ReviewBoard/3.0/ \
    -f http://downloads.reviewboard.org/releases/rbintegrations/0.5/ \
    --pre -U ReviewBoard

Or:

$ sudo easy_install \
    -f http://downloads.reviewboard.org/releases/Djblets/0.10/ \
    -f http://downloads.reviewboard.org/releases/ReviewBoard/3.0/ \
    -f http://downloads.reviewboard.org/releases/rbintegrations/0.5/ \
    -U ReviewBoard

Make sure you're deploying on a test server with a copy of your database in case anything goes wrong! You can't downgrade.

What's Next?

We're already working hard on features for Beta 2, including:

  • A new review experience, helping first-time users and making the review process smoother and more informative.
  • Some clever improvements to navigation in the diff viewer.
  • OAuth2 support, letting other services talk to Review Board on your behalf, safely.
  • Private review requests.
  • On-the-fly search indexing.
  • Many more integrations.

If you try Review Board 3.0 beta 1 and have any feedback, please reach out to us on the community support forum or our bug tracker.

Power Pack 1.4.3 is out, with numerous compatibility fixes

Power Pack 1.4.3 is out, with several important fixes and compatibility improvements for Microsoft Team Foundation Server, Visual Studio Team Services, PDF document review, Review Board compatibility, and more.

Visual Studio Team Services and Team Foundation Server

We've added new support for using Git repositories hosted on Visual Studio Team Services, for those of you who are moving off of TFS repositories or using Git alongside those repositories.

Using Team Foundation Server in your network? We've fixed some bugs with post-commit review (selecting an existing commit to put up for review), improved error information when authentication fails, and fixed *.snp files being mistakenly reported as binary files.

Better PDF Document Review

PDF document review received a handful of fixes for PDF compatibility. Along with this, we've fixed some CORS (Cross-Origin Resource Sharing) errors when hosting uploaded PDFs on a CDN while Review Board is in debug mode, and fixed the display of commented regions from a PDF in e-mails.

Licenses and Review Board Compatibility

User license management has received fixes as well. If a user previously added to your license is deleted from the database, it will no longer take up a seat in your license. If you have any stale deleted users in your license from before, you can now remove them without problems.

And finally, we've added compatibility for the in-development Review Board 3.0 release. Speaking of that, expect a beta very soon!

See the release notes for the full list of changes.

Ready to upgrade?

Just run:

$ pip install -U ReviewBoardPowerPack

Or:

$ easy_install -U ReviewBoardPowerPack

Restart your web server to complete the upgrade.

Review Board 2.0.27 and 2.5.9 are out!

We have two new Review Board releases for you today, containing some large bug fixes and a couple new features.

Last week, we released Review Board 2.0.26 and 2.5.8, which had quite a number of important bug fixes for the product. Unfortunately, some of those fixes regressed other features, and we didn't want to go too long without fixing those. Specifically, we broke support for API tokens and we unintentionally altered the ordering of comments in drafts from the API.

These releases fix both of these problems, along with a handful of other bugs we've fixed during the week:

  • Text selection in the diff viewer once again works properly on Firefox.
  • We've worked around a bug in Python's logging.exception() (fixed in Python 2.7.6) that resulted in crashes for users on older systems.
  • Extensions adding forms to the My Account page will no longer have problems setting the forms as invisible.
  • Bumped up our minimum required version of pytz, to fix compatibility issues on older systems.

Along with this, Review Board 2.5.9 adds a few new features:

  • Mercurial users can now browse and post existing commits in the New Review Request page (requires Mercurial 3.9 or higher).
  • Extension authors are now given the old status of a review request that's been reopened in the review_request_reopened signal.
  • API users can now view and query for inactive (disabled) users.

See the release notes for the full details and installation instructions.

Review Board 2.0.26 and 2.5.8 are out!

We have two new Review Board releases for you today, full of bug fixes, new features, and a security fix.

An Important Security Fix

Both the 2.0.x and 2.5.x series had a bug in one of our APIs that could overload a server. We weren't properly limiting the amount of data being fetched and serialized in one case.

While this doesn't result in any form of access to the system or leaked information from the database, it can cause crashes on the server. We recommend that everyone upgrades to 2.0.26 or 2.5.8 to prevent this problem.

Some New Features

Review Board 2.5.8 introduces a number of improvements for repository configuration:

  • We've made it easier to get started and resolve problems with Bitbucket repositories.
  • Self-hosted Gitorious servers are now supported.
  • Bug trackers on Codebase are now supported.
  • It's easier to set up repositories hosted on GitLab.com.

We've also made a few other improvements across the product:

  • E-mail addresses are accepted as usernames in the API. These were already accepted in the web UI.
  • Extensions can add content to review e-mails.
  • The "New Updates" dashboard column is now available on the All Review Requests page.

Lots of Bug Fixes

Both 2.0.26 and 2.5.8 contain many bug fixes for repository compatibility, the API, administrative settings, usability, and more.

The full details, plus installation/upgrade instructions, can be found in the release notes.
