Review Board 4.0.2 and 3.0.24: Security and Bug Fixes

Today's releases of Review Board 3.0.24 and 4.0.2 fix a handful of bugs and one security issue, and introduce support for defining the URL protocols considered safe in Markdown text.

Security Fix for Markdown Review UI

An attacker could post a Markdown document for review containing malicious links that, when clicked, invoked JavaScript code. We fixed a similar issue in 3.0.21, but this one is specific to the Markdown Review UI.

Though this is a pretty small attack vector, we do strongly recommend that everyone upgrades as a precaution.

Custom URL Protocols

Administrators can now set a list of URL protocols (like eclipse://, ftp://, gopher://, etc.) they consider safe for their environment by modifying conf/settings_local.py. Links using these protocols will then be preserved when rendering Markdown. For example:

ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']
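To show what such an allowlist has to do to actually stop the javascript: links described above, here is an added stand-alone example (not Review Board's own implementation). It assumes an illustrative default set of safe protocols (http, https, mailto), uses a simplified [text](url) matcher instead of a real Markdown parser, and treats the ALLOWED_MARKDOWN_URL_PROTOCOLS list as a constructed stand-in for the real setting. The important detail is normalizing the scheme the way a browser does (case-insensitive, ASCII control characters and whitespace discarded) before comparing it against the allowlist.

```python
import re

# Constructed stand-in for the conf/settings_local.py setting shown above;
# a real deployment would read it from Django settings.
ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']

# Protocols treated as safe even without admin configuration. This set is an
# assumption for this example, not Review Board's actual default list.
DEFAULT_SAFE_PROTOCOLS = frozenset(['http', 'https', 'mailto'])

# Browsers discard ASCII control characters and whitespace before reading a
# URL's scheme, so "java\tscript:alert(1)" still executes. Strip them the same
# way (for scheme detection only) so the allowlist sees what the browser sees.
_CONTROL_CHARS = re.compile(r'[\x00-\x20\x7f]')
_SCHEME_RE = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*):')
_MD_LINK_RE = re.compile(r'\[([^\]]*)\]\(([^)]*)\)')  # simplified [text](url)


def url_protocol(url):
    """Return the lowercased scheme of url, or None for a relative link."""
    m = _SCHEME_RE.match(_CONTROL_CHARS.sub('', url))
    return m.group(1).lower() if m else None


def is_safe_link(url, extra_protocols=ALLOWED_MARKDOWN_URL_PROTOCOLS):
    """Allowlist check: relative links and allowlisted schemes pass; anything
    else (javascript:, data:, vbscript:, unknown handlers) is rejected.
    A denylist of known-bad schemes would miss the next one."""
    proto = url_protocol(url)
    if proto is None:
        return True  # resolved against the site itself; no scheme to abuse
    allowed = DEFAULT_SAFE_PROTOCOLS | {p.lower() for p in extra_protocols}
    return proto in allowed


def strip_unsafe_links(markdown_text, extra_protocols=ALLOWED_MARKDOWN_URL_PROTOCOLS):
    """Replace each unsafe [text](url) link with its plain text, keeping the
    safe ones untouched."""
    def _replace(m):
        text, url = m.group(1), m.group(2)
        return m.group(0) if is_safe_link(url, extra_protocols) else text
    return _MD_LINK_RE.sub(_replace, markdown_text)


# Constructed sample review text: one safe default link, one admin-allowlisted
# link, and one javascript: link with mixed case and percent-encoded parens.
SAMPLE = ('See [docs](https://example.com/docs), [open](eclipse://open?file=x) '
          'and [run](JavaScript:alert%281%29).')

if __name__ == '__main__':
    print(strip_unsafe_links(SAMPLE))
```

Removing the allowlisted protocols (an empty extra list) makes eclipse:// links fall back to plain text as well, which is the behaviour an administrator gets before adding the setting.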

Bug Fixes

There are also fixes for:

  • Marking session and CSRF cookies as secure
  • Handling Subversion diffs with (nonexistent) revisions
  • Markdown rendering of e-mail addresses
  • Connecting to GitLab (in Review Board 4.0.2)

See the 3.0.24 release notes and 4.0.2 release notes for the full lists of changes.

Note: If you're upgrading to 3.0.24, please follow the installation instructions in the release notes so you don't end up on 4.0.2.

Review Board 3.0.21 and 4.0 RC 2: Security Fixes, Bug Fixes, and Docker

Review Board 3.0.21 and 4.0 RC 2 are out. These releases fix a security vulnerability, along with other bug fixes.

3.0.21 also introduces Docker support.

Security Fix

Both releases fix an XSS vulnerability in Markdown rendering, which could allow an attacker to craft a link that executes arbitrary JavaScript code when clicked.

The attacker would need to be someone who already has legitimate access to your server, and can perform reviews or otherwise access your code.

We recommend that everyone (especially those running public servers) upgrades to address this vulnerability, though the seriousness of the issue will vary from company to company.

Docker Support

Review Board 3.0.21 ships with new Docker support, helping you set up and deploy servers quickly without needing to manually install anything.

This support is still young. If you hit any issues, please report them to us.

Going forward, all Review Board 3.x and higher releases will include Docker images.

Compatibility and Bug Fixes

Both releases fix installation issues on Python 2.7, along with a handful of bug fixes and improvements.

See the 3.0.21 release notes and 4.0 RC 2 release notes for the full lists of changes.

New Django 1.6.11.9 Security Releases

Django released versions 2.2.13 and 3.0.7 today, fixing a couple of security issues. You can see their announcement for the issues addressed.

We maintain security-hardened builds of Django 1.6.11, the version series we use for Review Board 2.0 through 3.0. We've put out a new Django 1.6.11.9 release that contains these fixes.

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.9.tar.gz

Or:

$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.9.tar.gz

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list, joining our Subreddit, or following us on Twitter.

New Django 1.6.11.8 Security Releases

Django released the versions 2.2.4, 2.1.11, and 1.11.23 today, fixing a handful of security issues. You can see their announcement for the list of issues addressed.

We maintain security-hardened builds of Django 1.6.11, the version series we use for Review Board 2.0 through 3.0. We've put out a new Django 1.6.11.8 release that contains these fixes, plus some additional backports from newer releases.

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.8.tar.gz

Or:

$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.8.tar.gz

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list, joining our Subreddit, or following us on Twitter.

Review Board 3.0.11 and 2.5.18 Security and Bug Fix Releases

Today's release of Review Board 3.0.11 features a security fix in the API, compatibility with modern Bitbucket WebHooks, and other improvements. We've also put out an accompanying 2.5.18 security release, for those who haven't yet upgraded to 3.0.

Diff Validation Security Fix

The Diff Validation API allowed for private repositories to be specified when validating a new diff. This did not leak any file contents whatsoever, but could expose whether a particular file at a revision did or did not exist, or whether an uploaded patch could be applied against those files.

This is only an issue for servers making use of private repositories, and it does not apply to Local Site access control. Still, we recommend that everyone updates to this release.

Modern Bitbucket WebHooks

Bitbucket removed support for their legacy WebHooks, which broke Review Board's ability to auto-close review requests when commits are pushed.

The 3.0.11 release adds compatibility with the newer WebHooks. Follow the instructions to re-add any hooks you had set before in Bitbucket.

Other Fixes and Improvements

  • Repository names can now be up to 255 characters long, giving you enough room to generate names based on URLs or some other identifier
  • Errors finding the GitLab API version (usually caused by domain resolution or SSL certificate trust issues) now contain enough information to help you locate the real problem
  • Fixed crashes with sending WebHook payloads when certain data types were involved

See the Review Board 3.0.11 and 2.5.18 release notes for the full list of changes.

Review Board 3.0.10: Security and bug fixes

Security fixes

Review Board 3.0.10 addresses a security vulnerability found in-house that could allow for malicious JavaScript from a user profile to execute when rendering avatars. This bug was originally introduced in 3.0.7 and does not affect any prior releases.

Although there are no known exploits found in the wild, we do recommend that everyone upgrades to this release.

Plus several bug fixes, including

  • A regression introduced in 3.0.9 with sending WebHooks
  • An upgrade bug that could occur when upgrading to 3.0.x for the first time
  • Conflicts between extensions when installing or upgrading multiple ones at a time
  • URLs not always linking in comments and text fields

And other improvements

  • The New Review Request page confirms that you want to post commits for review, in case you click the wrong thing
  • Review request e-mails now show the branch information

That's not all. Check out the release notes for the rest of the changes.

New Django 1.6.11.7 Security Releases

Django released a new set of security releases that address denial-of-service issues: certain strings passed to a few functions used for building URLs and truncating content could consume enough resources to swamp a server. See their announcement for the details on the fixes.

We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 3.0. We've put out a new Django 1.6.11.7 release that contains these fixes.

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.7.tar.gz

Or:

$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.7.tar.gz

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list, joining our Subreddit, or following us on Twitter.

New Review Board 2.0.30 and 2.5.14 security/bug fix releases

We have two new releases for you today, both fixing two previously undisclosed security bugs, along with other bug fixes and feature enhancements.

Security fixes

We discovered an information leak in one of our APIs, allowing a request to be crafted that would reveal some details of review requests otherwise intended to be private. This affects you if you use invite-only review groups or private repositories for access control.

We were also informed of an XSS vulnerability allowing a particular URL to be crafted that would execute JavaScript on your user's behalf.

Both of these issues have been fixed, and additional unit tests have been added to ensure these never regress. We recommend that everyone upgrade to this release at their earliest convenience.

If you locate a security problem in Review Board, please contact security@beanbaginc.com, or file a bug and choose "Security issue".

New Markdown table support

Review Board 2.5.14 introduces support for GitHub-Flavored Markdown tables. You can now provide tabular data in review request descriptions or in comments.

Commit IDs are now searchable

If you're running Review Board 2.5.14 and have search enabled, you'll now be able to search for review requests based on their commit ID, which is useful if you're using Git or Bitbucket.

This will require a full re-index after upgrade.

And a handful of other fixes in 2.5.14

  • Keyboard navigation in the diff viewer should no longer get stuck or fail to navigate to file headers.
  • A regression in extension building/packaging when using LessCSS and UglifyJS has been fixed.
  • Failure to load files from a repository when viewing diffs no longer results in huge entries in the log files.
  • Sending test e-mails should now properly report any errors that come up when communicating with the mail server.
  • The styling for buttons on Firefox should now be more consistent.

See the 2.0.30 and 2.5.14 release notes for more information on the release, along with upgrade instructions.

New Django 1.6.11.6 Security Releases

Django released a new set of security releases that protect against malicious redirect URLs when serving static media (on development servers) and when logging in. See their announcement for the details on the fixes.

We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.6 release that contains these two fixes.

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz

Or:

$ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.

New Django 1.6.11.5 Security Releases

Earlier today, Django released a new set of security releases that address issues when running unit tests against Oracle databases and when running a Django-based application when setting DEBUG = True and ALLOWED_HOSTS = [] in a server's settings file.

Review Board should not be impacted by the Oracle issue (which would not occur in production), and we don't recommend running with DEBUG = True (plus, new sites created with Review Board 2.0+ will have a safe default for ALLOWED_HOSTS, keeping you safe). Still, we recommend that you always update to the latest Django 1.6.11.x security release anyway.

We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.5 release that contains these two fixes.

To upgrade to this release, run:

$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.5.tar.gz

Or:

$ easy_install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.5.tar.gz

We then recommend that you visit your Administration -> Security Checklist page to ensure that your ALLOWED_HOSTS and other security settings are correct.
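For readers who would rather check the two settings named above from the command line than from the admin page, here is an added example (not Django's or Review Board's code). The matching rules are a re-implementation of how Django compares a Host header against ALLOWED_HOSTS as documented ('*' matches anything, a leading '.' matches the domain and its subdomains, anything else must match exactly, case-insensitively and ignoring the port); the settings dictionaries are constructed for the example rather than read from a real conf/settings_local.py.

```python
import re

# Constructed settings for illustration: the unsafe combination the advisory
# calls out, beside a corrected one.
UNSAFE_SETTINGS = {'DEBUG': True, 'ALLOWED_HOSTS': []}
SAFE_SETTINGS = {
    'DEBUG': False,
    'ALLOWED_HOSTS': ['reviews.example.com', '.internal.example.com'],
}

_PORT_RE = re.compile(r':\d+$')


def normalize_host(host):
    """Lowercase a Host header value and drop a trailing :port, as Django does
    before comparing it against ALLOWED_HOSTS. IPv6 literals keep their
    brackets: "[::1]:8000" becomes "[::1]"."""
    return _PORT_RE.sub('', host.strip().lower())


def host_allowed(host, allowed_hosts):
    """Re-implementation (assumption: follows Django's documented rules) of
    ALLOWED_HOSTS matching. Returns True if the Host header would be accepted."""
    host = normalize_host(host)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == '*':
            return True
        if pattern.startswith('.'):
            # ".example.com" matches example.com and every subdomain, but not
            # "example.com.attacker.net", which merely contains the string.
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def audit_settings(settings):
    """Return a list of findings for the settings the advisory above discusses."""
    findings = []
    if settings.get('DEBUG'):
        findings.append('DEBUG is True: never run a production server in debug mode.')
    allowed = settings.get('ALLOWED_HOSTS') or []
    if not allowed:
        findings.append('ALLOWED_HOSTS is empty: combined with DEBUG = True this is '
                        'the configuration the Django advisory describes.')
    if '*' in allowed:
        findings.append("ALLOWED_HOSTS contains '*': every Host header is accepted, "
                        "so the check protects nothing.")
    return findings


if __name__ == '__main__':
    for name, cfg in (('unsafe', UNSAFE_SETTINGS), ('safe', SAFE_SETTINGS)):
        print(name, audit_settings(cfg) or ['OK'])
    print(host_allowed('ci.internal.example.com:443', SAFE_SETTINGS['ALLOWED_HOSTS']))
```

The audit deliberately treats a wildcard entry as a finding: '*' makes Django stop rejecting forged Host headers, which is exactly what ALLOWED_HOSTS exists to do, and it is a common way to "fix" a DisallowedHost error after an upgrade.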

You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.
