Today's release of Review Board 3.0.11 features a security fix in the API, compatibility with modern Bitbucket WebHooks, and other improvements. We've also put out an accompanying 2.5.18 security release, for those who haven't yet upgraded to 3.0.
Diff Validation Security Fix
The Diff Validation API allowed for private repositories to be specified when validating a new diff. This did not leak any file contents whatsoever, but could expose whether a particular file at a revision did or did not exist, or whether an uploaded patch could be applied against those files.
This is only an issue for servers making use of private repositories, and it does not apply to Local Site access control. Still, we recommend that everyone updates to this release.
Modern Bitbucket WebHooks
Bitbucket removed support for their legacy WebHooks, which broke Review Board's ability to auto-close review requests when commits are pushed.
The 3.0.11 release adds compatibility with the newer WebHooks. Follow the instructions to re-add any hooks you had set before in Bitbucket.
Other Fixes and Improvements
- Repository names can now be up to 255 characters long, giving you enough room to generate names based on URLs or some other identifier
- Errors finding the GitLab API version (usually caused by domain resolution or SSL certificate trust issues) now contain enough information to help you locate the real problem
- Fixed crashes with sending WebHook payloads when certain data types were involved