
    Review Board Security/Bug Fix Releases: 6.0.2, 5.0.7, 4.0.13, 3.0.26
    January 16, 2024

    Today's releases fix an important security vulnerability we've found in-house, and improve stability overall in Review Board 6.

    API Security Fix

    We discovered a security issue with two of our APIs while performing an in-house performance audit of our code. This allows a user with legitimate access to a Review Board server to craft a specific API request that returns diff content they wouldn't normally have permission to access (draft diffs or published diffs associated with a private repository or invite-only review group).

    Users cannot exploit this bug without legitimate access to the Review Board server (or the Local Site server partition, if used).

    We aren't aware of this vulnerability being used in the wild. It requires making use of an optional header when accessing these APIs, plus knowledge of internal database APIs for published diffs.

    As part of fixing this security issue, we've done the following:

    1. We sent patches (and custom builds as needed) to our customers with Premium Support contracts.
    2. We audited the remainder of our APIs. This type of issue was not found anywhere else.
    3. We improved our testing infrastructure so that this type of issue would be found automatically going forward.

    We recommend that everyone upgrade to the appropriate release of Review Board.

    Review Board 6 Stability

    We've addressed a few regressions introduced in Review Board 6.0:

    • Manually uploading diffs (either to new or existing review requests) should now work on all types of repositories.
    • Batch publishing will now work when using Local Site server partitions.
    • Empty reviews will no longer be posted if creating a review, leaving comments, and then deleting the comments.
    • Switching between search engine backends no longer requires restarting the web server.
    • Logging in from the Log Out page now takes you to the dashboard, instead of logging you back out.
    • Some minor UI issues in the Administration UI have been fixed.

    Upgrading

    If you're using our official releases, follow the upgrade instructions in the release notes below:

    • Review Board 6.0.2
    • Review Board 5.0.7
    • Review Board 4.0.13
    • Review Board 3.0.26

    If you're using releases provided by your Linux distribution or a third-party, you will need to inquire with them about your upgrade options and support.

    If you need assistance with your server, we can help under a support contract. This entitles you to on-going support for your server, custom builds, backported fixes, pre-release security patches, and solutions tailored for your company's needs.

    Review Board 5.0.3, 4.0.12, 3.0.25: Security and Bug Fixes
    March 7, 2023

    Today’s new releases fix a (rare) security issue when using older insecure LDAP servers. There are also installation improvements and a handful of bug fixes.

    LDAP Security Fix

    A security bug was found that enables a user to log in as another user when LDAP is configured. This vulnerability only exists when:

    1. Using very old LDAP servers that contain a credential verification security bug; and
    2. Enabling anonymous binds; and
    3. Logging in as a user not present in LDAP

    Under these conditions, a combination of an invalid LDAP username and a non-empty password can result in LDAP claiming the credentials are valid. If that user exists in Review Board as a local user, Review Board will see that the login was “successful” in LDAP and log the user in.

    Most users should never hit this issue. So far it’s only been found in an old version of Active Directory, and only when using our “LDAP” backend instead of the recommended “Active Directory.”

    We've tightened the code path and added additional checks to safeguard this on our end. All of today’s releases include the fix.

    If you use LDAP, we recommend upgrading to this release, ensuring your LDAP servers are up-to-date, and disabling anonymous binds if you don't need them.
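
The login path described above, as an added example rather than Review Board's LDAP backend code. FakeLdapServer reproduces the misbehaviour the announcement describes: with anonymous binds enabled, it reports a successful bind for a DN that does not exist as long as the password is non-empty. authenticate_naive() shows how that turns into a login as a local user; authenticate() adds the checks (non-empty password, user resolved by search before binding, bind as the resolved DN) that close the hole. The directory entries, local users and all names are constructed for this example; a real backend would issue the same search and bind through python-ldap.

```python
"""Hardened LDAP login path (added example; not Review Board's own code)."""


class FakeLdapServer:
    """Minimal LDAP stand-in. `entries` maps uid -> (dn, password).

    `buggy=True` models the credential-verification bug from the
    announcement: an unknown DN with a non-empty password is accepted
    whenever anonymous binds are enabled.
    """

    def __init__(self, entries, anonymous_bind=True, buggy=True):
        self.entries = entries
        self.anonymous_bind = anonymous_bind
        self.buggy = buggy

    def bind(self, dn, password):
        """Simple bind: True if the server accepts the credentials."""
        if not dn and not password:
            return self.anonymous_bind  # an empty DN and password is an anonymous bind
        for entry_dn, entry_pw in self.entries.values():
            if entry_dn == dn:
                return bool(password) and entry_pw == password
        # Unknown DN: a correct server rejects; the buggy one accepts any
        # non-empty password when anonymous binds are on.
        return self.buggy and self.anonymous_bind and bool(password)

    def search_user(self, uid):
        """Anonymous search for a user's DN; None if there is no such entry."""
        entry = self.entries.get(uid)
        return entry[0] if entry else None


def authenticate_naive(server, local_users, username, password):
    """Build the DN from the username, bind, and trust the bind result.

    Against the buggy server this logs in any local user whose name is not
    in the directory, which is the failure the announcement describes.
    """
    dn = f"uid={username},ou=people,dc=example,dc=test"  # constructed base DN
    if server.bind(dn, password):
        return local_users.get(username)
    return None


def authenticate(server, local_users, username, password):
    """Hardened path: all three conditions are required.

    1. Non-empty username and password. An empty password makes the bind
       anonymous, which succeeds on any server that permits it.
    2. The user exists in the directory, established by a search before
       binding. A "successful" bind for a user the directory has never heard
       of is treated as a server fault, not as a login.
    3. The bind as the DN returned by the search succeeds.
    Only then is the local Review Board account looked up.
    """
    if not username or not password:
        return None
    dn = server.search_user(username)
    if dn is None:
        return None
    if not server.bind(dn, password):
        return None
    return local_users.get(username)
```

The second check is the important one: the directory, not the bind result, decides whether a user is an LDAP user at all, so a server that wrongly says "yes" to a nonexistent DN never reaches the local account lookup.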

    New Supported Web Servers

    Review Board works well with just about any modern web server, but we’ve only ever provided sample configurations for Apache.

    Now, when installing a new site, sample configurations are auto-generated for these often-requested web servers:

    • Apache + mod_wsgi
    • Nginx + Gunicorn
    • Nginx + uWSGI

    See our Web Server documentation for these sample configuration files and additional instructions.

    Many Bug Fixes

    We’ve stomped out several bugs in this release, including:

    • Problems marking a SSH key or SSL certificate as trusted when configuring a repository
    • Communicating with repositories over SSH in some setups
    • Performing manual runs of automated reviews when multiple configurations for the same tool are present
    • Workarounds for environment issues during installation on Ubuntu 20.04 LTS

    New Documentation

    We’ve also reworked much of our documentation. Some highlights include:

    • Streamlined installation steps for Linux
    • A guide on configuring SELinux
    • Enhanced instructions for using docker-compose
    • Modernized techniques for optimizing and scaling your deployment
    • An overview of using automated code review

    For the full list of changes, see:

    • Review Board 5.0.3 release notes
    • Review Board 4.0.12 release notes
    • Review Board 3.0.25 release notes

    To learn more about upgrading your server, see our upgrade instructions. You can also use our official Docker images.

    If you need assistance with your server, we can help under a support contract.

    Review Board 4.0.2 and 3.0.24: Security and Bug Fixes
    June 15, 2021

    Today's releases of Review Board 3.0.24 and 4.0.2 fix a handful of bugs and one security issue, and introduce support for defining safe URL protocols for Markdown text.

    Security Fix for Markdown Review UI

    Attackers could post a Markdown document for review that contained bad links that, when clicked, could invoke JavaScript code. We fixed a similar issue in 3.0.21, but this is specific to the Markdown Review UI.

    Though this is a pretty small attack vector, we do strongly recommend that everyone upgrades as a precaution.

    Custom URL Protocols

    Administrators can now set a list of URL protocols (like eclipse://, ftp://, gopher://, etc.) they consider safe for their environment by modifying conf/settings_local.py. These will then be preserved when building links. For example:

    ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']
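
The idea behind that setting, as an added example that is not Review Board's own Markdown code: links whose scheme is neither a built-in safe scheme nor on the administrator's allow-list are reduced to their link text instead of becoming clickable hrefs, which is what stops a javascript: or data: target from reaching the browser. The DEFAULT_SAFE_PROTOCOLS set, the function names and the sample Markdown are assumptions made for this example; the ALLOWED_MARKDOWN_URL_PROTOCOLS value is the one from the announcement.

```python
"""Allow-listing URL schemes in Markdown links (added example)."""
import re
from urllib.parse import urlsplit

# Schemes treated as safe on every deployment (an assumption of this example).
DEFAULT_SAFE_PROTOCOLS = frozenset({"http", "https", "mailto"})

# Same shape and values as the setting shown in the announcement.
ALLOWED_MARKDOWN_URL_PROTOCOLS = ["eclipse", "ftp", "gopher"]

# Inline links of the form [text](target); one level of parentheses is
# allowed inside the target so that e.g. "alert(1)" is captured whole.
_LINK_RE = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)")


def link_scheme(target):
    """Return the lowercase scheme of a link target, or '' if it has none.

    Browsers ignore leading whitespace and embedded control characters when
    they parse a scheme, so those are removed before inspecting it; otherwise
    "  java\\tscript:" would read as having no scheme and slip through.
    """
    cleaned = "".join(
        ch for ch in target.strip() if not ch.isspace() and ch.isprintable()
    )
    return urlsplit(cleaned).scheme.lower()


def is_allowed_url(target, extra_protocols=ALLOWED_MARKDOWN_URL_PROTOCOLS):
    """True if the target's scheme is safe by default or on the allow-list."""
    scheme = link_scheme(target)
    if not scheme:
        return True  # relative or protocol-relative: inherits the page's scheme
    allowed = DEFAULT_SAFE_PROTOCOLS | {p.lower() for p in extra_protocols}
    return scheme in allowed


def sanitize_markdown_links(text, extra_protocols=ALLOWED_MARKDOWN_URL_PROTOCOLS):
    """Rewrite disallowed links to plain text.

    Returns (sanitized_markdown, rejected_targets) so a caller can log what
    was stripped.
    """
    rejected = []

    def repl(match):
        label, target = match.group(1), match.group(2)
        if is_allowed_url(target, extra_protocols):
            return match.group(0)
        rejected.append(target)
        return label

    return _LINK_RE.sub(repl, text), rejected
```

Run over constructed input such as "[click](javascript:alert(1))", the link collapses to the word "click" while "[docs](https://example.test/docs)" and "[ws](eclipse://open?file=x)" are kept; clearing the allow-list makes "ftp://" links collapse as well, which is the knob the setting exposes.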
    

    Bug Fixes

    There are also fixes for:

    • Marking session and CSRF cookies as secure
    • Handling Subversion diffs with (nonexistent) revisions
    • Markdown rendering of e-mail addresses
    • Connecting to GitLab (in Review Board 4.0.2)

    See the 3.0.24 release notes and 4.0.2 release notes for the full lists of changes.

    Note: If you're upgrading to 3.0.24, please follow the installation instructions in the release notes so you don't end up on 4.0.2.

    Review Board 3.0.21 and 4.0 RC 2: Security Fixes, Bug Fixes, and Docker
    April 14, 2021

    Review Board 3.0.21 and 4.0 RC 2 are out. These releases fix a security vulnerability, along with other bug fixes.

    3.0.21 also introduces Docker support.

    Security Fix

    Both releases fix an XSS vulnerability in Markdown rendering, which could allow an attacker to craft a link that executes arbitrary JavaScript code when clicked.

    The attacker would need to be someone who already has legitimate access to your server, and can perform reviews or otherwise access your code.

    We recommend that everyone (especially those running public servers) upgrades to address this vulnerability, though the seriousness of the issue will vary from company to company.

    Docker Support

    Review Board 3.0.21 ships with new Docker support, helping you set up and deploy servers quickly without needing to manually install anything.

    This is still young. If you hit any issues, please report them to us.

    Going forward, all Review Board 3.x and higher releases will include Docker images.

    Compatibility and Bug Fixes

    Both releases fix installation issues on Python 2.7, along with a handful of bug fixes and improvements.

    See the 3.0.21 release notes and 4.0 RC 2 release notes for the full lists of changes.

    New Django 1.6.11.9 Security Releases
    June 3, 2020

    Django released versions 2.2.13 and 3.0.7 today, fixing a couple of security issues. You can see their announcement for the issues addressed.

    We maintain security-hardened builds of Django 1.6.11, the version series we use for Review Board 2.0 through 3.0. We've put out a new Django 1.6.11.9 release that contains these fixes.

    To upgrade to this release, run:

    $ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.9.tar.gz
    

    Or:

    $ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.9.tar.gz
    

    You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list, joining our Subreddit, or following us on Twitter.

    New Django 1.6.11.8 Security Releases
    August 1, 2019

    Django released the versions 2.2.4, 2.1.11, and 1.11.23 today, fixing a handful of security issues. You can see their announcement for the list of issues addressed.

    We maintain security-hardened builds of Django 1.6.11, the version series we use for Review Board 2.0 through 3.0. We've put out a new Django 1.6.11.8 release that contains these fixes, plus some additional backports from newer releases.

    To upgrade to this release, run:

    $ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.8.tar.gz
    

    Or:

    $ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.8.tar.gz
    

    You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list, joining our Subreddit, or following us on Twitter.

    Review Board 3.0.11 and 2.5.18 Security and Bug Fix Releases
    December 5, 2018

    Today's release of Review Board 3.0.11 features a security fix in the API, compatibility with modern Bitbucket WebHooks, and other improvements. We've also put out an accompanying 2.5.18 security release, for those who haven't yet upgraded to 3.0.

    Diff Validation Security Fix

    The Diff Validation API allowed for private repositories to be specified when validating a new diff. This did not leak any file contents whatsoever, but could expose whether a particular file at a revision did or did not exist, or whether an uploaded patch could be applied against those files.

    This is only an issue for servers making use of private repositories, and it does not apply to Local Site access control. Still, we recommend that everyone updates to this release.
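
Both the Diff Validation fix above and the API fix in the January 2024 post come down to the same rule: authorize the object you are actually about to return or act on, not just the object named in the URL, and do the check before any repository access so that access-controlled repositories answer exactly like unknown ones. The following is an added example modelling that rule; it is not Review Board's code, and every class, function name and sample value in it (the users, repositories and review requests in the test) is constructed for the illustration.

```python
"""Object-level authorization for diff content (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset = frozenset()  # names of review groups the user belongs to


@dataclass(frozen=True)
class Repository:
    name: str
    public: bool = True
    allowed_users: frozenset = frozenset()
    allowed_groups: frozenset = frozenset()
    files: frozenset = frozenset()  # paths known to exist, for validation

    def is_accessible_by(self, user):
        return (self.public
                or user.username in self.allowed_users
                or bool(user.groups & self.allowed_groups))


@dataclass(frozen=True)
class ReviewGroup:
    name: str
    invite_only: bool = False


@dataclass(frozen=True)
class ReviewRequest:
    id: int
    owner: str
    repository: Repository
    target_groups: tuple = ()

    def is_accessible_by(self, user):
        if user.username == self.owner:
            return True
        if not self.repository.is_accessible_by(user):
            return False
        # An invite-only target group limits viewing to its members.
        invite_only = [g for g in self.target_groups if g.invite_only]
        return not invite_only or any(g.name in user.groups for g in invite_only)


@dataclass(frozen=True)
class DiffSet:
    id: int
    review_request: ReviewRequest
    draft: bool = False
    content: str = ""

    def is_accessible_by(self, user):
        # Drafts belong to their owner alone; published diffs inherit the
        # review request's rules, and with them the repository's.
        if self.draft:
            return user.username == self.review_request.owner
        return self.review_request.is_accessible_by(user)


def get_diff_content(diffsets, user, review_request_id, diff_id):
    """Resolve the diff first, then authorize the resolved object.

    Returns the content, or None both when the diff does not exist under
    that review request and when the user may not see it, so the caller
    emits one indistinguishable error for both cases.
    """
    diffset = diffsets.get(diff_id)
    if diffset is None or diffset.review_request.id != review_request_id:
        return None
    if not diffset.is_accessible_by(user):
        return None
    return diffset.content


def can_view_diff(diffsets, user, review_request_id, diff_id):
    return get_diff_content(diffsets, user, review_request_id, diff_id) is not None


def validate_diff_file(user, repositories, repository_name, path):
    """Diff Validation: answer whether `path` exists in the repository.

    Returns None before touching the repository when the user may not access
    it (or it does not exist), so an inaccessible repository leaks neither
    file existence nor patch applicability.
    """
    repo = repositories.get(repository_name)
    if repo is None or not repo.is_accessible_by(user):
        return None
    return path in repo.files
```

The two places where this goes wrong in practice are both visible in the code: checking `review_request.is_accessible_by()` and then returning a `DiffSet` that was resolved some other way (a draft, or a diff from another review request) skips the object's own rule, and looking a repository up before `is_accessible_by()` turns an error message into an existence oracle.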

    Modern Bitbucket WebHooks

    Bitbucket removed support for their legacy WebHooks, which broke Review Board's ability to auto-close review requests when commits are pushed.

    The 3.0.11 release adds compatibility with the newer WebHooks. Follow the instructions to re-add any hooks you had set before in Bitbucket.

    Other Fixes and Improvements

    • Repository names can now be up to 255 characters long, giving you enough room to generate names based on URLs or some other identifier
    • Errors finding the GitLab API version (usually caused by domain resolution or SSL certificate trust issues) now contain enough information to help you locate the real problem
    • Fixed crashes with sending WebHook payloads when certain data types were involved

    See the Review Board 3.0.11 and 2.5.18 release notes for the full list of changes.

    Review Board 3.0.10: Security and bug fixes
    November 6, 2018

    Security fixes

    Review Board 3.0.10 addresses a security vulnerability found in-house that could allow for malicious JavaScript from a user profile to execute when rendering avatars. This bug was originally introduced in 3.0.7 and does not affect any prior releases.

    Although there are no known exploits found in the wild, we do recommend that everyone upgrades to this release.

    Plus several bug fixes, including

    • A regression introduced in 3.0.9 with sending WebHooks
    • An upgrade bug that could occur when upgrading to 3.0.x for the first time
    • Conflicts between extensions when installing or upgrading multiple ones at a time
    • URLs not always linking in comments and text fields

    And other improvements

    • The New Review Request page confirms that you want to post commits for review, in case you click the wrong thing
    • Review request e-mails now show the branch information

    That's not all. Check out the release notes for the rest of the changes.

    New Django 1.6.11.7 Security Releases
    March 6, 2018

    Django released a new set of security releases that protect against swamping a server when passing certain strings to a few different functions used for building URLs and truncating content. See their announcement for the details on the fixes.

    We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 3.0. We've put out a new Django 1.6.11.7 release that contains these fixes.

    To upgrade to this release, run:

    $ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.7.tar.gz
    

    Or:

    $ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.7.tar.gz
    

    You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list, joining our Subreddit, or following us on Twitter.

    New Review Board 2.0.30 and 2.5.14 security/bug fix releases
    August 1, 2017

    We have two new releases for you today, both fixing a couple of undisclosed security bugs, along with providing other bug fixes and feature enhancements.

    Security fixes

    We discovered an information leak in one of our APIs, allowing a request to be crafted that would reveal some details of review requests otherwise intended to be private. This affects you if you use invite-only review groups or private repositories for access control.

    We were also informed of an XSS vulnerability allowing a particular URL to be crafted that would execute JavaScript on your user's behalf.

    Both of these issues have been fixed, and additional unit tests have been added to ensure these never regress. We recommend that everyone upgrade to this release at their earliest convenience.

    If you locate a security problem in Review Board, please contact security@beanbaginc.com, or file a bug and choose "Security issue".

    New Markdown table support

    Review Board 2.5.14 introduces support for GitHub-Flavored Markdown tables. You can now provide tabular data in review request descriptions or in comments.

    Commit IDs are now searchable

    If you're running Review Board 2.5.14 and have search enabled, you'll now be able to search for review requests based on their commit ID, which is useful if you're using Git or Bitbucket.

    This will require a full re-index after upgrade.

    And a handful of other fixes in 2.5.14

    • Keyboard navigation in the diff viewer should no longer get stuck or fail to navigate to file headers.
    • A regression in extension building/packaging when using LessCSS and UglifyJS has been fixed.
    • Failure to load files from a repository when viewing diffs no longer results in huge entries in the log files.
    • Sending test e-mails should now properly report any errors that come up when communicating with the mail server.
    • The styling for buttons on Firefox should now be more consistent.

    See the 2.0.30 and 2.5.14 release notes for more information on the release, along with upgrade instructions.



    Copyright © 2006-2025 Beanbag, Inc. All rights reserved.
