What's New in Review Board

    New Django 1.6.11.6 Security Releases
    April 4, 2017

    Django released a new set of security releases that protect against malicious redirect URLs when serving static media (on development servers) and when logging in. See their announcement for the details on the fixes.

    We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.6 release that contains these two fixes.

    To upgrade to this release, run:

    $ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz
    

    Or:

    $ easy_install -U http://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.6.tar.gz
    

    You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.

    New Django 1.6.11.5 Security Releases
    November 1, 2016

    Earlier today, Django released a new set of security releases that address issues when running unit tests against Oracle databases and when running a Django-based application when setting DEBUG = True and ALLOWED_HOSTS = [] in a server's settings file.

    Review Board should not be impacted by the Oracle issue (which would not occur in production), and we don't recommend running with DEBUG = True (plus, new sites created with Review Board 2.0+ will have a safe default for ALLOWED_HOSTS, keeping you safe). Still, we recommend that you always update to the latest Django 1.6.11.x security release anyway.

    We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.5 release that contains these two fixes.

    To upgrade to this release, run:

    $ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.5.tar.gz
    

    Or:

    $ easy_install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.5.tar.gz
    

    We then recommend that you visit your Administration -> Security Checklist page to ensure that your ALLOWED_HOSTS and other security settings are correct.

    You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.

    New Django Security Releases
    September 26, 2016

    Django released a new set of security releases today, designed to fix a vulnerability in the cookie parsing code when combined with usage of Google Analytics that could allow an attacker to bypass CSRF protection. (See their announcement for more details.)

    We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We have put out a Django 1.6.11.4 release containing these security fixes.

    To upgrade to this release, run:

    $ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.4.tar.gz
    

    Or:

    $ easy_install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.4.tar.gz
    

    This particular vulnerability is unlikely to affect most of our users (at least as documented in Django's release notes), but we still recommend upgrading, to be safe.

    You can always keep up on the latest Review Board security announcements by subscribing to the Official Announcements mailing list.

    Review Board and the HTTPoxy Vulnerability
    July 20, 2016

    HTTPoxy is an old, but recently-discussed, security vulnerability affecting CGI-backed web applications (and certain client-side libraries). It allows an attacker to send a Proxy HTTP header to a vulnerable web server and have that translate into an HTTP_PROXY environment variable, which may then be used to specify an HTTP proxy server for HTTP requests initiated from the server. This happens because CGI-based web applications are provided the client's HTTP headers as environment variables, converted to uppercase and prefixed with HTTP_. This is normally not a problem, but

    Effectively, HTTPoxy allows an attacker to Man-in-the-Middle HTTP requests made by the web application, intercepting traffic or returning bad data.

    Don't worry, Review Board is safe!

    Review Board is not vulnerable to HTTPoxy, as it doesn't use CGI. Most Review Board installs use WSGI, and some older installs use mod_python or FastCGI. None of these implementations are vulnerable (despite the "CGI" in the name "FastCGI").

    We'd still recommend fine-tuning your server's settings to work around the HTTPoxy vulnerability, as a precaution, particularly if you're running anything else on the server. See the HTTPoxy Mitigation instructions for further details.
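As an added illustration (not Review Board's, Django's, or the HTTPoxy project's code), the following models the CGI header-to-environment rule described above and shows a WSGI middleware that drops the resulting key as a precaution; all names and hosts in it are constructed.

```python
"""Added example, not Review Board's or Django's code: models the CGI rule
that HTTPoxy abuses and a WSGI middleware that neutralises it. Host names
and function names here are constructed for illustration."""


def cgi_environ(request_headers, request_method="GET"):
    """Apply the CGI rule (RFC 3875): each request header becomes
    HTTP_<NAME>, upper-cased, with '-' replaced by '_'. A client-sent
    'Proxy: ...' header therefore lands in HTTP_PROXY."""
    env = {"REQUEST_METHOD": request_method}
    for name, value in request_headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """What a proxy-aware client library typically does: trust whatever
    HTTP_PROXY/http_proxy it finds in its environment. Under CGI that
    environment is built from the request's headers."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxy_is_request_controlled(env):
    """Detection heuristic: when REQUEST_METHOD is set the process is
    serving a CGI request, so HTTP_PROXY can only have come from a client
    header and must not be treated as operator configuration."""
    return "REQUEST_METHOD" in env and "HTTP_PROXY" in env


class DropProxyHeader:
    """WSGI middleware: remove HTTP_PROXY before the wrapped app runs, so
    nothing downstream can mistake it for outbound proxy settings."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ.pop("HTTP_PROXY", None)
        return self.app(environ, start_response)


def echo_proxy_app(environ, start_response):
    """Minimal WSGI app reporting which proxy it would have used."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(naive_outbound_proxy(environ)).encode()]


def run_request(app, headers):
    """Drive a WSGI app with a constructed CGI-style environ and return
    the response body as text."""
    env = cgi_environ(headers)
    body = app(env, lambda status, response_headers: None)
    return b"".join(body).decode()
```

In real WSGI deployments the request environ is a per-request dictionary rather than the process environment, which is why the deployments listed above are not affected; the middleware is only the belt-and-braces hardening the announcement suggests.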

    Review Board 2.0.23/2.5.4 released with security fixes and more
    April 13, 2016

    We've just released two new versions of Review Board: 2.0.23 and 2.5.4. Both contain a number of bug fixes and other improvements, along with fixes for two small self-XSS vulnerabilities.

    Security Fixes

    The self-XSS vulnerabilities can cause a user to intentionally or unintentionally execute JavaScript code by crafting just the right kind of text in the review request or review dialog fields. These do not persist, cannot be triggered by external users, and cannot affect other users.

    These were caused by a bad timing issue that resulted in user-inputted text being briefly considered as safe HTML. A user is unlikely to hit this, and likely will only hit it accidentally, but we recommend that everyone updates to this release as a precaution.

    Thanks to "Secfathy" for reporting the self-XSS in the review dialog! We take security seriously, so if you find a vulnerability, please report it responsibly!

    New Additions and Fixes

    Security fixes aside, we've made a number of improvements in both of these releases:

    • Support for JavaScript unit tests for extensions
    • Settings for configuring the static media URL.
    • Support for using modern versions of stunnel with Perforce.
    • Compatibility fixes for Subversion with Beanstalk
    • Stale cache fixes for Git diffs when changing the raw file URL mask.
    • Information on support options and the current active support contract (if any) in the administration dashboard.

    Those are just a few of the improvements! See the release notes for the rest:

    • 2.0.23 release notes
    • 2.5.4 release notes

    New Django and Djblets Security Releases
    March 1, 2016

    We have a new batch of security updates today.

    Django

    Django put out a few new security releases this morning that focus on fixing two security issues. The first fixes a flaw that allowed malicious URLs to be considered "safe" when they shouldn't be. The second hardens the method by which passwords are stored so that older accounts will gain the security benefits when they next log in.

    See their announcement for more details.
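As an added illustration (not Django's is_safe_url or any Review Board code), this is the kind of conservative redirect-target check that the login-redirect fix in the April 2017 entry above and the "safe URL" fix here are concerned with; the host names and the function name are constructed.

```python
"""Added example, not Django's or Review Board's code: a conservative check
for user-supplied redirect targets. Host names here are constructed."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"", "http", "https"}


def is_safe_redirect(url, allowed_hosts):
    """Return True only if url is site-relative, or http(s) to an allowed
    host. It refuses the shapes that commonly slip past naive checks:
    backslashes (browsers treat '\\' like '/'), control characters and
    surrounding whitespace, userinfo ('other@host' tricks), and
    '///host' forms that a parser reads as a path but a browser as a host."""
    if not url or url != url.strip():
        return False
    if "\\" in url or any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # A scheme with no host (e.g. 'http:///x' or 'http:x') is ambiguous.
    if parts.scheme and not parts.netloc:
        return False
    if "@" in parts.netloc:
        return False
    if not parts.netloc:
        return True  # site-relative, e.g. '/dashboard/?sort=-last_updated'
    allowed = {h.lower() for h in allowed_hosts}
    return (parts.hostname or "").lower() in allowed
```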

    We maintain security-hardened builds of Django 1.6.x, the version series we use for all currently-supported releases of Review Board. We have put out a 1.6.11.3 release containing these security fixes.

    If you're using a modern pip, you can upgrade to this release by running:

    pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz
    

    Or:

    easy_install -U https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz
    

    Djblets

    We received a security report last night detailing how an attacker could craft a URL to a user's dashboard (or other similar pages) with a column sorting identifier containing JavaScript code. If the user visited that URL and subsequently clicked that column, the code would execute.

    We immediately fixed this and prepared new releases of Djblets, which you'll want to install depending on your version of Review Board:

    • Review Board 1.7.x: Djblets 0.7.33
    • Review Board 2.0.x: Djblets 0.8.25
    • Review Board 2.5.x: Djblets 0.9.2

    If you're running a modern version of Pip, you can upgrade Djblets by running:

    pip install Djblets==<version>
    

    Or you can upgrade with:

    easy_install Djblets==<version>
    

    You can also verify the signatures of the builds against our PGP key, to confirm authenticity.

    Thanks to Jose Carlos Exposito Bueno (0xlabs) for reporting this!

    New Review Board 1.7.29/2.0.22/2.5.3 security releases
    February 22, 2016

    We have three new major Review Board releases for you today. Each of these has a mixture of bug fixes and feature additions for users, administrators, and extension authors alike. However, they also have security fixes for a vulnerability we discovered with private review requests.

    Security Fixes

    We discovered a vulnerability where a user with access to a review request can craft URLs to view file attachments, legacy screenshots, or metadata on review request updates for review requests that are private (those using invite-only review groups, private repositories, or Local Site server partitioning). This either requires knowledge of the specific database IDs from those review requests, or requires brute-forcing a range of IDs to scan for content.

    If you don't use private review requests on your server, you have nothing to worry about, but we still recommend updating anyway.

    Also, while not a vulnerability, it's important to note that if you're an extension author writing JavaScript-side extensions, any extension settings are provided client-side to your JavaScript code. We recently learned of a case where this caused some problems, so we've given extension authors more control here. More on that below.

    If you run a public Review Board server, and want to be on a pre-notification list for security vulnerabilities, please contact us.

    New Additions and Fixes

    We've put some small feature additions into 2.0.22 and 2.5.3:

    • Extension authors writing JavaScript-side code can now control what settings data is passed to the client by overriding JSExtension.get_settings. By default, this returns all the extension's settings, but you can return whatever you like here.
    • We've improved error feedback when things go wrong while posting a diff using rbt post.
    • Mobile styles have had some tweaks for better display on certain pages.
    • You can now use memcached servers listening over UNIX sockets.

    And some bug fixes:

    • "Are you sure want to leave the page?" confirmations should no longer appear on Firefox if you haven't actually changed anything.
    • Legacy screenshots from older releases should now display just fine on 2.5.3.
    • Webhooks containing diff payloads aren't so broken on 2.5.3.

    There's more, and we also have some backported bug fixes and feature changes for 1.7.29. (This will likely be the last 1.7.x release.)

    See the release notes for more information:

    • 2.5.3 release notes
    • 2.0.22 release notes
    • 1.7.29 release notes

    New Django 1.6.11.2 security releases
    November 24, 2015

    Today, Django released new security patches for 1.7.x, 1.8.x, and 1.9. These fix a possible settings leak in the date template filter, enabling a user to steal settings like a database password if they're able to construct their own date format string.

    We've put out a corresponding 1.6.11.2 release, which backports this fix to the version of Django used by Review Board 1.7.x through 2.5.x. While this vulnerability does not affect Review Board, we nevertheless suggest that you upgrade.

    The latest security releases can always be downloaded here. We announce new releases on our Official Announcements mailing list and on our community support forum.

    To upgrade to Django 1.6.11.2, you can run:

    $ sudo easy_install \
        -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
        Django==1.6.11.2
    

    or, using pip:

    $ sudo pip install \
        -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
        Django==1.6.11.2
    

    Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in Review Board. We are working on a solution for this. However, for now, it will be up to you to handle this.

    For information on what's in this security release, see Django's announcement.

    Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also reached end-of-life. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.

    New Django 1.6.11.1 security releases
    August 24, 2015

    We've just put out new, unofficial releases of Django 1.6.11 that contain security fixes backported from the latest versions of Django.

    The Django project is no longer maintaining Django 1.6.x, as it has reached end-of-life. However, for many reasons, we're currently dependent on this version. As such, we will be maintaining security releases for Django 1.6.x from here on out, in the form of 1.6.11.x releases.

    The latest security releases can always be downloaded here. We will announce new releases on our Official Announcements mailing list and on our community support forum.

    To upgrade to Django 1.6.11.1, you can run:

    $ sudo easy_install \
        -f http://downloads.reviewboard.org/releases/Django/1.6/ \
        Django==1.6.11.1
    

    or, using pip:

    $ sudo pip install \
        -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
        Django==1.6.11.1
    

    Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in our upcoming releases of Review Board. It will be up to you to handle this for now. We will announce instructions along with the releases.

    For information on what's in this security release, see Django's announcement.

    Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also reached end-of-life. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.

    Review Board 2.0.16 is out! Safer, faster, and more stable
    June 11, 2015

    The new 2.0.16 release is a nice mix of security fixes, performance, and bug fixes.

    First off, this release fixes a security vulnerability recently reported that allows a user to craft a string that can, under the right circumstances, execute a malicious script. If you're running 2.0.x, we highly recommend that you upgrade, particularly if your server is public on the Internet.

    Okay, now on to the fun parts.

    A faster Review Board

    The diff viewer is now fast. Very fast. You'll find some major speed improvements in loading and expanding diffs and viewing diff comment fragments.

    Most other pages are a bit faster too. We've fixed and improved client-side caching behavior across the site. The speed improvement should be noticeable.

    Lastly, in the performance category, we've identified and fixed a bug that could trigger unnecessary reloads of extension configuration, particularly when using Power Pack.

    A more stable Review Board

    We've fixed over 25 bugs in this release, spanning search, Unicode conversion, diff navigation, interdiffs, the API, extensions, Bitbucket, Git, Subversion, and more.

    There are compatibility fixes for the latest versions of Whoosh and Haystack (both needed for search).

    New features!

    We've added support for browsing and posting commits on GitLab for review on the New Review Request page.

    Using Mercurial? We've added compatibility with Git-formatted Mercurial diffs, which contain more useful information that Review Board can work with.

    Extension authors can now choose to block review requests from closing or reopening, and can add new UI to the top of the review dialog.

    Better installation through pip and Wheels

    Like with RBTools, we're now officially releasing Python Wheel packages for Review Board, supporting the latest versions of pip. To install Review Board, simply type:

    $ pip install --allow-all-external ReviewBoard
    

    (In the future, we're hoping to eliminate the need for --allow-all-external.)

    Signed releases

    As of this release, we're now signing all Djblets and Review Board builds with our official PGP key. We discussed this previously in the RBTools 0.7.3 release announcement, so check that out to learn how to take advantage of this.

    Final notes

    If you're using search today, make sure to do a full rebuild of your search index. We've made some changes to the index format, which will break search results until reindexed.

    For the full list of improvements, see the release notes.
