Review Board 1.7.27 and 2.0.4 security releases

We have two new Review Board releases for you tonight. Both fix a couple security vulnerabilities that came to our attention, as well as several other bugs. There are also a few new feature additions.

One of the security vulnerabilities allowed an attacker to construct a URL that would inject custom JavaScript into the page, which could then be passed to a user, allowing the custom code to run in their session.

The other vulnerability allowed users without access to a private review request to construct a URL for accessing original or patched files from the repository, if they knew the right series of database IDs.
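The second vulnerability is an object-by-ID access check that was missing on a file-serving endpoint. The following added example (not Review Board's own code; every class, function and sample row in it is constructed for illustration) shows the shape of the check such an endpoint needs: resolve the requested file to the review request that owns it, and ask that review request whether the caller may see it, before returning any content. Knowing the database ID is then not enough.

```python
"""
Added example (not Review Board's own code): the access-control check a
file-serving endpoint needs so that a caller who merely knows a database ID
cannot download the original or patched file of a private review request.
All classes, names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


class PermissionDenied(Exception):
    """Raised when the requesting user may not see the object."""


@dataclass
class User:
    username: str
    is_superuser: bool = False
    groups: Set[str] = field(default_factory=set)


@dataclass
class ReviewRequest:
    id: int
    owner: str
    public: bool
    target_people: Set[str] = field(default_factory=set)
    target_groups: Set[str] = field(default_factory=set)

    def is_accessible_by(self, user: User) -> bool:
        # Superusers and the submitter always have access. Everyone else
        # needs the review request to be public or to be an explicit target
        # (directly or through one of their groups).
        if user.is_superuser or user.username == self.owner:
            return True
        if self.public:
            return True
        return (user.username in self.target_people
                or bool(user.groups & self.target_groups))


@dataclass
class FileDiff:
    id: int
    review_request_id: int
    path: str
    patched_content: bytes


# Constructed sample data standing in for database rows.
REVIEW_REQUESTS: Dict[int, ReviewRequest] = {
    1: ReviewRequest(id=1, owner="alice", public=True),
    2: ReviewRequest(id=2, owner="bob", public=False,
                     target_people={"carol"}, target_groups={"secteam"}),
}
FILEDIFFS: Dict[int, FileDiff] = {
    10: FileDiff(10, 1, "README", b"public readme"),
    11: FileDiff(11, 2, "secrets.conf", b"db_password=hunter2"),
}


def get_patched_file(user: User, filediff_id: int) -> bytes:
    """Return patched file content only after resolving the FileDiff to its
    owning review request and checking that the user may see it.

    The flaw class described in the announcement is serving the object
    straight from its ID. The is_accessible_by check below must run on every
    object-by-ID endpoint, not only on the review request page itself.
    """
    filediff = FILEDIFFS.get(filediff_id)
    if filediff is None:
        raise KeyError(filediff_id)  # a real view would answer 404 here
    review_request = REVIEW_REQUESTS[filediff.review_request_id]
    if not review_request.is_accessible_by(user):
        # Reveal nothing about the file; the caller only learns "no".
        raise PermissionDenied()
    return filediff.patched_content


def can_fetch(user: User, filediff_id: int) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_patched_file(user, filediff_id)
    except PermissionDenied:
        return False
    return True


if __name__ == "__main__":
    print(can_fetch(User("mallory"), 11))  # False: private, not a target
    print(can_fetch(User("carol"), 11))    # True: explicit target person
```

The useful property to test for is the negative case: a user who is not a target of the private review request, and who guesses the file's ID, gets a refusal rather than the content. In an ORM-backed application the same check belongs in the queryset the view uses (filter to accessible objects, then look up by ID) so that a forgotten check fails closed.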

Feature-wise, 1.7.27 gained a few of the recent additions to review UIs, support pages, and API that were introduced in 2.0.3.

2.0.4 gained support for uploading parent diffs in the New Review Request page.

If you're upgrading to 1.7.27, you'll need to run:

sudo easy_install ReviewBoard==1.7.27

For the full list of changes, see the 1.7.27 and 2.0.4 release notes.

New Djblets security releases

Today we put out two new security releases of Djblets, our utility library for Review Board. These are versions 0.7.30 and 0.8.3, and fix a couple XSS vulnerabilities that were discovered in our Gravatar support and JSON serialization code.

We are strongly recommending that everyone upgrade to these releases, particularly if you're running a public Review Board server.

If you're running Review Board 2.0.x, you can upgrade by typing:

sudo easy_install -u Djblets

If you're running Review Board 1.7.x, you will need to upgrade by typing:

sudo easy_install Djblets==0.7.30

The Djblets 0.7.30 release has only been tested with Review Board 1.7.25. If you're on an older version, we recommend upgrading Review Board as well, to ensure better compatibility, and to benefit from the additional fixes in that release.

See the 0.7.30 release notes and 0.8.3 release notes for more information.

Review Board 1.7.23 and Heartbleed

Review Board 1.7.23 is out. It’s a fairly typical bug fix release, with one addition that helps to address Heartbleed.

Heartbleed is the name for a widespread SSL security vulnerability found in OpenSSL and announced to the world on April 7th that can allow attackers to, in some cases, access private data in memory. It’s not specific to Review Board (and, in fact, the vulnerability lies outside of Review Board). Most Linux distributions are now providing patched OpenSSL packages, and the general recommendation is to re-issue your SSL certificates.

GitHub is recommending that users change their passwords and reset their authorization tokens. Review Board uses these tokens to communicate with your repositories on GitHub.

In 1.7.23, we’re providing a new management command for resetting your associated GitHub authorization tokens. You’ll need to know the password (and two-factor auth token, if enabled) for each linked account that you want to update.

To reset your tokens, install 1.7.23 and run:

$ rb-site manage /path/to/site reset-github-tokens

If you’re running an installation accessible over the Internet, you may want to have your users reset their passwords as well, to be safe.

Along with this, we have some authorization fixes for GitLab, and a few small bug fixes.

See the release notes for more information.

Review Board 1.7.22 released

Review Board 1.7.22 is out. It's primarily a bug fix release, with an important security update (particularly for public installations).

We've patched a reported XSS vulnerability involving the Search field. If you're running a 1.7.x release, we recommend updating to 1.7.22.

There's also a large number of bug fixes in this release. We've been working hard on going through the bug tracker and fixing up as many bugs as we can. This includes Git diff parsing fixes, compatibility improvements for Mercurial configurations, easier support for enabling HTTPS, and more.

See the release notes for the complete list of fixes.

Review Board 1.6.21 and 1.7.17 released

We have a couple new releases of Review Board tonight. These both fix a couple security vulnerabilities discovered last night, and from this alone, we strongly recommend upgrading immediately.

The new 1.7.17 release also provides better GitHub integration, Local Site permissions, Extension improvements, and various bug fixes throughout the product.

Those using GitHub will have an easier time setting up new repositories (no more having to configure SSH keys!), and if anything goes wrong in the setup process, Review Board will do a better job of telling you what may be wrong.

If you're using the Local Sites feature, there are some improvements for you as well. Administrators of Local Sites will now have the ability to edit, close and reopen review requests, as well as post under another user's name, just like full-on administrators. These permissions are limited to Local Sites, of course.

We've also fixed some bugs around extensions. Enabling, disabling or changing an extension's settings will now cause the browser to re-fetch pages, instead of using old cached versions. Furthermore, extension customization now works with subdirectory installs.

The improvements in 1.7.17 are covered in more detail in the release notes.

If you're using the new Review Board Power Pack extension, or are looking to try it out, we recommend you update to 1.7.17. There are some fixes in this release that improve the interactivity with Power Pack.

If you're upgrading to 1.6.21, be sure to specify the version on the command line:

$ sudo easy_install ReviewBoard==1.6.21

Release notes:

New security releases: Review Board 1.6.19 and 1.7.15

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).

These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs.

See the 1.6.19 and 1.7.15 release notes for more details on these releases.

Important Django security update

The Django project just released an important security update that affects all Review Board 1.7.x servers, particularly public ones. It allows an attacker to perform a Denial-of-Service attack on the server through the authentication mechanism.

We recommend that everybody running a Review Board 1.7.x release immediately updates to Django 1.4.8. We will be putting out new releases of Review Board today, as well.

Please see the Django security announcement for more information.

Review Board 1.6.17 and 1.7.10 released

We have a pair of releases today for users of Review Board 1.6.x and 1.7.x. Both contain important security updates, and we recommend updating immediately.

This security vulnerability allows attackers to execute JavaScript under certain conditions. There are no known cases of it being exploited in the wild. Earlier 1.6.x and 1.7.x releases are susceptible to the flaw, and we have released updates for both series. We recommend that all users upgrade their install to a modern release, particularly if you are running a version prior to 1.6.

Along with the security updates, Review Board 1.7.10 provides some new bug fixes, API enhancements (for comments and screenshots), and UI refinement.

See the 1.6.17 and 1.7.10 releases for more info.

New Review Board Security Releases: 1.5.7 and 1.6.3

It was brought to our attention today that Review Board 1.5.x and 1.6.x had a security vulnerability involving browser-side script injection in the diff viewer and screenshot pages. We take such things seriously, and are putting out a couple of releases to fix it. We strongly advise everyone to update, especially if you're running a public server.

Review Board 1.5.7 and 1.6.3 have been released. If you're running 1.6.x, just upgrade as normal, but if you're running 1.5.x, you need to upgrade by doing:

$ sudo easy_install -U ReviewBoard==1.5.7

Otherwise, you'll automatically upgrade to 1.6.x.

Thanks to Damian Johnson for letting us know about this vulnerability and providing a patch to fix it.

Security vulnerability found in Django 1.0.3 and 1.1

An announcement was made yesterday that the Django 1.0.3 and 1.1 releases contained a security vulnerability that may impact some users. We recommend that users upgrade to the latest version of Django immediately. This is especially important to open source projects with public Review Board servers.

If you're running an older Review Board server with Django 1.0.x, you should download Django 1.0.4 and install it. If you're running a newer version, you can upgrade by typing:

easy_install -U Django

Once you've upgraded, re-run rb-site upgrade on your installed Review Board sites.
