What's New in Review Board

Today's release of Review Board 2.0.13 has a nice mix of bug fixes and features/improvements for Subversion users and administrators.

Let's get to the features first.

• Subversion users with non-standard repository layouts will now find that they can now browse commits from any top-level directory in their repository in the New Review Request page. Previously, they were kind of stuck if they didn't have the standard trunk/branches scheme.

• We've enhanced the administration UI to enable filtering/searching repositories (which is particularly useful if you have hundreds of repositories in your install). You can also search for any user and edit their profile information.

• Also, we have a new authentication backend. If you're maintaining HTTP Digest password files for other services, and want those same accounts to work with Review Board, you're in luck! Simply enable the new HTTP Digest backend, point to your password file, and you're good to go.

If you're running RBTools 0.7.1 or higher, you'll be able to take advantage of enhanced caching support in our API, making everything just a bit faster!

We also have a number of bug fixes throughout the product. This covers crashes, visual issues, diff interaction/selection/parsing bugs, and more.

See the release notes for the full list of changes.

We have another big Review Board release for you today!

Review Board 2.0.6 makes a number of improvements across the product, including:

• Fixes for numerous Subversion-related problems
• Internet Explorer compatibility fixes (note that if you use IE, you should use IE10 at a minimum)
• Extension installation fixes for multi-threaded servers
• Addition of OK/Cancel buttons on all fields on review requests
• Workarounds for broken file attachment mimetypes reported by the browser
• Smarter Markdown escaping
• The condensediffs command for reducing diff storage requirements now shows the estimated time until completion.
• and much more!

There are also a few important security fixes. Django just announced new security releases today, which may affect your server, especially if it's publicly accessible. By upgrading to 2.0.6, you'll get these fixes automatically.

If you're running Review Board 2.0.x, we strongly encourage you to upgrade to this release. It should make things run much smoother all around.

See the release notes for more information on this release.

We have two new Review Board releases for you tonight. Both fix a couple security vulnerabilities that came to our attention, as well as several other bugs. There are also a few new feature additions.

One of the security vulnerabilities allowed an attacker to construct a URL that would inject custom JavaScript into the page, which could then be passed to a user, allowing the custom code to run in their session.

The other vulnerability allowed users without access to a private review request to construct a URL for accessing original or patched files from the repository, if they knew the right series of database IDs.

Feature-wise, 1.7.27 gained a few of the recent additions to review UIs, support pages, and API that were introduced in 2.0.3.

2.0.4 gained support for uploading parent diffs in the New Review Request page.

If you're upgrading to 1.7.27, you'll need to run:

sudo easy_install ReviewBoard==1.7.27

For the full list of changes, see the 1.7.27 and 2.0.4 release notes.

Today, put out two new security releases of Djblets, our utility library for Review Board. These are versions 0.7.30 and 0.8.3, and fix a couple XSS vulnerabilities that were discovered in our Gravatar support and JSON serialization code.

We are strongly recommending that everyone upgrade to these releases, particularly if you're running a public Review Board server.

If you're running Review Board 2.0.x, you can upgrade by typing:

sudo easy_install -u Djblets

If you're running Review Board 1.7.x, you will need to upgrade by typing:

sudo easy_install Djblets==0.7.30

The Djblets 0.7.30 release has only been tested with Review Board 1.7.25. If you're on an older version, we recommend upgrading Review Board as well, to ensure better compatibility, and to benefit from the additional fixes in that release.

See the 0.7.30 release notes and 0.8.3 release notes for more information.

Review Board 1.7.23 is out. It’s a fairly typical bug fix release, with one addition that helps to address Heartbleed.

Heartbleed is the name for a widespread SSL security vulnerability found in OpenSSL and announced to the world on April 7th that can allow attackers to, in some cases, access private data in memory. It’s not specific to Review Board (and, in fact, the vulnerability lies outside of Review Board). Most Linux distributions are now providing patched OpenSSL packages, and the general recommendation is to re-issue your SSL certificates.

GitHub is recommending that users change their passwords and reset their authorization tokens. Review Board uses these tokens to communicate with your repositories on GitHub.

In 1.7.23, we’re providing a new management command for resetting your associated GitHub authorization tokens. You’ll need to know the password (and two-factor auth token, if enabled) for each linked account that you want to update.

To reset your tokens, install 1.7.23 and run:

$ rb-site manage /path/to/site reset-github-tokens

If you’re running an installation accessible over the Internet, you may want to have your users reset their passwords as well, to be safe.

Along with this, we have some authorization fixes for GitLab, and a few small bug fixes.

See the release notes for more information.

Review Board 1.7.22 is out. It's primarily a bug fix release, with an important security update (particularly for public installations).

An XSS vulnerability was reported that we've patched that involves the Search field. If you're running a 1.7.x release, we recommend updating to 1.7.22.

There's also a large number of bug fixes in this release. We've been working hard on going through the bug tracker and fixing up as many bugs as we can. This includes Git diff parsing fixes, compatibility improvements for Mercurial configurations, easier support for enabling HTTPS, and more.

See the release notes for the complete list of fixes.

We have a couple new releases of Review Board tonight. These both fix a couple security vulnerabilities discovered last night, and from this alone, we strongly recommend upgrading immediately.

The new 1.7.17 release also provides better GitHub integration, Local Site permissions, Extension improvements, and various bug fixes throughout the product.

Those using GitHub will have an easier time setting up new repositories (no more having to configure SSH keys!), and if anything goes wrong in the setup process, Review Board will do a better job of telling you what may be wrong.

If you're using the Local Sites feature, there's some improvements for you as well. Administrators of Local Sites will now have the ability to edit, close and reopen review requests, as well as post under another user's name, just like full-on administrators. These permissions are limited to Local Sites, of course.

We've also fixed some bugs around extensions. Enabling, disabling or changing an extension's settings will now cause the browser to re-fetch pages, instead of using old cached versions. Furthermore, extension customization now works with subdirectory installs.

The improvements in 1.7.17 are covered in more detail in the release notes.

If you're using the new Review Board Power Pack extension, or are looking to try it out, we recommend you update to 1.7.17. There are some fixes in this release that improve the interactivity with Power Pack.

If you're upgrading to 1.6.21, be sure to specify the version on the command line:

$ sudo easy_install ReviewBoard==1.6.21

Release notes:

• 1.6.21
• 1.7.17

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).

These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs.

See the 1.6.19 and 1.7.15 release notes for more details on these releases.

The Django project just released an important security update that affects all Review Board 1.7.x servers, particularly public ones. It allows an attacker to perform a Denial-of-Service attack on the server through the authentication mechanism.

We recommend that everybody running a Review Board 1.7.x release immediately updates to Django 1.4.8. We will be putting out new releases of Review Board today, as well.

Please see the Django security announcement for more information.

We have a pair of releases today for users of Review Board 1.6.x and 1.7.x. Both contain important security updates, and we recommend updating immediately.

This security vulnerability allows attackers to execute JavaScript under certain conditions. There are no known vulnerabilities in the wild. The latest 1.6.x and 1.7.x releases are susceptible to the flaw. We have released 1.6.x and 1.7.x updates. We recommend that all users upgrade their install to a modern release, particularly if you are running a version prior to 1.6.

Along with the security updates, Review Board 1.7.10 provides some new bug fixes, API enhancements (for comments and screenshots), and UI refinement.

See the 1.6.17 and 1.7.10 releases for more info.