From: <updates <at> fedoraproject.org>
Subject: [SECURITY] Fedora 19 Update: ReviewBoard-1.7.16-2.fc19
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Tuesday 29th October 2013 03:40:02 UTC
Fedora Update Notification
2013-10-11 22:52:24

Name        : ReviewBoard
Product     : Fedora 19
Version     : 1.7.16
Release     : 2.fc19
URL         : http://www.review-board.org
Summary     : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.

Update Information:

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users
could access certain data they should not have been able to access, if
using the Local Sites feature, invite-only groups, or private repositories.
It also fixes cases with invite-only groups where the group name and list
of private review requests would show up on some pages (though the review
requests themselves were not accessible).

These issues do not affect most of the installations out there, but we
strongly recommend upgrading anyway. There are no known cases of anyone
exploiting these bugs, and in fact we discovered these internally while
building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for
extensions that provide their own REST APIs.
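As an added illustration (not Review Board's or Fedora's code) of the bug class this update and the 1.7.14 changelog entry describe, a child REST resource that stays reachable when its parent is not, here is a small Python model in which the fix is to chain the parent's access check onto the child. The `Resource` class, the group data and the user names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class Forbidden(Exception):
    """Raised when a resource, or any of its ancestors, denies access."""


@dataclass
class ReviewGroup:
    name: str
    invite_only: bool = False
    members: frozenset = frozenset()


# Constructed sample data: one open group and one invite-only group.
GROUPS = {
    "devs": ReviewGroup("devs", members=frozenset({"alice"})),
    "secret": ReviewGroup("secret", invite_only=True, members=frozenset({"bob"})),
}


def group_accessible(username: str, group: ReviewGroup) -> bool:
    """Parent-level rule: invite-only groups are visible to members only."""
    return not group.invite_only or username in group.members


@dataclass
class Resource:
    """A REST resource; its own check and every ancestor's check must pass."""
    check: Callable[[str, ReviewGroup], bool]
    parent: Optional["Resource"] = None

    def authorize(self, username: str, group: ReviewGroup) -> None:
        node = self
        while node is not None:  # walk up: a child is never more permissive than its parent
            if not node.check(username, group):
                raise Forbidden(f"{username} may not access group {group.name!r}")
            node = node.parent


GROUP_RESOURCE = Resource(check=group_accessible)
# Vulnerable shape: the users sub-resource has only a permissive local check.
USERS_RESOURCE_UNCHECKED = Resource(check=lambda u, g: True)
# Fixed shape: same local check, but chained to the parent group resource.
USERS_RESOURCE_FIXED = Resource(check=lambda u, g: True, parent=GROUP_RESOURCE)


def list_group_users(resource: Resource, username: str, group_name: str) -> list:
    group = GROUPS[group_name]
    resource.authorize(username, group)
    return sorted(group.members)


def can_list(resource: Resource, username: str, group_name: str) -> bool:
    try:
        list_group_users(resource, username, group_name)
        return True
    except Forbidden:
        return False
```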

* Sun Oct 13 2013 Patrick Uiterwijk  - 1.7.16-2
- Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk  - 1.7.15-2
- New upstream bugfix release 1.7.16
- Fixes a breakage when accessing the Review Group Users resource
- Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher  - 1.7.15-1
- New upstream security release 1.7.15
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15/
- Resolves: CVE-2013-4410
- Fixes access-control problems with REST API
- Resolves: CVE-2013-4411
- Fixes URL processing allowing unauthorized users to view review lists
* Mon Sep 23 2013 Stephen Gallagher  - 1.7.14-1
- New upstream security release 1.7.14
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.14/
- Some API resources were accessible even if their parent resources were
  due to a missing check. In most cases, this was harmless, but it can
  those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher  - 1.7.13-2
- New upstream release 1.7.13
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.13/
- Starting with this release, sites will automatically be upgraded if they
  listed in the text file /etc/reviewboard/sites by the path to their site,
  one per line.
* Mon Jul 29 2013 Stephen Gallagher  - 1.7.12-1
- New upstream release 1.7.12
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/
- Security Fixes:
    * Function names in diff headers are no longer rendered as HTML.
    * If a user’s full name contained HTML, the Submitters list would render it
      as HTML, without escaping it. This was an XSS vulnerability.
    * The default Apache configuration is now more strict with how it serves up
      file attachments. This does not apply to existing installations. See
      for details.
    * Uploaded files are now renamed to include a hash, preventing users
      uploading malicious filenames, and making filenames unguessable.
    * Recaptcha support has been updated to use the new URLs provided by
- New Features:
    * Added a X-ReviewRequest-Repository header for e-mails.
- Extension Improvements:
    * Extensions can now specify their list of app directories.
    * Extensions can now specify the author’s URL.
    * Improved the look and feel for extension configuration.
    * Improved the functionality for extension configuration.
    * Improved the list of available extensions.
- Bug Fixes:
    * Fixed the “Show Whitespace Changes” toggle.
    * Fixed compatibility with modern versions of django-storages.
    * Draft comments on file attachments are no longer shown to all users.
    * Fixed issues with console windows appearing when invoking Clear Case
      requests on Python 2.7.x and Windows 7.
    * Review requests on Local Sites are now guaranteed to have the proper
    * Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher  - 1.7.11-1
- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.11/
- Bug Fixes:
    * Fixed compatibility with Python 2.5
    * Fixed the drop-down arrow by Support and the account name on older
      versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher  - 1.7.10-1
- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
    * Fixed an XSS vulnerability where users could trigger script errors
      certain conditions in auto-complete widgets
- Web API Changes:
    * Added an ?order-by= query parameter for comment resources,
      allowing ordering by fields such as line numbers (for diff comments)
    * Added a filename field to screenshot resources, which provides the
      filename (without path) of the screenshot
    * Added a review_url field to screenshot resources, which provides the
      to the screenshot review page
    * Added a thumbnail_url field to screenshot comment resources, which
      provides the URL to the snippet of the screenshot being commented on
    * Added a link_text field to file attachment comment resources, which
      the text for any link pointing to the file. This may differ depending
      the comment
    * Added a review_url field to file attachment comment resources, which
      provides the URL to the review page for the file
    * Added a thumbnail_html field to file attachment comment resources,
      provides HTML for rendering the thumbnail of the portion of the file
      being rendered, if any
- UI Changes:
    * Improved the look and feel of the issue summary table. It’s cleaner
      no longer looks odd with long comment text
- Bug Fixes:
    * Fixed periodic but harmless JavaScript errors when removing elements
      relative timestamps
    * Editing or reordering dashboard columns no longer breaks after the
      dashboard reloads
    * Relative timestamps in the dashboard no longer break after the
    * The maximum size of the timezone has increased, allowing for longer
      timezone strings

  [ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems
  [ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows unauthorized users to view review lists
  [ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval()

This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on
GPG keys used by the Fedora Project can be found at