
Fedora alert FEDORA-2013-18931 (ReviewBoard)

Subject:  [SECURITY] Fedora 19 Update: ReviewBoard-1.7.16-2.fc19
Date:  Tue, 29 Oct 2013 03:40:02 +0000
Message-ID:  <>
Archive-link:  Article, Thread

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-18931
2013-10-11 22:52:24
--------------------------------------------------------------------------------

Name        : ReviewBoard
Product     : Fedora 19
Version     : 1.7.16
Release     : 2.fc19
URL         :
Summary     : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers developers
an easy way to handle code reviews. It scales well from small projects to
large companies and offers a variety of tools to take much of the stress and
time out of the code review process.
--------------------------------------------------------------------------------
Update Information:

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could
access certain data they should not have been able to access, if using the
Local Sites feature, invite-only groups, or private repositories. It also
fixes cases with invite-only groups where the group name and list of private
review requests would show up on some pages (though the review requests
themselves were not accessible).

These issues do not affect most of the installations out there, but we
strongly recommend upgrading anyway. There are no known cases of anyone
exploiting these bugs, and in fact we discovered these internally while
building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for
extensions that provide their own REST APIs.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Oct 13 2013 Patrick Uiterwijk <> - 1.7.16-2
- Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk <> - 1.7.15-2
- New upstream bugfix release 1.7.16
  - Fixes a breakage when accessing the Review Group Users resource
  - Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher <> - 1.7.15-1
- New upstream security release 1.7.15
  - Resolves: CVE-2013-4410
    - Fixes access-control problems with REST API
  - Resolves: CVE-2013-4411
    - Fixes URL processing allowing unauthorized users to view review lists
* Mon Sep 23 2013 Stephen Gallagher <> - 1.7.14-1
- New upstream security release 1.7.14
  - Some API resources were accessible even if their parent resources were
    not, due to a missing check. In most cases, this was harmless, but it can
    affect those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher <> - 1.7.13-2
- New upstream release 1.7.13
  - Starting with this release, sites will automatically be upgraded if they
    are listed in the text file /etc/reviewboard/sites by the path to their
    site, one per line.
* Mon Jul 29 2013 Stephen Gallagher <> - 1.7.12-1
- New upstream release 1.7.12
  - Security Fixes:
    * Function names in diff headers are no longer rendered as HTML.
    * If a user’s full name contained HTML, the Submitters list would render
      it as HTML, without escaping it. This was an XSS vulnerability.
    * The default Apache configuration is now more strict with how it serves
      up file attachments. This does not apply to existing installations.
      See for details.
    * Uploaded files are now renamed to include a hash, preventing users from
      uploading malicious filenames, and making filenames unguessable.
    * Recaptcha support has been updated to use the new URLs provided by
      Google.
  - New Features:
    * Added an X-ReviewRequest-Repository header for e-mails.
  - Extension Improvements:
    * Extensions can now specify their list of app directories.
    * Extensions can now specify the author’s URL.
    * Improved the look and feel for extension configuration.
    * Improved the functionality for extension configuration.
    * Improved the list of available extensions.
  - Bug Fixes:
    * Fixed the “Show Whitespace Changes” toggle.
    * Fixed compatibility with modern versions of django-storages.
    * Draft comments on file attachments are no longer shown to all users.
    * Fixed issues with console windows appearing when invoking Clear Case
      requests on Python 2.7.x and Windows 7.
    * Review requests on Local Sites are now guaranteed to have the proper ID.
    * Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher <> - 1.7.11-1
- New upstream release 1.7.11
  - Bug Fixes:
    * Fixed compatibility with Python 2.5
    * Fixed the drop-down arrow by Support and the account name on older
      versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <> - 1.7.10-1
- New upstream release 1.7.10
  - Security Updates:
    * Fixed an XSS vulnerability where users could trigger script errors
      under certain conditions in auto-complete widgets
  - Web API Changes:
    * Added an ?order-by=<fieldname> query parameter for comment resources,
      allowing ordering by fields such as line numbers (for diff comments)
    * Added a filename field to screenshot resources, which provides the base
      filename (without path) of the screenshot
    * Added a review_url field to screenshot resources, which provides the
      URL to the screenshot review page
    * Added a thumbnail_url field to screenshot comment resources, which
      provides the URL to the snippet of the screenshot being commented on
    * Added a link_text field to file attachment comment resources, which
      shows the text for any link pointing to the file. This may differ
      depending on the comment
    * Added a review_url field to file attachment comment resources, which
      provides the URL to the review page for the file
    * Added a thumbnail_html field to file attachment comment resources,
      which provides HTML for rendering the thumbnail of the portion of the
      file being rendered, if any
  - UI Changes:
    * Improved the look and feel of the issue summary table. It’s cleaner and
      no longer looks odd with long comment text
  - Bug Fixes:
    * Fixed periodic but harmless JavaScript errors when removing elements
      with relative timestamps
    * Editing or reordering dashboard columns no longer breaks after the
      dashboard reloads
    * Relative timestamps in the dashboard no longer break after the
      dashboard reloads
    * The maximum size of the timezone has increased, allowing for longer
      timezone strings
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems
        with REST API
  [ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows
        unauthorized users to view review lists
  [ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval()
        vulnerability
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line. For more information,
refer to "Managing Software with yum", available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
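The 1.7.14 changelog entry above describes child API resources that stayed reachable when their parent resource was not, because only the requested resource was checked. The following added example is not Review Board's code; the resource model, class names and the invite-only group are constructed for illustration. It contrasts a leaf-only check with one that walks the whole parent chain, using a group and its group-users sub-resource.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class Group:
    """Constructed stand-in for a review group that may be invite-only."""
    name: str
    invite_only: bool = False
    members: set = field(default_factory=set)

    def is_accessible_by(self, user: User) -> bool:
        return not self.invite_only or user.name in self.members


@dataclass
class Resource:
    """A REST resource with an optional parent (e.g. group -> group users)."""
    name: str
    parent: "Resource | None" = None
    obj: object = None  # domain object backing this resource, if any

    def own_check(self, user: User) -> bool:
        # Only resources backed by a domain object restrict access themselves;
        # a child list resource like "group users" has no check of its own.
        return True if self.obj is None else self.obj.is_accessible_by(user)


def can_access_leaf_only(user: User, resource: Resource) -> bool:
    """Vulnerable pattern: checks only the requested resource."""
    return resource.own_check(user)


def can_access(user: User, resource: Resource) -> bool:
    """Hardened pattern: a resource is accessible only if every ancestor is."""
    node = resource
    while node is not None:
        if not node.own_check(user):
            return False
        node = node.parent
    return True


def demo() -> dict:
    secret = Group("secret", invite_only=True, members={"alice"})
    group_res = Resource("review-group", obj=secret)
    users_res = Resource("review-group-users", parent=group_res)
    outsider, member = User("bob"), User("alice")
    return {
        "leaf_only_outsider": can_access_leaf_only(outsider, users_res),
        "chained_outsider": can_access(outsider, users_res),
        "chained_member": can_access(member, users_res),
    }
```

The leaf-only check lets the outsider list members of the invite-only group; the chained check denies it while still admitting the member.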


Copyright © 2017, Eklektix, Inc.