
Fedora alert FEDORA-2013-17443 (ReviewBoard)

From:  updates@fedoraproject.org
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 18 Update: ReviewBoard-1.7.14-1.fc18
Date:  Wed, 02 Oct 2013 06:52:03 +0000
Message-ID:  <20131002065205.69AB922276@bastion01.phx2.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-17443
2013-09-23 22:48:12
--------------------------------------------------------------------------------

Name        : ReviewBoard
Product     : Fedora 18
Version     : 1.7.14
Release     : 1.fc18
URL         : http://www.review-board.org
Summary     : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers developers an easy way to handle code reviews. It scales well from small projects to large companies and offers a variety of tools to take much of the stress and time out of the code review process.

--------------------------------------------------------------------------------
Update Information:

* Mon Sep 23 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.14-1
- New upstream security release 1.7.14
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Some API resources were accessible even if their parent resources were not, due to a missing check. In most cases, this was harmless, but it can affect those using access control on groups or review requests.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 23 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.14-1
- New upstream security release 1.7.14
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Some API resources were accessible even if their parent resources were not, due to a missing check. In most cases, this was harmless, but it can affect those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.13-2
- New upstream release 1.7.13
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Starting with this release, sites will automatically be upgraded if they are listed in the text file /etc/reviewboard/sites by the path to their site, one per line.
* Mon Jul 29 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.12-1
- New upstream release 1.7.12
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Security Fixes:
  * Function names in diff headers are no longer rendered as HTML.
  * If a user’s full name contained HTML, the Submitters list would render it as HTML, without escaping it. This was an XSS vulnerability.
  * The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to existing installations. See http://support.beanbaginc.com/support/solutions/articles/... for details.
  * Uploaded files are now renamed to include a hash, preventing users from uploading malicious filenames, and making filenames unguessable.
  * Recaptcha support has been updated to use the new URLs provided by Google.
- New Features:
  * Added an X-ReviewRequest-Repository header for e-mails.
- Extension Improvements:
  * Extensions can now specify their list of app directories.
  * Extensions can now specify the author’s URL.
  * Improved the look and feel for extension configuration.
  * Improved the functionality for extension configuration.
  * Improved the list of available extensions.
- Bug Fixes:
  * Fixed the “Show Whitespace Changes” toggle.
  * Fixed compatibility with modern versions of django-storages.
  * Draft comments on file attachments are no longer shown to all users.
  * Fixed issues with console windows appearing when invoking Clear Case requests on Python 2.7.x and Windows 7.
  * Review requests on Local Sites are now guaranteed to have the proper ID.
  * Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.11-1
- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Bug Fixes:
  * Fixed compatibility with Python 2.5
  * Fixed the drop-down arrow by Support and the account name on older versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.10-1
- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Security Updates:
  * Fixed an XSS vulnerability where users could trigger script errors under certain conditions in auto-complete widgets
- Web API Changes:
  * Added an ?order-by=<fieldname> query parameter for comment resources, allowing ordering by fields such as line numbers (for diff comments)
  * Added a filename field to screenshot resources, which provides the base filename (without path) of the screenshot
  * Added a review_url field to screenshot resources, which provides the URL to the screenshot review page
  * Added a thumbnail_url field to screenshot comment resources, which provides the URL to the snippet of the screenshot being commented on
  * Added a link_text field to file attachment comment resources, which shows the text for any link pointing to the file. This may differ depending on the comment
  * Added a review_url field to file attachment comment resources, which provides the URL to the review page for the file
  * Added a thumbnail_html field to file attachment comment resources, which provides HTML for rendering the thumbnail of the portion of the file being rendered, if any
- UI Changes:
  * Improved the look and feel of the issue summary table. It’s cleaner and no longer looks odd with long comment text
- Bug Fixes:
  * Fixed periodic but harmless JavaScript errors when removing elements with relative timestamps
  * Editing or reordering dashboard columns no longer breaks after the dashboard reloads
  * Relative timestamps in the dashboard no longer break after the dashboard reloads
  * The maximum size of the timezone has increased, allowing for longer timezone strings
* Mon Jun 3 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.9-1
- New upstream release 1.7.9
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- API Changes:
  * Added new blocks and depends_on fields to the Review Request resource
- Bug Fixes:
  * Fixed the max_length of the new HostingServiceAccount.hosting_url field
  * Fixed the documentation for the cgit configuration for Git
  * Fixed the cgit URL for Fedora Hosted
* Mon Jun 3 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.8.1-1
- New upstream release 1.7.8.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Bug Fixes:
  * Fixed a regression with saving repositories that don't use hosting services
- Misc. Changes:
  * Compatibility changes for the upcoming PDF review plugin
- New upstream release 1.7.8
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- New Features:
  * Added Depends On and Blocks fields to review requests
  * Added an improved support page
  * Added the ability to set where Get Support takes users
  * Added improved logging for many operations
- Performance Improvements:
  * Reduced the upload time for many new diffs
  * The templates used for rendering the various pages are now cached after the first render, speeding up the rendering for any future renders. We've seen speedups of ~100-120ms for review request pages
- Usability Improvements:
  * The review request actions are now larger, making them more visible and easier to hit, particularly on touch screens
  * Clicking Fixed, Drop or Re-open now keeps the page in the same scroll position
  * The dashboard now reloads dynamically, without reloading the entire page
  * The comment dialog now tells you when you can't make a comment (due to being logged out or reviewing something that's part of a draft)
- API Changes:
  * Fixed deleting pending replies to comments
  * Fixed some issues returning certain lists of data
- Extensibility Improvements:
  * Extensions can now customize their metadata directly in the Extension class
  * TemplateHooks can now render their own content by overriding render_to_string()
  * NavigationBarHook can now take a url_name parameter specifying the URL name to link to
  * Review UIs can now specify the link and link text for any comments on a review by overriding get_comment_link_url() and get_comment_link_text()
  * Custom hosting services can now be registered/unregistered by extensions by using register_hosting_service() and unregister_hosting_service() (from reviewboard.hostingsvcs.service)
  * Added the ability to more easily write hosting services support that works for self-installable services
- Bug Fixes:
  * Added missing repository validation for Mercurial repositories
  * Fixed replying to comments on file attachments that have since been removed
  * Fixed the display of the upload dialogs when viewing a file attachment
  * Comments on file attachments in e-mails now link to the correct review UI handling the file
  * Worked around rare issues where a reset of the Open An Issue default for a user would cause pages to break
- Misc Changes:
  * E-mails now show the user’s full name instead of just their first name
  * The New Review Request page now mentions RBTools instead of just post-review
* Mon Apr 22 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.7.1-1
- New upstream release 1.7.7.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Bug Fixes:
  * Fixed a problem with generating config files when creating a new site installation
- New upstream release 1.7.7
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- New Features:
  * The configured SSH key can now be deleted
  * Added support for working against a GitHub OAuth application
- Performance Improvements:
  * Uploading a diff with a parent diff will no longer attempt to process any files in the parent diff that aren't in the main diff
  * Sped up rendering times for the Dashboard, All Review Requests page, and the user/groups pages
- Web API Improvements:
  * Fixed a breakage with updating comments when the issue_status field wasn't provided
  * Improved caching logic to not claim a cached payload is valid when the client reports a matching Last Modified timestamp but not a matching ETag
- Bug Fixes:
  * Specifying a port in a SSH URL for a repository will now connect on that port
  * Fixed broken links to file attachments when using Local Sites
  * Review request e-mails now show the right ID in the subject for Local Sites
  * Fixed Python path issues when spawning processes
  * Fixed a rare breakage when saving repositories
  * Fixed the cookie path when using site directories
  * When installing a site, database hosts now accept a port in the format of hostname:port
  * Fixed visual glitches with some rounded corners in the UI
* Wed Apr 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-4
- Add explicit BuildRequires: python-django14
* Wed Apr 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-3
- Change to explicit requirement on python-django14
- Resolves: rhbz#950411
- Change requires to python-django14
* Thu Mar 21 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-2
- Replace references of id2= with id= for cgit
- Use file blobs rather than plaintext representation with Fedora Hosted cgit repositories
* Thu Feb 21 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-1
- New upstream release 1.7.6
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- Fedora-specific: removed versioning requirement on paramiko; it's no longer needed
- Security Updates:
  * We now require Django 1.4.5, which fixes a few security vulnerabilities
- New Features:
  * Added Perforce ticket-based authentication
  * Added a setting for choosing Review Board log levels
- Web API Changes:
  * Added API support for querying and manipulating default reviewers
  * Repositories deleted through the Web API are now only archived if they have any associated review requests
- Bug Fixes:
  * Fixed fetching files with FedoraHosted
  * Fixed some cases where URLs to user pages were incorrect, especially on subdirectory installs and local sites
  * We try harder now to set the PYTHONPATH for subprocesses, which should fix some issues fetching files over Subversion
  * The Administration UI dashboard widgets no longer cache their data too aggressively
  * Fixed showing the error box when entering an invalid reviewer
  * Fixed config/ and db/ links for extensions, when in a subdirectory install
  * The Manual Updates page for the media upload directory no longer points to a non-existent wiki page
* Thu Feb 7 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.5-1
- New upstream release 1.7.5
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- New Features:
  * Added a nicer, human-readable view of diffs in the FileDiff tables in the administration UI
  * The repository name is now included in review request e-mails
- Compatibility Fixes:
  * We now require django-pipeline 1.2.24, which restores our compatibility with Python 2.5 and fixes some errors when loading pages
  * Our list of supported timezones should now be consistent across all installs, since we now require a specific, modern version of pytz (Packager's note: this is an upstream change only. In Fedora we have always relied on the system pytz)
- Bug Fixes:
  * The entire thumbnail for file attachments is now clickable, making it easier to download the file or reach the review page
  * Users are no longer locked out of their review requests when assigned to private groups they don’t have access to
  * The Hide whitespace changes toggle was broken on many browsers, causing a JavaScript error
  * Searching for a user in the quick search field and then clicking the user once again navigates to the user’s page
  * The review request counts in the dashboard no longer show “None” for new users when using Local Sites
* Thu Jan 31 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.4-1
- New upstream release 1.7.4
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- Bug Fixes:
  * Fixed a JavaScript error in Internet Explorer and Firefox 3.x involving the console object being undefined
  * Fixed the diff viewer’s changed file listings when using Windows file paths
* Mon Jan 28 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.3-1
- New upstream release 1.7.3
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- New Features:
  * Add optional support for sending e-mails when closing review requests
- Compatibility Updates:
  * The new support for Perforce moved files has changed RBTools 0.4.3 will now require Review Board 1.7.3 at a minimum.
  * Review Board now works with SVN diffs generated in many non-C locales
- Web API Changes:
  * Added a scmtools.perforce.moved_files capability to indicate moved file support for Perforce
- Bug Fixes:
  * SMTP servers saved with additional whitespace will now have that whitespace stripped, in order to prevent lookup failures.
  * Fixed a crash when running a search index
  * The listed creation time for a review request now reflects when it was first published, not when the initial draft was first created
  * The "Add Comment" button on file attachment thumbnails is no longer shown if not logged in
  * Fixed a bug allowing for publishing blank review requests after filling in the field and then deleting them
  * Fixed an occasional crash when viewing a diff when displaying a function or class header on the left-hand side but when there was none on the right-hand side
  * Fixed a breakage on some systems when checking the Mercurial version
  * The Summary field no longer overlaps text when wrapping
  * Fixed the review ID column when using Local Sites
  * Using a custom SITE_ROOT with a development server setup no longer breaks all static media
  * Fixed the capitalization of the "VersionOne" bug tracker entry
  * Using ClearCase on Windows 7 should no longer cause console windows to pop up
  * Fixed loading blank comments in the diff viewer
* Thu Jan 17 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.2-1
- New upstream release 1.7.2
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- New Features:
  - Added bug tracker support for VersionOne
  - Added support for ssl:-prefixed P4PORTs for Perforce 2012.1+
  - Added support for moved file handling for Perforce
- Bug Fixes:
  - Fixed an HTML escaping issue when listing filenames in the diff viewer
  - Fixed the display of the static media instructions in rb-site
  - Attempting to install on Python 2.4 will now display a helpful error before failing, instead of a cryptic error
  - Fixed the display of file attachment names in review request change descriptions that don’t have captions
  - Fixed the default file-based cache path used when creating a new site
  - The Review Board Activity widget in the administration UI will now clear the data shown when the datasets are unselected
  - Fixed capitalization of the navigation bar entries to be consistent
  - Fixed the link to the PyLucene documentation in the General Settings page
  - Fixed default Apache configuration files to be explicit in enabling FollowSymLinks
  - Fixed timezone warnings when running the search index command
* Fri Dec 21 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.1-2
- Add missing runtime dependencies
* Wed Dec 19 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.1-1
- New upstream release 1.7.1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
* Thu Dec 13 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-5.rc1
- Update to upstream release candidate 1.7rc1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-4.beta2
- Disable building documentation
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-3.beta2
- Disable JavaScript minification until python-slimit is available
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-2.beta2
- New upstream release 1.7 beta2
- New Features:
  - Introduced a new style for Review Board
- Performance Improvements:
  - We’ve updated our dependency on jQuery to the latest version. We’ve been on an old one for quite a while, and there have been many performance improvements since. The site’s responsiveness should be a little faster now.
- Bug Fixes:
  - Fixed the paths to certain decorational image files
  - File attachment comments are no longer missing from the review box
  - Fixed problems with issue tracking statuses in the review box
  - Fixed wrapping of the text in the change updates
  - Admin UI widgets no longer overlap when loading the page
* Mon Aug 6 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-1.beta1
- New upstream release 1.7 beta1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- Compatibility Changes:
  - Added a requirement for Django 1.4
  - Dropped Python 2.4 support
- New Features:
  - Experimental extension support
  - New administration UI
  - Issue summary table for review requests
  - Moved files in a change are better represented in the diff viewer
  - Some file attachments are now shown with more detailed previews
  - Added a “To Me” column in the dashboard
  - Dates and times are now localized to the user’s region
  - The review request update bubble now says if the review request was closed
  - E-mails now include the review request ID in the subject header
  - Links in the Description and Testing Done text now open in new windows or tabs
  - Required fields on a review request are now marked as required by showing an asterisk
  - Added a “Show changes” link on the change description boxes after publishing a diff
  - Added support for the latest CVS diff file format
- Removed Features:
  - The hidden reports feature (accessible at /reports/) has been removed
- Performance Improvements:
  - Reduced download time of JavaScript and CSS
  - Reduced diff storage and lookups
- Web API Changes:
  - Added server capabilities in /api/info/
  - Added resources for viewing the original and patched files for a FileDiff
- Bug Fixes:
  - The “Diff Updated” column in the dashboard now actually reflects the last diff update
  - Captions changes for file attachments are now shown on change description boxes, just like screenshot caption changes
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1008423 - ReviewBoard-1.7.14 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1008423
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
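
The 1.7.14 entry in the notification above describes child API resources that stayed reachable when their parent was not. The sketch below is an added illustration of that class of bug and is not Review Board code: the `Resource` class, the resource labels and the users are all constructed. It contrasts a check that consults only the requested resource with one that walks the parent chain, and `find_gaps` can serve as a regression test over a resource tree.

```python
"""Added illustration of a parent-resource access check; not Review Board code.
All class names, resource labels and users are constructed for this example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Resource:
    label: str
    parent: Optional["Resource"] = None
    # None: this level adds no restriction. A set: only these users may read it.
    readers: Optional[FrozenSet[str]] = None

    def allows(self, user: str) -> bool:
        return self.readers is None or user in self.readers


def child_only_check(resource: Resource, user: str) -> bool:
    """Flawed pattern: consults only the requested resource's own ACL."""
    return resource.allows(user)


def chain_check(resource: Resource, user: str) -> bool:
    """Deny unless the resource and every ancestor allow the user."""
    node: Optional[Resource] = resource
    while node is not None:
        if not node.allows(user):
            return False
        node = node.parent
    return True


def find_gaps(resources: Sequence[Resource],
              users: Sequence[str]) -> List[Tuple[str, str]]:
    """(label, user) pairs the flawed check serves but the chain check denies."""
    return [(r.label, u) for r in resources for u in users
            if child_only_check(r, u) and not chain_check(r, u)]


def sample_tree() -> List[Resource]:
    # Constructed hierarchy: only "alice" may read the top-level request.
    request = Resource("private-review-request", readers=frozenset({"alice"}))
    review = Resource("review", parent=request)
    comment = Resource("diff-comment", parent=review)
    return [request, review, comment]


if __name__ == "__main__":
    for label, user in find_gaps(sample_tree(), ["alice", "mallory"]):
        print(f"{user} can reach {label} without access to its parent")
```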



