
Fedora alert FEDORA-2013-18911 (ReviewBoard)

From:  updates@fedoraproject.org
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 18 Update: ReviewBoard-1.7.16-2.fc18
Date:  Tue, 29 Oct 2013 03:43:47 +0000
Message-ID:  <20131029034347.696E121096@bastion01.phx2.fedoraproject.org>
Archive-link:  Article, Thread

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-18911
2013-10-11 22:51:43
--------------------------------------------------------------------------------

Name        : ReviewBoard
Product     : Fedora 18
Version     : 1.7.16
Release     : 2.fc18
URL         : http://www.review-board.org
Summary     : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers developers an
easy way to handle code reviews. It scales well from small projects to large
companies and offers a variety of tools to take much of the stress and time out
of the code review process.

--------------------------------------------------------------------------------
Update Information:

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could
access certain data they should not have been able to access, if using the
Local Sites feature, invite-only groups, or private repositories. It also fixes
cases with invite-only groups where the group name and list of private review
requests would show up on some pages (though the review requests themselves
were not accessible). These issues do not affect most of the installations out
there, but we strongly recommend upgrading anyway. There are no known cases of
anyone exploiting these bugs, and in fact we discovered these internally while
building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for
extensions that provide their own REST APIs.
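The class of bug described in the update information (and in the 1.7.14 changelog entry further down, "Some API resources were accessible even if their parent resources were not, due to a missing check") is a nested-resource authorization gap: the child endpoint enforces only its own rule, while the parent that actually carries the restriction (a review request in an invite-only group, or on a private repository) is never consulted. The following is an added example in hypothetical Python, not Review Board's code, showing the flawed shape beside the fixed one. Every class and function name in it (User, Group, Repository, ReviewRequest, Review, Comment, get_unchecked, get_checked, visible_review_requests) is an assumption for illustration, and the scenario data is constructed.

```python
"""Parent-aware access checks for nested REST resources.

Added example, hypothetical code and not Review Board's own. A child resource
inherits its parent's visibility, so a missing per-resource rule cannot widen
access. Every class and function name here is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class User:
    name: str
    groups: Set[str] = field(default_factory=set)  # groups the user belongs to
    repos: Set[str] = field(default_factory=set)   # private repos the user may read


@dataclass(frozen=True)
class Group:
    name: str
    invite_only: bool = False

    def is_accessible_by(self, user: User) -> bool:
        return not self.invite_only or self.name in user.groups


@dataclass(frozen=True)
class Repository:
    name: str
    public: bool = True

    def is_accessible_by(self, user: User) -> bool:
        return self.public or self.name in user.repos


class Resource:
    """A resource is visible only if its whole parent chain is visible."""
    parent: Optional["Resource"] = None

    def _own_check(self, user: User) -> bool:
        return True  # default: no rule of its own

    def is_accessible_by(self, user: User) -> bool:
        if self.parent is not None and not self.parent.is_accessible_by(user):
            return False  # deny before the child's own rule is consulted
        return self._own_check(user)


class ReviewRequest(Resource):
    def __init__(self, rid, submitter, repository, target_groups):
        self.id, self.submitter = rid, submitter
        self.repository, self.target_groups = repository, list(target_groups)

    def _own_check(self, user):
        if user.name == self.submitter:
            return True
        if not self.repository.is_accessible_by(user):
            return False
        # Targeting only invite-only groups makes the request private to members.
        return not self.target_groups or any(
            g.is_accessible_by(user) for g in self.target_groups)


class Review(Resource):
    def __init__(self, review_request, author, public=True):
        self.parent, self.author, self.public = review_request, author, public

    def _own_check(self, user):
        return self.public or user.name == self.author  # drafts are author-only


class Comment(Resource):
    """A diff comment: no rule of its own, visibility comes from above."""
    def __init__(self, review, text):
        self.parent, self.text = review, text


def get_unchecked(resource, user):
    """The flawed shape: only the resource's own rule is consulted."""
    return 200 if resource._own_check(user) else 403


def get_checked(resource, user):
    """The fixed shape: the parent chain is checked first."""
    return 200 if resource.is_accessible_by(user) else 403


def visible_review_requests(user, requests):
    """Listing and count pages filter with the same predicate GET uses, so a
    private request is neither listed nor counted for an outsider."""
    return [r for r in requests if r.is_accessible_by(user)]


# Constructed scenario, not real data: a request in an invite-only group on a
# public repository, carrying a published review with one diff comment.
SECURITY_TEAM = Group("security", invite_only=True)
PUBLIC_REPO = Repository("main", public=True)
RR = ReviewRequest(42, "alice", PUBLIC_REPO, [SECURITY_TEAM])
REVIEW = Review(RR, "bob", public=True)
COMMENT = Comment(REVIEW, "off-by-one in the length check")
MEMBER = User("bob", groups={"security"})
OUTSIDER = User("mallory")
```

With this data, get_unchecked(COMMENT, OUTSIDER) returns 200 (the leak: the comment has no rule of its own, so the outsider reads it through a review request they cannot open), get_checked(COMMENT, OUTSIDER) returns 403, and get_checked(COMMENT, MEMBER) returns 200. The same predicate drives visible_review_requests, which is the point of the second issue in the notice: a listing or count page that uses a different filter than the GET handler will still reveal the names of private items.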
--------------------------------------------------------------------------------
ChangeLog:

* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.7.16-2
- Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@redhat.com> - 1.7.15-2
- New upstream bugfix release 1.7.16
- Fixes a breakage when accessing the Review Group Users resource
- Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.15-1
- New upstream security release 1.7.15
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Resolves: CVE-2013-4410 - Fixes access-control problems with REST API
- Resolves: CVE-2013-4411 - Fixes URL processing allowing unauthorized users to
  view review lists
* Mon Sep 23 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.14-1
- New upstream security release 1.7.14
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Some API resources were accessible even if their parent resources were not,
  due to a missing check. In most cases, this was harmless, but it can affect
  those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.13-2
- New upstream release 1.7.13
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Starting with this release, sites will automatically be upgraded if they are
  listed in the text file /etc/reviewboard/sites by the path to their site,
  one per line.
* Mon Jul 29 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.12-1
- New upstream release 1.7.12
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Security Fixes:
  * Function names in diff headers are no longer rendered as HTML.
  * If a user’s full name contained HTML, the Submitters list would render it
    as HTML, without escaping it. This was an XSS vulnerability.
  * The default Apache configuration is now more strict with how it serves up
    file attachments. This does not apply to existing installations. See
    http://support.beanbaginc.com/support/solutions/articles/... for details.
  * Uploaded files are now renamed to include a hash, preventing users from
    uploading malicious filenames, and making filenames unguessable.
  * Recaptcha support has been updated to use the new URLs provided by Google.
- New Features:
  * Added a X-ReviewRequest-Repository header for e-mails.
- Extension Improvements:
  * Extensions can now specify their list of app directories.
  * Extensions can now specify the author’s URL.
  * Improved the look and feel for extension configuration.
  * Improved the functionality for extension configuration.
  * Improved the list of available extensions.
- Bug Fixes:
  * Fixed the “Show Whitespace Changes” toggle.
  * Fixed compatibility with modern versions of django-storages.
  * Draft comments on file attachments are no longer shown to all users.
  * Fixed issues with console windows appearing when invoking Clear Case
    requests on Python 2.7.x and Windows 7.
  * Review requests on Local Sites are now guaranteed to have the proper ID.
  * Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.11-1
- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Bug Fixes:
  * Fixed compatibility with Python 2.5
  * Fixed the drop-down arrow by Support and the account name on older
    versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.10-1
- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Security Updates:
  * Fixed an XSS vulnerability where users could trigger script errors under
    certain conditions in auto-complete widgets
- Web API Changes:
  * Added a ?order-by=<fieldname> query parameter for comment resources,
    allowing ordering by fields such as line numbers (for diff comments)
  * Added a filename field to screenshot resources, which provides the base
    filename (without path) of the screenshot
  * Added a review_url field to screenshot resources, which provides the URL
    to the screenshot review page
  * Added a thumbnail_url field to screenshot comment resources, which
    provides the URL to the snippet of the screenshot being commented on
  * Added a link_text field to file attachment comment resources, which shows
    the text for any link pointing to the file. This may differ depending on
    the comment
  * Added a review_url field to file attachment comment resources, which
    provides the URL to the review page for the file
  * Added a thumbnail_html field to file attachment comment resources, which
    provides HTML for rendering the thumbnail of the portion of the file being
    rendered, if any
- UI Changes:
  * Improved the look and feel of the issue summary table. It’s cleaner and
    no longer looks odd with long comment text
- Bug Fixes:
  * Fixed periodic but harmless JavaScript errors when removing elements with
    relative timestamps
  * Editing or reordering dashboard columns no longer breaks after the
    dashboard reloads
  * Relative timestamps in the dashboard no longer break after the dashboard
    reloads
  * The maximum size of the timezone has increased, allowing for longer
    timezone strings
* Mon Jun 3 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.9-1
- New upstream release 1.7.9
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- API Changes:
  * Added new blocks and depends_on fields to the Review Request resource
- Bug Fixes:
  * Fixed the max_length of the new HostingServiceAccount.hosting_url field
  * Fixed the documentation for the cgit configuration for Git
  * Fixed the cgit URL for Fedora Hosted
* Mon Jun 3 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.8.1-1
- New upstream release 1.7.8.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Bug Fixes:
  * Fixed a regression with saving repositories that don't use hosting
    services
- Misc. Changes:
  * Compatibility changes for the upcoming PDF review plugin
- New upstream release 1.7.8
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- New Features:
  * Added Depends On and Blocks fields to review requests
  * Added an improved support page
  * Added the ability to set where Get Support takes users
  * Added improved logging for many operations
- Performance Improvements:
  * Reduced the upload time for many new diffs
  * The templates used for rendering the various pages are now cached after
    the first render, speeding up the rendering for any future renders. We've
    seen speedups of ~100-120ms for review request pages
- Usability Improvements:
  * The review request actions are now larger, making them more visible and
    easier to hit, particularly on touch screens
  * Clicking Fixed, Drop or Re-open now keeps the page in the same scroll
    position
  * The dashboard now reloads dynamically, without reloading the entire page
  * The comment dialog now tells you when you can't make a comment (due to
    being logged out or reviewing something that's part of a draft)
- API Changes:
  * Fixed deleting pending replies to comments
  * Fixed some issues returning certain lists of data
- Extensibility Improvements:
  * Extensions can now customize their metadata directly in the Extension
    class
  * TemplateHooks can now render their own content by overriding
    render_to_string()
  * NavigationBarHook can now take a url_name parameter specifying the URL
    name to link to
  * Review UIs can now specify the link and link text for any comments on a
    review by overriding get_comment_link_url() and get_comment_link_text()
  * Custom hosting services can now be registered/unregistered by extensions
    by using register_hosting_service() and unregister_hosting_service()
    (from reviewboard.hostingsvcs.service)
  * Added the ability to more easily write hosting services support that
    works for self-installable services
- Bug Fixes:
  * Added missing repository validation for Mercurial repositories
  * Fixed replying to comments on file attachments that have since been
    removed
  * Fixed the display of the upload dialogs when viewing a file attachment
  * Comments on file attachments in e-mails now link to the correct review UI
    handling the file
  * Worked around rare issues where a reset of the Open An Issue default for
    a user would cause pages to break
- Misc Changes:
  * E-mails now show the user’s full name instead of just their first name
  * The New Review Request page now mentions RBTools instead of just
    post-review
* Mon Apr 22 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.7.1-1
- New upstream release 1.7.7.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- Bug Fixes:
  * Fixed a problem with generating config files when creating a new site
    installation
- New upstream release 1.7.7
- http://www.reviewboard.org/docs/releasenotes/reviewboard/...
- New Features:
  * The configured SSH key can now be deleted
  * Added support for working against a GitHub OAuth application
- Performance Improvements:
  * Uploading a diff with a parent diff will no longer attempt to process any
    files in the parent diff that aren't in the main diff
  * Sped up rendering times for the Dashboard, All Review Requests page, and
    the user/groups pages
- Web API Improvements:
  * Fixed a breakage with updating comments when the issue_status field
    wasn't provided
  * Improved caching logic to not claim a cached payload is valid when the
    client reports a matching Last Modified timestamp but not a matching ETag
- Bug Fixes:
  * Specifying a port in a SSH URL for a repository will now connect on that
    port
  * Fixed broken links to file attachments when using Local Sites
  * Review request e-mails now show the right ID in the subject for Local
    Sites
  * Fixed Python path issues when spawning processes
  * Fixed a rare breakage when saving repositories
  * Fixed the cookie path when using site directories
  * When installing a site, database hosts now accept a port in the format
    of hostname:port
  * Fixed visual glitches with some rounded corners in the UI
* Wed Apr 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-4
- Add explicit BuildRequires: python-django14
* Wed Apr 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-3
- Change to explicit requirement on python-django14
- Resolves: rhbz#950411 - Change requires to python-django14
* Thu Mar 21 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-2
- Replace references of id2= with id= for cgit
- Use file blobs rather than plaintext representation with Fedora Hosted cgit
  repositories
* Thu Feb 21 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-1
- New upstream release 1.7.6
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- Fedora-specific: removed versioning requirement on paramiko; it's no longer
  needed
- Security Updates:
  * We now require Django 1.4.5, which fixes a few security vulnerabilities
- New Features:
  * Added Perforce ticket-based authentication
  * Added a setting for choosing Review Board log levels
- Web API Changes:
  * Added API support for querying and manipulating default reviewers
  * Repositories deleted through the Web API are now only archived if they
    have any associated review requests
- Bug Fixes:
  * Fixed fetching files with FedoraHosted
  * Fixed some cases where URLs to user pages were incorrect, especially on
    subdirectory installs and local sites
  * We try harder now to set the PYTHONPATH for subprocesses, which should
    fix some issues fetching files over Subversion
  * The Administration UI dashboard widgets no longer cache their data too
    aggressively
  * Fixed showing the error box when entering an invalid reviewer
  * Fixed config/ and db/ links for extensions, when in a subdirectory
    install
  * The Manual Updates page for the media upload directory no longer points
    to a non-existent wiki page
* Thu Feb 7 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.5-1
- New upstream release 1.7.5
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- New Features:
  * Added a nicer, human-readable view of diffs in the FileDiff tables in the
    administration UI
  * The repository name is now included in review request e-mails
- Compatibility Fixes:
  * We now require django-pipeline 1.2.24, which restores our compatibility
    with Python 2.5 and fixes some errors when loading pages
  * Our list of supported timezones should now be consistent across all
    installs, since we now require a specific, modern version of pytz
    (Packager's note: this is an upstream change only. In Fedora we have
    always relied on the system pytz)
- Bug Fixes:
  * The entire thumbnail for file attachments is now clickable, making it
    easier to download the file or reach the review page
  * Users are no longer locked out of their review requests when assigned to
    private groups they don’t have access to
  * The Hide whitespace changes toggle was broken on many browsers, causing a
    JavaScript error
  * Searching for a user in the quick search field and then clicking the user
    once again navigates to the user’s page
  * The review request counts in the dashboard no longer show “None” for new
    users when using Local Sites
* Thu Jan 31 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.4-1
- New upstream release 1.7.4
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- Bug Fixes:
  * Fixed a JavaScript error in Internet Explorer and Firefox 3.x involving
    the console object being undefined
  * Fixed the diff viewer’s changed file listings when using Windows file
    paths
* Mon Jan 28 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.3-1
- New upstream release 1.7.3
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- New Features:
  * Add optional support for sending e-mails when closing review requests
- Compatibility Updates:
  * The new support for Perforce moved files has changed. RBTools 0.4.3 will
    now require Review Board 1.7.3 at a minimum.
  * Review Board now works with SVN diffs generated in many non-C locales
- Web API Changes:
  * Added a scmtools.perforce.moved_files capability to indicate moved file
    support for Perforce
- Bug Fixes:
  * SMTP servers saved with additional whitespace will now have that
    whitespace stripped, in order to prevent lookup failures.
  * Fixed a crash when running a search index
  * The listed creation time for a review request now reflects when it was
    first published, not when the initial draft was first created
  * The "Add Comment" button on file attachment thumbnails is no longer shown
    if not logged in
  * Fixed a bug allowing for publishing blank review requests after filling
    in the field and then deleting them
  * Fixed an occasional crash when viewing a diff when displaying a function
    or class header on the left-hand side but when there was none on the
    right-hand side
  * Fixed a breakage on some systems when checking the Mercurial version
  * The Summary field no longer overlaps text when wrapping
  * Fixed the review ID column when using Local Sites
  * Using a custom SITE_ROOT with a development server setup no longer breaks
    all static media
  * Fixed the capitalization of the "VersionOne" bug tracker entry
  * Using ClearCase on Windows 7 should no longer cause console windows to
    pop up
  * Fixed loading blank comments in the diff viewer
* Thu Jan 17 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.2-1
- New upstream release 1.7.2
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- New Features:
  - Added bug tracker support for VersionOne
  - Added support for ssl:-prefixed P4PORTs for Perforce 2012.1+
  - Added support for moved file handling for Perforce
- Bug Fixes:
  - Fixed an HTML escaping issue when listing filenames in the diff viewer
  - Fixed the display of the static media instructions in rb-site
  - Attempting to install on Python 2.4 will now display a helpful error
    before failing, instead of a cryptic error
  - Fixed the display of file attachment names in review request change
    descriptions that don’t have captions
  - Fixed the default file-based cache path used when creating a new site
  - The Review Board Activity widget in the administration UI will now clear
    the data shown when the datasets are unselected
  - Fixed capitalization of the navigation bar entries to be consistent
  - Fixed the link to the PyLucene documentation in the General Settings page
  - Fixed default Apache configuration files to be explicit in enabling
    FollowSymLinks
  - Fixed timezone warnings when running the search index command
* Fri Dec 21 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.1-2
- Add missing runtime dependencies
* Wed Dec 19 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.1-1
- New upstream release 1.7.1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
* Thu Dec 13 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-5.rc1
- Update to upstream release candidate 1.7rc1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-4.beta2
- Disable building documentation
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-3.beta2
- Disable JavaScript minification until python-slimit is available
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-2.beta2
- New upstream release 1.7 beta2
- New Features:
  - Introduced a new style for Review Board
- Performance Improvements:
  - We’ve updated our dependency on jQuery to the latest version. We’ve been
    on an old one for quite a while, and there have been many performance
    improvements since. The site’s responsiveness should be a little faster
    now.
- Bug Fixes:
  - Fixed the paths to certain decorational image files
  - File attachment comments are no longer missing from the review box
  - Fixed problems with issue tracking statuses in the review box
  - Fixed wrapping of the text in the change updates
  - Admin UI widgets no longer overlap when loading the page
* Mon Aug 6 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-1.beta1
- New upstream release 1.7 beta1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewbo...
- Compatibility Changes:
  - Added a requirement for Django 1.4
  - Dropped Python 2.4 support
- New Features:
  - Experimental extension support
  - New administration UI
  - Issue summary table for review requests
  - Moved files in a change are better represented in the diff viewer
  - Some file attachments are now shown with more detailed previews
  - Added a “To Me” column in the dashboard
  - Dates and times are now localized to the user’s region
  - The review request update bubble now says if the review request was
    closed
  - E-mails now include the review request ID in the subject header
  - Links in the Description and Testing Done text now open in new windows
    or tabs
  - Required fields on a review request are now marked as required by showing
    an asterisk
  - Added a “Show changes” link on the change description boxes after
    publishing a diff
  - Added support for the latest CVS diff file format
- Removed Features:
  - The hidden reports feature (accessible at /reports/) has been removed
- Performance Improvements:
  - Reduced download time of JavaScript and CSS
  - Reduced diff storage and lookups
- Web API Changes:
  - Added server capabilities in /api/info/
  - Added resources for viewing the original and patched files for a FileDiff
- Bug Fixes:
  - The “Diff Updated” column in the dashboard now actually reflects the last
    diff update
  - Captions changes for file attachments are now shown on change description
    boxes, just like screenshot caption changes

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems with
        REST API
        https://bugzilla.redhat.com/show_bug.cgi?id=1016596
  [ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows
        unauthorized users to view review lists
        https://bugzilla.redhat.com/show_bug.cgi?id=1016599
  [ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval()
        vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=1016601
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum", available at
http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-...
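The 1.7.12 changelog entry above says uploaded files are now renamed to include a hash, "preventing users from uploading malicious filenames, and making filenames unguessable". The notice gives no detail of how upstream does it, so the following is an added example in hypothetical Python, not Review Board's code, of the technique as a practitioner would implement it: the client-supplied name contributes only a sanitised stem and a short extension, a random 128-bit token makes the stored name unpredictable, and the original name is returned separately as display metadata rather than used as a path. Function and constant names (storage_name, resolve_upload, _UNSAFE, _EXT, _STORED) and the sample filenames are assumptions; token_bytes is a parameter only so the result can be checked deterministically.

```python
"""Hashed, non-user-controlled names for uploaded files.

Added example, hypothetical code and not Review Board's own. The client name
contributes only a sanitised stem and extension; a random token makes the
stored name unguessable; the original name is returned for display metadata
and never used as a path. Which extensions or MIME types a site accepts is a
policy decision this example deliberately leaves out.
"""
import os
import posixpath
import re
import secrets
from typing import Optional, Tuple

_UNSAFE = re.compile(r"[^A-Za-z0-9_-]+")   # anything else in the stem becomes "_"
_EXT = re.compile(r"[a-z0-9]{1,8}")         # extension shape we are willing to keep
_STORED = re.compile(r"[A-Za-z0-9_-]{1,40}_[0-9a-f]{32}(\.[a-z0-9]{1,8})?")
_MAX_STEM = 40


def storage_name(client_name: str, token_bytes: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (name to store under, name to show), derived from the client name.

    Directory parts (Unix or Windows style), NULs, leading dots and inner dots
    are all removed from the stored name, so "../x", ".htaccess" and
    "a.php.jpg" cannot survive into the upload directory in that form.
    """
    base = posixpath.basename(client_name.replace("\\", "/")).replace("\x00", "")
    stem, ext = posixpath.splitext(base)
    ext = ext[1:].lower()
    if not _EXT.fullmatch(ext):
        stem, ext = base, ""                 # odd extension: treat whole name as stem
    stem = _UNSAFE.sub("_", stem).strip("_-")[:_MAX_STEM] or "file"
    token = (token_bytes or secrets.token_bytes(16)).hex()   # 128 bits: unguessable
    stored = f"{stem}_{token}" + (f".{ext}" if ext else "")
    return stored, base


def resolve_upload(upload_root: str, stored: str) -> str:
    """Map a stored name back to a path when serving, refusing anything that is
    not a name this module produced or that would leave upload_root."""
    if not _STORED.fullmatch(stored):
        raise ValueError("not a storage name: %r" % stored)
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, stored))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes upload root")
    return path
```

Two things to keep in mind when using this shape: the display name returned second is still attacker-controlled text and must be HTML-escaped wherever it is rendered (the same class of problem as the XSS items in the 1.7.12 and 1.7.10 entries), and the stored name's extension is only shape-checked here, so serving the upload directory still needs the stricter web-server configuration the 1.7.12 entry mentions, or an extension allowlist, to stop a browser from executing what it fetches.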




Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds