Fedora alert FEDORA-2014-7333 (ReviewBoard)
| From: | updates@fedoraproject.org | |
| To: | package-announce@lists.fedoraproject.org | |
| Subject: | [SECURITY] Fedora 19 Update: ReviewBoard-1.7.26-2.fc19 | |
| Date: | Wed, 09 Jul 2014 02:27:04 +0000 | |
| Message-ID: | <20140709022704.4DE3421CE9@bastion01.phx2.fedoraproject.org> |
-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2014-7333 2014-06-13 04:45:26 -------------------------------------------------------------------------------- Name : ReviewBoard Product : Fedora 19 Version : 1.7.26 Release : 2.fc19 URL : http://www.review-board.org Summary : Web-based code review tool Description : Review Board is a powerful web-based code review tool that offers developers an easy way to handle code reviews. It scales well from small projects to large companies and offers a variety of tools to take much of the stress and time out of the code review process. -------------------------------------------------------------------------------- Update Information: Django Evolution: Drop back down to 0.6.9 as 0.7.x breaks Review Board upgrades. We'll support 0.7.x on Fedora 21 and EPEL 7 with Review Board 2.0 ReviewBoard: Address XSS vulnerabilities -------------------------------------------------------------------------------- ChangeLog: * Wed Jun 11 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.26-1 - New upstream security release 1.7.26 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... * Thu Apr 24 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.25-1 - New upstream security release 1.7.25 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... * Wed Apr 9 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.24-1 - New upstream bugfix release 1.7.24 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... * Wed Apr 9 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.23-1 - New upstream bugfix release 1.7.23 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... * Mon Mar 3 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.22-1 - New upstream security release 1.7.22 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Security Fixes: * An XSS vulnerability was found in the Search field's auto-complete. - New Features: * Added support for anonymous access to public Local Sites. * Added support for parallel-installed versions of Django. - API Changes: * The documentation for Review Group Resource no longer says that review groups cannot be created through the API. - Bug Fixes: * Install/Upgrade: * Fixed compatibility with Apache 2.4's method for authorization in newly generated config files. * Fixed an issue on some configurations where loading in initial schema data for the database would fail * rb-site upgrade --all-sites no longer throws an error if there are no valid sites configured. * Administration: * Administrators now have access to all repositories, instead of just public ones or ones they're a member of. * Repositories backed by paths that no longer exist can now be hidden. * Fixed creating groups and repositories that had conflicting "unique" fields. * Password fields no longer appear blank when they have a value in forms. * Setting https in the server URL now properly marks the server as using HTTPS. All URLs generated for the API and e-mails will include https instead of http. * Fixed incorrect labelling for the review request status graph in the Admin dashboard. * LDAP: * Usernames, passwords, and other information are properly encoded to UTF-8 before authenticating. * Users without e-mail addresses in LDAP no longer break when first authenticating. * Dashboard: * Fixed support for accessing watched groups through the Dashboard. * Repositories: * Copied files in Git diffs no longer results in File Not Found errors, and properly handles showing the state much like moved files. * Added better compatibility with Mercurial repository when accessing hg-history URLs, when the server name didn't contain a trailing slash. * Added better CVS compatibility for repositories that don’t contain CVSROOT/modules. * Fixed issues with Clear Case in multi-site mode when OIDs weren’t yet available on the server. * Fri Feb 21 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-5 - Require patched version of Djblets to handle requires.txt * Fri Feb 21 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-4 - Fix mimeparse requirement * Fri Feb 21 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-3 - Support parallel-installable python-django14 package * Mon Jan 27 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-2 - Fix apache configuration to support new authorization directive * Wed Jan 15 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-1 - New upstream enhancement release 1.7.21 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - New Features: * Added support for GitLab servers. * Added support for the Unfuddle service. * Added support for publicly accessible Local Sites. - Performance Improvements: * Massively improved render time of large diffs. - API Changes: * Added new query parameters for filtering lists of repositories. - Bug Fixes: * Fixed issues verifying and accessing files for Subversion repositories on Beanstalk. * Fixed issues accessing properties on Subversion repositories on some hosting providers that require authentication. * The activity widget in the administration UI now shows data for the current day. * Fixed issues where the activity widget could break, depending on the date range. * Fixed a regression in error messages provided when setting up a GitHub repository. * Fixed links in e-mails to file attachments stored on CDNs. * Removed an unnecessary external image included in e-mails. * Users no longer on a LocalSite will be excluded from any e-mails on review requests or reviews they were previously involved in. * Thu Dec 12 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.20-1 - New upstream bugfix release 1.7.20 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Web API Changes: * When posting a review request and using submit-as, the given username will now be looked up in the auth backend (LDAP, Active Directory, etc.), instead of just the local database. - Bug Fixes: * Accessing file attachments without review UIs through the API no longer causes an HTTP 500 error. * Fields in the administration UI containing JSON will no longer cause errors during save. Furthermore, the JSON is now valid and properly editable. * Usernames with plus signs are now allowed. - Internal Changes * Rewrote the Mercurial support to use the command line tool. * Wed Nov 27 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.19-1 - New upstream bugfix release 1.7.19 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - New Features: * Added support for two-factor authentication for GitHub. - Performance Improvements: * Re-introduced browser caching on the review request page. - Web API Changes: * Added the mirror_path field to Repository Resource. - Bug Fixes: * Fixed the default focus on the Review dialog. The top-most field now always has default focus. * Fixed displaying review requests for groups on a Local Site. * Prevented rare crashes with Local Sites using the new permissions support without any granted permissions. * Fixed HTTP basic authentication with the web API when using fastcgi. * Wed Nov 13 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.18-1 - New upstream bugfix release 1.7.18 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Convert to using UglifyJS2 for javascript minification * Wed Nov 6 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.17-1.1 - Drop upstreamed patch for pytz requirement * Tue Nov 5 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.17-1 - New upstream security release 1.7.17 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Resolves: CVE-2013-4519 - Security Fixes: * Fixed XSS vulnerabilities for the 'Branch' field and uploaded file captions. * Added a 'X-Frame-Options' header to prevent clickjacking. - New Features: * Remove the need for SSH keys for GitHub repositories. * Improved validation for GitHub repositories. * Added support for permissions on Local Sites. - Performance Improvements: * Reduced query counts on all pages. * Reduced query counts in the web API when returning empty lists. - Extensibility: * Extensions using the ``configure_extension`` view an now pass in a custom ``template_name`` pointing to a template for the configuration page, if it needs additional customization. * Enabling, disabling or reconfiguring extensions will now invalidate the caches for pages, ensuring that hooks will take affect. * Extension configuration now works properly on subdirectory installs. - Bug Fixes: * Fixed showing private review requests on a submitter page. * The description for submitted or discarded review requests is now shown on the diff viewer. * Discarding, reopening and then closing a review request no longer makes the review request private. * Fixed a naming conflict with older PyCrypto packages, such as the default package on CentOS 6.4. * Users with the 'can_change_status' permission no longer need the 'can_edit_reviewrequest' permission in order to close or reopen review requests. * Switching a repository from using a hosting service to Custom no longer reverts back to the hosting service. * Fixed editing a repository if its associated hosting service can't be loaded (such as if an extension providing that hosting service is disabled). * Many diff validation errors weren't being shown on the New Review Request page, generating 500 errors instead. * Fixed caching issues with the Blocks field on review requests. * Editing JSON text fields in the administration UI now works, validates, and won't result in warnings in the log. * Fixed breakages with looking up URLs internally with Local Sites. * Wed Oct 16 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.16-2.1 - Remove setup.py strict requirement on pytz. RHEL provides a patched version that meets the needs. * Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.7.16-2 - Update Djblets version * Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@redhat.com> - 1.7.15-2 - New upstream bugfix release 1.7.16 - Fixes a breakage when accessing the Review Group Users resource - Fixes pagination in dashboard and similar pages * Thu Oct 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.15-1 - New upstream security release 1.7.15 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Resolves: CVE-2013-4410 - Fixes access-control problems with REST API - Resolves: CVE-2013-4411 - Fixes URL processing allowing unauthorized users to view review lists * Mon Sep 23 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.14-1 - New upstream security release 1.7.14 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Some API resources were accessible even if their parent resources were not, due to a missing check. In most cases, this was harmless, but it can affect those using access control on groups or review requests. * Thu Aug 15 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.13-2 - New upstream release 1.7.13 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Starting with this release, sites will automatically be upgraded if they are listed in the text file /etc/reviewboard/sites by the path to their site, one per line. * Mon Jul 29 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.12-1 - New upstream release 1.7.12 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Security Fixes: * Function names in diff headers are no longer rendered as HTML. * If a user’s full name contained HTML, the Submitters list would render it as HTML, without escaping it. This was an XSS vulnerability. * The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to existing installations. See http://support.beanbaginc.com/support/solutions/articles/... for details. * Uploaded files are now renamed to include a hash, preventing users from uploading malicious filenames, and making filenames unguessable. * Recaptcha support has been updated to use the new URLs provided by Google. - New Features: * Added a X-ReviewRequest-Repository header for e-mails. - Extension Improvements: * Extensions can now specify their list of app directories. * Extensions can now specify the author’s URL. * Improved the look and feel for extension configuration. * Improved the functionality for extension configuration. * Improved the list of available extensions. - Bug Fixes: * Fixed the “Show Whitespace Changes” toggle. * Fixed compatibility with modern versions of django-storages. * Draft comments on file attachments are no longer shown to all users. * Fixed issues with console windows appearing when invoking Clear Case requests on Python 2.7.x and Windows 7. * Review requests on Local Sites are now guaranteed to have the proper ID. * Fixed starring review requests on Local Sites. * Thu Jun 27 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.11-1 - New upstream release 1.7.11 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Bug Fixes: * Fixed compatibility with Python 2.5 * Fixed the drop-down arrow by Support and the account name on older versions of Internet Explorer * Mon Jun 24 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.10-1 - New upstream release 1.7.10 - http://www.reviewboard.org/docs/releasenotes/reviewboard/... - Security Updates: * Fixed an XSS vulnerability where users could trigger script errors under certain conditions in auto-complete widgets - Web API Changes: * Added n ?order-by=<fieldname> query parameter for comment resources, allowing ordering by fields such as line numbers (for diff comments) * Added a filename field to screenshot resources, which provides the base filename (without path) of the screenshot * Added a review_url field to screenshot resources, which provides the URL to the screenshot review page * Added a thumbnail_url field to screenshot comment resources, which provides the URL to the snippet of the screenshot being commented on * Added a link_text field to file attachment comment resources, which shows the text for any link pointing to the file. This may differ depending on the comment * Added a review_url field to file attachment comment resources, which provides the URL to the review page for the file * Added a thumbnail_html field to file attachment comment resources, which provides HTML for rendering the thumbnail of the portion of the file being rendered, if any - UI Changes: * Improved the look and feel of the issue summary table. It’s cleaner and no longer looks odd with long comment text - Bug Fixes: * Fixed periodic but harmless JavaScript errors when removing elements with relative timestamps * Editing or reordering dashboard columns no longer breaks after the dashboard reloads * Relative timestamps in the dashboard no longer break after the dashboard reloads * The maximum size of the timezone has increased, allowing for longer timezone strings -------------------------------------------------------------------------------- References: [ 1 ] Bug #1108665 - django_evolution 0.7.x conflicts with Review Board in Fedora 19 and 20 https://bugzilla.redhat.com/show_bug.cgi?id=1108665 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update ReviewBoard' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list package-announce@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/package-...