You are here
Home > Preporuke > Ranjivosti programskog paketa ReviewBoard

Ranjivosti programskog paketa ReviewBoard

  • Detalji os-a: FED
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2014-8771
2014-07-24 02:42:02
——————————————————————————–

Name : ReviewBoard
Product : Fedora 19
Version : 1.7.27
Release : 1.fc19
URL : http://www.review-board.org
Summary : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.

——————————————————————————–
Update Information:

– New upstream security release 1.7.27
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.27

——————————————————————————–
ChangeLog:

* Wed Jul 23 2014 Patrick Uiterwijk <puiterwijk@redhat.com> – 1.7.27-1
– New upstream security release 1.7.27
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.27
* Wed Jun 11 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.26-1
– New upstream security release 1.7.26
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.26
* Thu Apr 24 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.25-1
– New upstream security release 1.7.25
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.25
* Wed Apr 9 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.24-1
– New upstream bugfix release 1.7.24
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.24
* Wed Apr 9 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.23-1
– New upstream bugfix release 1.7.23
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.23
* Mon Mar 3 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.22-1
– New upstream security release 1.7.22
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.22/
– Security Fixes:
* An XSS vulnerability was found in the Search field’s auto-complete.
– New Features:
* Added support for anonymous access to public Local Sites.
* Added support for parallel-installed versions of Django.
– API Changes:
* The documentation for Review Group Resource no longer says that review
groups cannot be created through the API.
– Bug Fixes:
* Install/Upgrade:
* Fixed compatibility with Apache 2.4’s method for authorization in newly
generated config files.
* Fixed an issue on some configurations where loading in initial schema
data for the database would fail
* rb-site upgrade –all-sites no longer throws an error if there are no
valid sites configured.
* Administration:
* Administrators now have access to all repositories, instead of just
public ones or ones they’re a member of.
* Repositories backed by paths that no longer exist can now be hidden.
* Fixed creating groups and repositories that had conflicting “unique”
fields.
* Password fields no longer appear blank when they have a value in forms.
* Setting https in the server URL now properly marks the server as using
HTTPS. All URLs generated for the API and e-mails will include https
instead of http.
* Fixed incorrect labelling for the review request status graph in the
Admin dashboard.
* LDAP:
* Usernames, passwords, and other information are properly encoded to UTF-8
before authenticating.
* Users without e-mail addresses in LDAP no longer break when first
authenticating.
* Dashboard:
* Fixed support for accessing watched groups through the Dashboard.
* Repositories:
* Copied files in Git diffs no longer results in File Not Found errors, and
properly handles showing the state much like moved files.
* Added better compatibility with Mercurial repository when accessing
hg-history URLs, when the server name didn’t contain a trailing slash.
* Added better CVS compatibility for repositories that don’t contain
CVSROOT/modules.
* Fixed issues with Clear Case in multi-site mode when OIDs weren’t yet
available on the server.
* Fri Feb 21 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-5
– Require patched version of Djblets to handle requires.txt
* Fri Feb 21 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-4
– Fix mimeparse requirement
* Fri Feb 21 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-3
– Support parallel-installable python-django14 package
* Mon Jan 27 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-2
– Fix apache configuration to support new authorization directive
* Wed Jan 15 2014 Stephen Gallagher <sgallagh@redhat.com> 1.7.21-1
– New upstream enhancement release 1.7.21
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.21/
– New Features:
* Added support for GitLab servers.
* Added support for the Unfuddle service.
* Added support for publicly accessible Local Sites.
– Performance Improvements:
* Massively improved render time of large diffs.
– API Changes:
* Added new query parameters for filtering lists of repositories.
– Bug Fixes:
* Fixed issues verifying and accessing files for Subversion repositories on
Beanstalk.
* Fixed issues accessing properties on Subversion repositories on some
hosting providers that require authentication.
* The activity widget in the administration UI now shows data for the current
day.
* Fixed issues where the activity widget could break, depending on the date
range.
* Fixed a regression in error messages provided when setting up a GitHub
repository.
* Fixed links in e-mails to file attachments stored on CDNs.
* Removed an unnecessary external image included in e-mails.
* Users no longer on a LocalSite will be excluded from any e-mails on review
requests or reviews they were previously involved in.
* Thu Dec 12 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.20-1
– New upstream bugfix release 1.7.20
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.20/
– Web API Changes:
* When posting a review request and using submit-as, the given username will
now be looked up in the auth backend (LDAP, Active Directory, etc.),
instead of just the local database.
– Bug Fixes:
* Accessing file attachments without review UIs through the API no longer
causes an HTTP 500 error.
* Fields in the administration UI containing JSON will no longer cause errors
during save. Furthermore, the JSON is now valid and properly editable.
* Usernames with plus signs are now allowed.
– Internal Changes
* Rewrote the Mercurial support to use the command line tool.
* Wed Nov 27 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.19-1
– New upstream bugfix release 1.7.19
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.19/
– New Features:
* Added support for two-factor authentication for GitHub.
– Performance Improvements:
* Re-introduced browser caching on the review request page.
– Web API Changes:
* Added the mirror_path field to Repository Resource.
– Bug Fixes:
* Fixed the default focus on the Review dialog. The top-most field now always
has default focus.
* Fixed displaying review requests for groups on a Local Site.
* Prevented rare crashes with Local Sites using the new permissions support
without any granted permissions.
* Fixed HTTP basic authentication with the web API when using fastcgi.
* Wed Nov 13 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.18-1
– New upstream bugfix release 1.7.18
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.18/
– Convert to using UglifyJS2 for javascript minification
* Wed Nov 6 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.17-1.1
– Drop upstreamed patch for pytz requirement
* Tue Nov 5 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.17-1
– New upstream security release 1.7.17
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17/
– Resolves: CVE-2013-4519
– Security Fixes:
* Fixed XSS vulnerabilities for the ‘Branch’ field and uploaded file
captions.
* Added a ‘X-Frame-Options’ header to prevent clickjacking.
– New Features:
* Remove the need for SSH keys for GitHub repositories.
* Improved validation for GitHub repositories.
* Added support for permissions on Local Sites.
– Performance Improvements:
* Reduced query counts on all pages.
* Reduced query counts in the web API when returning empty lists.
– Extensibility:
* Extensions using the “configure_extension“ view an now pass in a custom
“template_name“ pointing to a template for the configuration page, if it
needs additional customization.
* Enabling, disabling or reconfiguring extensions will now invalidate the
caches for pages, ensuring that hooks will take affect.
* Extension configuration now works properly on subdirectory installs.
– Bug Fixes:
* Fixed showing private review requests on a submitter page.
* The description for submitted or discarded review requests is now shown on
the diff viewer.
* Discarding, reopening and then closing a review request no longer makes the
review request private.
* Fixed a naming conflict with older PyCrypto packages, such as the default
package on CentOS 6.4.
* Users with the ‘can_change_status’ permission no longer need the
‘can_edit_reviewrequest’ permission in order to close or reopen review
requests.
* Switching a repository from using a hosting service to Custom no longer
reverts back to the hosting service.
* Fixed editing a repository if its associated hosting service can’t be
loaded (such as if an extension providing that hosting service is
disabled).
* Many diff validation errors weren’t being shown on the New Review Request
page, generating 500 errors instead.
* Fixed caching issues with the Blocks field on review requests.
* Editing JSON text fields in the administration UI now works, validates, and
won’t result in warnings in the log.
* Fixed breakages with looking up URLs internally with Local Sites.
* Wed Oct 16 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.16-2.1
– Remove setup.py strict requirement on pytz. RHEL provides a patched
version that meets the needs.
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@gmail.com> – 1.7.16-2
– Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk@redhat.com> – 1.7.15-2
– New upstream bugfix release 1.7.16
– Fixes a breakage when accessing the Review Group Users resource
– Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.15-1
– New upstream security release 1.7.15
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15/
– Resolves: CVE-2013-4410
– Fixes access-control problems with REST API
– Resolves: CVE-2013-4411
– Fixes URL processing allowing unauthorized users to view review lists
* Mon Sep 23 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.14-1
– New upstream security release 1.7.14
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.14/
– Some API resources were accessible even if their parent resources were not,
due to a missing check. In most cases, this was harmless, but it can affect
those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.13-2
– New upstream release 1.7.13
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.13/
– Starting with this release, sites will automatically be upgraded if they are
listed in the text file /etc/reviewboard/sites by the path to their site,
one per line.
* Mon Jul 29 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.12-1
– New upstream release 1.7.12
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/
– Security Fixes:
* Function names in diff headers are no longer rendered as HTML.
* If a user’s full name contained HTML, the Submitters list would render it
as HTML, without escaping it. This was an XSS vulnerability.
* The default Apache configuration is now more strict with how it serves up
file attachments. This does not apply to existing installations. See
http://support.beanbaginc.com/support/solutions/articles/110173-securing-file-attachments
for details.
* Uploaded files are now renamed to include a hash, preventing users from
uploading malicious filenames, and making filenames unguessable.
* Recaptcha support has been updated to use the new URLs provided by
Google.
– New Features:
* Added a X-ReviewRequest-Repository header for e-mails.
– Extension Improvements:
* Extensions can now specify their list of app directories.
* Extensions can now specify the author’s URL.
* Improved the look and feel for extension configuration.
* Improved the functionality for extension configuration.
* Improved the list of available extensions.
– Bug Fixes:
* Fixed the “Show Whitespace Changes” toggle.
* Fixed compatibility with modern versions of django-storages.
* Draft comments on file attachments are no longer shown to all users.
* Fixed issues with console windows appearing when invoking Clear Case
requests on Python 2.7.x and Windows 7.
* Review requests on Local Sites are now guaranteed to have the proper ID.
* Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.11-1
– New upstream release 1.7.11
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.11/
– Bug Fixes:
* Fixed compatibility with Python 2.5
* Fixed the drop-down arrow by Support and the account name on older
versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <sgallagh@redhat.com> – 1.7.10-1
– New upstream release 1.7.10
– http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
– Security Updates:
* Fixed an XSS vulnerability where users could trigger script errors under
certain conditions in auto-complete widgets
– Web API Changes:
* Added n ?order-by=<fieldname> query parameter for comment resources,
allowing ordering by fields such as line numbers (for diff comments)
* Added a filename field to screenshot resources, which provides the base
filename (without path) of the screenshot
* Added a review_url field to screenshot resources, which provides the URL
to the screenshot review page
* Added a thumbnail_url field to screenshot comment resources, which
provides the URL to the snippet of the screenshot being commented on
* Added a link_text field to file attachment comment resources, which shows
the text for any link pointing to the file. This may differ depending on
the comment
* Added a review_url field to file attachment comment resources, which
provides the URL to the review page for the file
* Added a thumbnail_html field to file attachment comment resources, which
provides HTML for rendering the thumbnail of the portion of the file
being rendered, if any
– UI Changes:
* Improved the look and feel of the issue summary table. It’s cleaner and
no longer looks odd with long comment text
– Bug Fixes:
* Fixed periodic but harmless JavaScript errors when removing elements with
relative timestamps
* Editing or reordering dashboard columns no longer breaks after the
dashboard reloads
* Relative timestamps in the dashboard no longer break after the dashboard
reloads
* The maximum size of the timezone has increased, allowing for longer
timezone strings
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update ReviewBoard’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
7e

AutorTomislav Protega
Cert idNCERT-REF-2014-09-0012-ADV
CveCVE-2013-4519 CVE-2013-4410 CVE-2013-4411
ID izvornikaFEDORA-2014-8771
ProizvodReviewBoard
Izvorhttp://www.redhat.com
Top
More in Preporuke
Ranjivosti programskog paketa apache-poi

Otkrivene su dvije ranjivosti u programskom paketu apache-poi za Fedoru. Prva ranjivost nalazila se u postavkama OPC SAX, a udaljeni...

Close