
Vulnerabilities in the ReviewBoard software package

  • OS details: FED
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

Fedora Update Notification
2014-07-24 02:42:02

Name : ReviewBoard
Product : Fedora 19
Version : 1.7.27
Release : 1.fc19
Summary : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.

Update Information:

– New upstream security release 1.7.27


* Wed Jul 23 2014 Patrick Uiterwijk <> – 1.7.27-1
– New upstream security release 1.7.27
* Wed Jun 11 2014 Stephen Gallagher <> 1.7.26-1
– New upstream security release 1.7.26
* Thu Apr 24 2014 Stephen Gallagher <> 1.7.25-1
– New upstream security release 1.7.25
* Wed Apr 9 2014 Stephen Gallagher <> 1.7.24-1
– New upstream bugfix release 1.7.24
* Wed Apr 9 2014 Stephen Gallagher <> 1.7.23-1
– New upstream bugfix release 1.7.23
* Mon Mar 3 2014 Stephen Gallagher <> 1.7.22-1
– New upstream security release 1.7.22
– Security Fixes:
* An XSS vulnerability was found in the Search field’s auto-complete.
– New Features:
* Added support for anonymous access to public Local Sites.
* Added support for parallel-installed versions of Django.
– API Changes:
* The documentation for Review Group Resource no longer says that review
groups cannot be created through the API.
– Bug Fixes:
* Install/Upgrade:
* Fixed compatibility with Apache 2.4’s method for authorization in newly
generated config files.
* Fixed an issue on some configurations where loading in initial schema
data for the database would fail
* rb-site upgrade --all-sites no longer throws an error if there are no
valid sites configured.
* Administration:
* Administrators now have access to all repositories, instead of just
public ones or ones they’re a member of.
* Repositories backed by paths that no longer exist can now be hidden.
* Fixed creating groups and repositories that had conflicting “unique”
* Password fields no longer appear blank when they have a value in forms.
* Setting https in the server URL now properly marks the server as using
HTTPS. All URLs generated for the API and e-mails will include https
instead of http.
* Fixed incorrect labelling for the review request status graph in the
Admin dashboard.
* Usernames, passwords, and other information are properly encoded to UTF-8
before authenticating.
* Users without e-mail addresses in LDAP no longer break when first
* Dashboard:
* Fixed support for accessing watched groups through the Dashboard.
* Repositories:
* Copied files in Git diffs no longer result in File Not Found errors, and
their state is properly shown, much like moved files.
* Added better compatibility with Mercurial repository when accessing
hg-history URLs, when the server name didn’t contain a trailing slash.
* Added better CVS compatibility for repositories that don’t contain
* Fixed issues with Clear Case in multi-site mode when OIDs weren’t yet
available on the server.
* Fri Feb 21 2014 Stephen Gallagher <> 1.7.21-5
– Require patched version of Djblets to handle requires.txt
* Fri Feb 21 2014 Stephen Gallagher <> 1.7.21-4
– Fix mimeparse requirement
* Fri Feb 21 2014 Stephen Gallagher <> 1.7.21-3
– Support parallel-installable python-django14 package
* Mon Jan 27 2014 Stephen Gallagher <> 1.7.21-2
– Fix apache configuration to support new authorization directive
* Wed Jan 15 2014 Stephen Gallagher <> 1.7.21-1
– New upstream enhancement release 1.7.21
– New Features:
* Added support for GitLab servers.
* Added support for the Unfuddle service.
* Added support for publicly accessible Local Sites.
– Performance Improvements:
* Massively improved render time of large diffs.
– API Changes:
* Added new query parameters for filtering lists of repositories.
– Bug Fixes:
* Fixed issues verifying and accessing files for Subversion repositories on
* Fixed issues accessing properties on Subversion repositories on some
hosting providers that require authentication.
* The activity widget in the administration UI now shows data for the current
* Fixed issues where the activity widget could break, depending on the date
* Fixed a regression in error messages provided when setting up a GitHub
* Fixed links in e-mails to file attachments stored on CDNs.
* Removed an unnecessary external image included in e-mails.
* Users no longer on a LocalSite will be excluded from any e-mails on review
requests or reviews they were previously involved in.
* Thu Dec 12 2013 Stephen Gallagher <> – 1.7.20-1
– New upstream bugfix release 1.7.20
– Web API Changes:
* When posting a review request and using submit-as, the given username will
now be looked up in the auth backend (LDAP, Active Directory, etc.),
instead of just the local database.
– Bug Fixes:
* Accessing file attachments without review UIs through the API no longer
causes an HTTP 500 error.
* Fields in the administration UI containing JSON will no longer cause errors
during save. Furthermore, the JSON is now valid and properly editable.
* Usernames with plus signs are now allowed.
– Internal Changes
* Rewrote the Mercurial support to use the command line tool.
* Wed Nov 27 2013 Stephen Gallagher <> – 1.7.19-1
– New upstream bugfix release 1.7.19
– New Features:
* Added support for two-factor authentication for GitHub.
– Performance Improvements:
* Re-introduced browser caching on the review request page.
– Web API Changes:
* Added the mirror_path field to Repository Resource.
– Bug Fixes:
* Fixed the default focus on the Review dialog. The top-most field now always
has default focus.
* Fixed displaying review requests for groups on a Local Site.
* Prevented rare crashes with Local Sites using the new permissions support
without any granted permissions.
* Fixed HTTP basic authentication with the web API when using fastcgi.
* Wed Nov 13 2013 Stephen Gallagher <> – 1.7.18-1
– New upstream bugfix release 1.7.18
– Convert to using UglifyJS2 for javascript minification
* Wed Nov 6 2013 Stephen Gallagher <> – 1.7.17-1.1
– Drop upstreamed patch for pytz requirement
* Tue Nov 5 2013 Stephen Gallagher <> – 1.7.17-1
– New upstream security release 1.7.17
– Resolves: CVE-2013-4519
– Security Fixes:
* Fixed XSS vulnerabilities for the ‘Branch’ field and uploaded file
* Added a ‘X-Frame-Options’ header to prevent clickjacking.
– New Features:
* Remove the need for SSH keys for GitHub repositories.
* Improved validation for GitHub repositories.
* Added support for permissions on Local Sites.
– Performance Improvements:
* Reduced query counts on all pages.
* Reduced query counts in the web API when returning empty lists.
– Extensibility:
* Extensions using the "configure_extension" view can now pass in a custom
"template_name" pointing to a template for the configuration page, if it
needs additional customization.
* Enabling, disabling or reconfiguring extensions will now invalidate the
caches for pages, ensuring that hooks will take effect.
* Extension configuration now works properly on subdirectory installs.
– Bug Fixes:
* Fixed showing private review requests on a submitter page.
* The description for submitted or discarded review requests is now shown on
the diff viewer.
* Discarding, reopening and then closing a review request no longer makes the
review request private.
* Fixed a naming conflict with older PyCrypto packages, such as the default
package on CentOS 6.4.
* Users with the ‘can_change_status’ permission no longer need the
‘can_edit_reviewrequest’ permission in order to close or reopen review
* Switching a repository from using a hosting service to Custom no longer
reverts back to the hosting service.
* Fixed editing a repository if its associated hosting service can’t be
loaded (such as if an extension providing that hosting service is
* Many diff validation errors weren’t being shown on the New Review Request
page, generating 500 errors instead.
* Fixed caching issues with the Blocks field on review requests.
* Editing JSON text fields in the administration UI now works, validates, and
won’t result in warnings in the log.
* Fixed breakages with looking up URLs internally with Local Sites.
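The 1.7.17 entry above adds an X-Frame-Options header against clickjacking. A practitioner verifying a patched instance wants to check the response headers rather than trust the version string. The following is an added example, not Review Board or Fedora code: it decides whether a response's headers restrict framing, accepting either X-Frame-Options or a Content-Security-Policy frame-ancestors directive (the latter goes beyond what the changelog mentions). The header sets at the bottom are constructed for the example, not captured from a real server.

```python
"""Added example (not Review Board code): check whether response headers
restrict framing, as the X-Frame-Options header added in 1.7.17 intends."""

from typing import Mapping


def _get(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def framing_restricted(headers: Mapping[str, str]) -> bool:
    """True if the page cannot be framed by arbitrary third-party origins.

    X-Frame-Options DENY or SAMEORIGIN count as protection. ALLOW-FROM is
    ignored by modern browsers, so it does not count. A CSP frame-ancestors
    directive counts unless its source list is empty or contains '*'.
    """
    xfo = _get(headers, "X-Frame-Options").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = _get(headers, "Content-Security-Policy")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'\"").lower() for p in parts[1:]]
            return bool(sources) and "*" not in sources
    return False


# Constructed header sets for demonstration, not real server output.
UNPATCHED = {"Content-Type": "text/html; charset=utf-8"}
PATCHED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
CSP_ONLY = {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for label, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED), ("csp", CSP_ONLY)):
        print(label, framing_restricted(hdrs))
```

To run this against a live server, feed it the headers from an HTTP client's response object; the function itself performs no network access.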
* Wed Oct 16 2013 Stephen Gallagher <> – 1.7.16-2.1
– Remove strict requirement on pytz. RHEL provides a patched
version that meets the needs.
* Sun Oct 13 2013 Patrick Uiterwijk <> – 1.7.16-2
– Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk <> – 1.7.15-2
– New upstream bugfix release 1.7.16
– Fixes a breakage when accessing the Review Group Users resource
– Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher <> – 1.7.15-1
– New upstream security release 1.7.15
– Resolves: CVE-2013-4410
– Fixes access-control problems with REST API
– Resolves: CVE-2013-4411
– Fixes URL processing allowing unauthorized users to view review lists
* Mon Sep 23 2013 Stephen Gallagher <> – 1.7.14-1
– New upstream security release 1.7.14
– Some API resources were accessible even if their parent resources were not,
due to a missing check. In most cases, this was harmless, but it can affect
those using access control on groups or review requests.
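The 1.7.14 note above describes a missing check: a child API resource was reachable even when its parent was not. The pattern is worth seeing in code. The following is an added illustration, not Review Board's own resource code: a small parent/child resource chain with the vulnerable lookup (checks only the requested resource) beside the fixed one (walks every ancestor). The resource names, the `allowed` field and the users are constructed for the example.

```python
"""Added example (not Review Board code): a nested REST resource reachable
without its parent's access check, beside the fixed check that walks the
whole parent chain."""

from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class User:
    username: str
    is_admin: bool = False


@dataclass
class Resource:
    """A resource in a hierarchy such as
    /review-requests/<id>/reviews/<id>/diff-comments/<id>.
    `allowed` lists usernames granted access; None means public.
    Names and fields are constructed for this example."""
    name: str
    parent: Optional["Resource"] = None
    allowed: Optional[Set[str]] = None

    def has_access(self, user: User) -> bool:
        if user.is_admin or self.allowed is None:
            return True
        return user.username in self.allowed


def get_vulnerable(resource: Resource, user: User) -> bool:
    """Checks only the requested resource. A private review request does
    not protect the reviews and comments nested under it."""
    return resource.has_access(user)


def get_fixed(resource: Resource, user: User) -> bool:
    """Any ancestor that denies access denies the child as well."""
    node = resource
    while node is not None:
        if not node.has_access(user):
            return False
        node = node.parent
    return True


# Constructed hierarchy: only alice may see review request 42; the review
# and comment beneath it carry no access list of their own.
review_request = Resource("review-request/42", allowed={"alice"})
review = Resource("review/7", parent=review_request)
comment = Resource("diff-comment/3", parent=review)

if __name__ == "__main__":
    mallory = User("mallory")
    print("vulnerable:", get_vulnerable(comment, mallory))  # True (leak)
    print("fixed:", get_fixed(comment, mallory))            # False
```

The fix is cheap per request, but the check must live in the shared resource base class rather than in each child, or the next nested resource will reintroduce the hole.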
* Thu Aug 15 2013 Stephen Gallagher <> – 1.7.13-2
– New upstream release 1.7.13
– Starting with this release, sites will automatically be upgraded if they are
listed in the text file /etc/reviewboard/sites by the path to their site,
one per line.
* Mon Jul 29 2013 Stephen Gallagher <> – 1.7.12-1
– New upstream release 1.7.12
– Security Fixes:
* Function names in diff headers are no longer rendered as HTML.
* If a user’s full name contained HTML, the Submitters list would render it
as HTML, without escaping it. This was an XSS vulnerability.
* The default Apache configuration is now more strict with how it serves up
file attachments. This does not apply to existing installations. See
for details.
* Uploaded files are now renamed to include a hash, preventing users from
uploading malicious filenames, and making filenames unguessable.
* Recaptcha support has been updated to use the new URLs provided by
– New Features:
* Added a X-ReviewRequest-Repository header for e-mails.
– Extension Improvements:
* Extensions can now specify their list of app directories.
* Extensions can now specify the author’s URL.
* Improved the look and feel for extension configuration.
* Improved the functionality for extension configuration.
* Improved the list of available extensions.
– Bug Fixes:
* Fixed the “Show Whitespace Changes” toggle.
* Fixed compatibility with modern versions of django-storages.
* Draft comments on file attachments are no longer shown to all users.
* Fixed issues with console windows appearing when invoking Clear Case
requests on Python 2.7.x and Windows 7.
* Review requests on Local Sites are now guaranteed to have the proper ID.
* Fixed starring review requests on Local Sites.
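The 1.7.12 security fixes above include renaming uploaded files to include a hash so that users cannot upload malicious filenames and stored names are unguessable. The following is an added example of that technique, not Review Board's own storage code: it strips any directory component, whitelists the characters of the base name and extension, refuses dotfile names, and appends a random hex token from `secrets`. The `token` parameter exists only so the result can be tested deterministically; the sample inputs are constructed.

```python
"""Added example (not Review Board code): derive a safe, unguessable stored
name for a user-supplied upload filename."""

import os
import re
import secrets
from typing import Optional

_BASE_BAD = re.compile(r"[^A-Za-z0-9_-]+")   # anything not safe in the base name
_EXT_BAD = re.compile(r"[^a-z0-9]+")         # anything not safe in the extension


def safe_upload_name(original: str, token: Optional[str] = None) -> str:
    """Return '<base>_<token>[.<ext>]' for a user-supplied filename.

    - drops any path component, including Windows-style separators
    - replaces unsafe characters (dots included) in the base with '_'
    - truncates the base, so a dotfile like '.htaccess' becomes 'htaccess'
    - keeps at most one lowercase alphanumeric extension
    - `token` is random when None; pass a value only for testing
    """
    name = original.replace("\\", "/").rsplit("/", 1)[-1]
    base, ext = os.path.splitext(name)
    base = _BASE_BAD.sub("_", base).strip("_-")[:40] or "file"
    ext = _EXT_BAD.sub("", ext.lower())[:10]
    if token is None:
        token = secrets.token_hex(16)  # 128 bits: not guessable
    return f"{base}_{token}" + (f".{ext}" if ext else "")


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the rename defends against.
    for sample in ("../../etc/passwd", ".htaccess", "evil.php.png",
                   "report (final).PDF", "..\\..\\boot.ini"):
        print(repr(sample), "->", safe_upload_name(sample))
```

The renamed file should still be served from a directory the web server does not execute scripts from, as the stricter Apache configuration noted in the same release intends; the rename alone only removes attacker control over the name.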
* Thu Jun 27 2013 Stephen Gallagher <> – 1.7.11-1
– New upstream release 1.7.11
– Bug Fixes:
* Fixed compatibility with Python 2.5
* Fixed the drop-down arrow by Support and the account name on older
versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <> – 1.7.10-1
– New upstream release 1.7.10
– Security Updates:
* Fixed an XSS vulnerability where users could trigger script errors under
certain conditions in auto-complete widgets
– Web API Changes:
* Added an ?order-by=<fieldname> query parameter for comment resources,
allowing ordering by fields such as line numbers (for diff comments)
* Added a filename field to screenshot resources, which provides the base
filename (without path) of the screenshot
* Added a review_url field to screenshot resources, which provides the URL
to the screenshot review page
* Added a thumbnail_url field to screenshot comment resources, which
provides the URL to the snippet of the screenshot being commented on
* Added a link_text field to file attachment comment resources, which shows
the text for any link pointing to the file. This may differ depending on
the comment
* Added a review_url field to file attachment comment resources, which
provides the URL to the review page for the file
* Added a thumbnail_html field to file attachment comment resources, which
provides HTML for rendering the thumbnail of the portion of the file
being rendered, if any
– UI Changes:
* Improved the look and feel of the issue summary table. It’s cleaner and
no longer looks odd with long comment text
– Bug Fixes:
* Fixed periodic but harmless JavaScript errors when removing elements with
relative timestamps
* Editing or reordering dashboard columns no longer breaks after the
dashboard reloads
* Relative timestamps in the dashboard no longer break after the dashboard
* The maximum size of the timezone has increased, allowing for longer
timezone strings

This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list

Author: Tomislav Protega
Cert id: NCERT-REF-2014-09-0012-ADV
CVE: CVE-2013-4519 CVE-2013-4410 CVE-2013-4411
Source ID: FEDORA-2014-8771