[SECURITY] Fedora 18 Update: ReviewBoard-1.7.16-2.fc18
updates at fedoraproject.org
updates at fedoraproject.org
Tue Oct 29 03:43:47 UTC 2013
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-18911
2013-10-11 22:51:43
--------------------------------------------------------------------------------
Name : ReviewBoard
Product : Fedora 18
Version : 1.7.16
Release : 2.fc18
URL : http://www.review-board.org
Summary : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.
--------------------------------------------------------------------------------
Update Information:
Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).
These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.
There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk at gmail.com> - 1.7.16-2
- Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk at redhat.com> - 1.7.15-2
- New upstream bugfix release 1.7.16
- Fixes a breakage when accessing the Review Group Users resource
- Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.15-1
- New upstream security release 1.7.15
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15/
- Resolves: CVE-2013-4410
- Fixes access-control problems with REST API
- Resolves: CVE-2013-4411
- Fixes URL processing allowing unauthorized users to view review lists
* Mon Sep 23 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.14-1
- New upstream security release 1.7.14
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.14/
- Some API resources were accessible even if their parent resources were not,
due to a missing check. In most cases, this was harmless, but it can affect
those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.13-2
- New upstream release 1.7.13
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.13/
- Starting with this release, sites will automatically be upgraded if they are
listed in the text file /etc/reviewboard/sites by the path to their site,
one per line.
* Mon Jul 29 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.12-1
- New upstream release 1.7.12
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/
- Security Fixes:
* Function names in diff headers are no longer rendered as HTML.
* If a user’s full name contained HTML, the Submitters list would render it
as HTML, without escaping it. This was an XSS vulnerability.
* The default Apache configuration is now more strict with how it serves up
file attachments. This does not apply to existing installations. See
http://support.beanbaginc.com/support/solutions/articles/110173-securing-file-attachments
for details.
* Uploaded files are now renamed to include a hash, preventing users from
uploading malicious filenames, and making filenames unguessable.
* Recaptcha support has been updated to use the new URLs provided by
Google.
- New Features:
* Added a X-ReviewRequest-Repository header for e-mails.
- Extension Improvements:
* Extensions can now specify their list of app directories.
* Extensions can now specify the author’s URL.
* Improved the look and feel for extension configuration.
* Improved the functionality for extension configuration.
* Improved the list of available extensions.
- Bug Fixes:
* Fixed the “Show Whitespace Changes” toggle.
* Fixed compatibility with modern versions of django-storages.
* Draft comments on file attachments are no longer shown to all users.
* Fixed issues with console windows appearing when invoking Clear Case
requests on Python 2.7.x and Windows 7.
* Review requests on Local Sites are now guaranteed to have the proper ID.
* Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.11-1
- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.11/
- Bug Fixes:
* Fixed compatibility with Python 2.5
* Fixed the drop-down arrow by Support and the account name on older
versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.10-1
- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
* Fixed an XSS vulnerability where users could trigger script errors under
certain conditions in auto-complete widgets
- Web API Changes:
* Added n ?order-by=<fieldname> query parameter for comment resources,
allowing ordering by fields such as line numbers (for diff comments)
* Added a filename field to screenshot resources, which provides the base
filename (without path) of the screenshot
* Added a review_url field to screenshot resources, which provides the URL
to the screenshot review page
* Added a thumbnail_url field to screenshot comment resources, which
provides the URL to the snippet of the screenshot being commented on
* Added a link_text field to file attachment comment resources, which shows
the text for any link pointing to the file. This may differ depending on
the comment
* Added a review_url field to file attachment comment resources, which
provides the URL to the review page for the file
* Added a thumbnail_html field to file attachment comment resources, which
provides HTML for rendering the thumbnail of the portion of the file
being rendered, if any
- UI Changes:
* Improved the look and feel of the issue summary table. It’s cleaner and
no longer looks odd with long comment text
- Bug Fixes:
* Fixed periodic but harmless JavaScript errors when removing elements with
relative timestamps
* Editing or reordering dashboard columns no longer breaks after the
dashboard reloads
* Relative timestamps in the dashboard no longer break after the dashboard
reloads
* The maximum size of the timezone has increased, allowing for longer
timezone strings
* Mon Jun 3 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.9-1
- New upstream release 1.7.9
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.9/
- API Changes:
* Added new blocks and depends_on fields to the Review Request resource
- Bug Fixes:
* Fixed the max_length of the new HostingServiceAccount.hosting_url field
* Fixed the documentation for the cgit configuration for Git
* Fixed the cgit URL for Fedora Hosted
* Mon Jun 3 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.8.1-1
- New upstream release 1.7.8.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8.1/
- Bug Fixes:
* Fixed a regression with saving repositories that don't use hosting
services
- Misc. Changes:
* Compatibility changes for the upcoming PDF review plugin
- New upstream release 1.7.8
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8/
- New Features:
* Added Depends On and Blocks fields to review requests
* Added an improved support page
* Added the ability to set where Get Support takes users
* Added improved logging for many operations
- Performance Improvements:
* Reduced the upload time for many new diffs
* The templates used for rendering the various pages are now cached after
the first render, speeding up the rendering for any future renders. We've
seen speedups of ~100-120ms for review request pages
- Usability Improvements:
* The review request actions are now larger, making them more visible and
easier to hit, particularly on touch screens
* Clicking Fixed, Drop or Re-open now keeps the page in the same scroll
position
* The dashboard now reloads dynamically, without reloading the entire page
* The comment dialog now tells you when you can't make a comment (due to
being logged out or reviewing something that's part of a draft
- API Changes
* Fixed deleting pending replies to comments
* Fixed some issues returning certain lists of data
- Extensibility Improvements:
* Extensions can now customize their metadata directly in the Extension
class
* TemplateHooks can now render their own content by overriding
render_to_string()
* NavigationBarHook can now take a url_name parameter specifying the URL
name to link to
* Review UIs can now specify the link and link text for any comments on a
review by overriding get_comment_link_url() and get_comment_link_text()
* Custom hosting services can now be registered/unregistered by extensions
by using register_hosting_service() and unregister_hosting_service()
(from reviewboard.hostingsvcs.service)
* Added the ability to more easily write hosting services support that
works for self-installable services
- Bug Fixes:
* Added missing repository validation for Mercurial repositories
* Fixed replying to comments on file attachments that have since been
removed
* Fixed the display of the upload dialogs when viewing a file attachment
* Comments on file attachments in e-mails now link to the correct review UI
handling the file
* Worked around rare issues where a reset of the Open An Issue default for
a user would cause pages to break
- Misc Changes:
* E-mails now show the user’s full name instead of just their first name
* The New Review Request page now mentions RBTools instead of just
post-review
* Mon Apr 22 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.7.1-1
- New upstream release 1.7.7.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.7.1/
- Bug Fixes:
* Fixed a problem with generating config files when creating a new site
installations
- New upstream release 1.7.7
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.7/
- New Features:
* The configured SSH key can now be deleted
* Added support for working against a GitHub OAuth application
- Performance Improvements:
* Uploading a diff with a parent diff will no longer attempt to process any
files in the parent diff that aren't in the main diff
* Sped up rendering times for the Dashboard, All Review Requests page, and
the user/groups pages
- Web API Improvements:
* Fixed a breakage with updating comments when the issue_status field
wasn't provided
* Improved caching logic to not claim a cached payload is valid when the
client reports a matching Last Modified timestamp but not a matching
ETag
- Bug Fixes:
* Specifying a port in a SSH URL for a repository will now connect on that
port
* Fixed broken links to file attachments when using Local Sites
* Review request e-mails now show the right ID in the subject for Local
Sites
* Fixed Python path issues when spawning processes
* Fixed a rare breakage when saving repositories
* Fixed the cookie path when using site directories
* When installing a site, database hosts now accept a port in the format of
hostname:port
* Fixed visual glitches with some rounded corners in the UI
* Wed Apr 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-4
- Add explicit BuildRequires: python-django14
* Wed Apr 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-3
- Change to explicit requirement on python-django14
- Resolves: rhbz#950411 - Change requires to python-django14
* Thu Mar 21 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-2
- Replace references of id2= with id= for cgit
- Use file blobs rather than plaintext representation with Fedora
Hosted cgit repositories
* Thu Feb 21 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-1
- New upstream release 1.7.6
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.6/
- Fedora-specific: removed versioning requirement on paramiko; it's no longer
needed
- Security Updates:
* We now require Django 1.4.5, which fixes a few security vulnerabilities
- New Features:
* Added Perforce ticket-based authentication
* Added a setting for choosing Review Board log levels
- Web API Changes:
* Added API support for querying and manipulating default reviewers
* Repositories deleted through the Web API are now only archived if they
have any associated review requests
- Bug Fixes:
* Fixed fetching files with FedoraHosted
* Fixed some cases where URLs to user pages were incorrect, especially on
subdirectory installs and local sites
* We try harder now to set the PYTHONPATH for subprocesses, which should
fix some issues fetching files over Subversion
* The Administration UI dashboard widgets no longer cache their data too
aggressively
* Fixed showing the error box when entering an invalid reviewer
* Fixed config/ and db/ links for extensions, when in a subdirectory
install
* The Manual Updates page for the media upload directory no longer points
to a non-existant wiki page
* Thu Feb 7 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.5-1
- New upstream release 1.7.5
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.5/
- New Features:
* Added a nicer, human-readable view of diffs in the FileDiff tables in the
administration UI
* The repository name is now included in review request e-mails
- Compatibility Fixes:
* We now require django-pipeline 1.2.24, which restores our compatibility
with Python 2.5 and fixes some errors when loading pages
* Our list of supported timezones should now be consistent across all
installs, since we now require a specific, modern version of pytz
(Packager's note: this is an upstream change only. In Fedora we have
always relied on the system pytz)
- Bug Fixes:
* The entire thumbnail for file attachments are now clickable, making it
easier to download the file or reach the review page
* Users are no longer locked out of their review requests when assigned to
private groups they don’t have access to
* The Hide whitespace changes toggle was broken on many browsers, causing a
JavaScript error
* Searching for a user in the quick search field and then clicking the user
once again navigates to the user’s page
* The review request counts in the dashboard no longer show “None” for new
users when using Local Sites
* Thu Jan 31 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.4-1
- New upstream release 1.7.4
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.4/
- Bug Fixes:
* Fixed a JavaScript error in Internet Explorer and Firefox 3.x involving
the console object being undefined
* Fixed the diff viewer’s changed file listings when using Windows file
paths
* Mon Jan 28 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.3-1
- New upstream release 1.7.3
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.3/
- New Features:
* Add optional support for sending e-mails when closing review requests
- Compatibility Updates:
* The new support for Perforce moved files has changed
RBTools 0.4.3 will now require Review Board 1.7.3 at a minimum.
* Review Board now works with SVN diffs generated in many non-C locales
- Web API Changes:
* Added a scmtools.perforce.moved_files capability to indicate moved file
support for Perforce
- Bug Fixes:
* SMTP servers saved with additional whitespace will now have that
whitespace stripped, in order to prevent lookup failures.
* Fixed a crash when running a search index
* The listed creation time for a review request now reflects when it was
first published, not when the initial draft was first created
* The "Add Comment" button on file attachment thumbnails is no longer shown
if not logged in
* Fixed a bug allowing for publishing blank review requests after filling
in the field and then deleting them
* Fixed an occasional crash when viewing a diff when displaying a function
or class header on the left-hand side but when there was none on the
right-hand side
* Fixed a breakage on some systems when checking the Mercurial version
* The Summary field no longer overlaps text when wrapping
* Fixed the review ID column when using Local Sites
* Using a custom SITE_ROOT with a development server setup no longer breaks
all static media
* Fixed the capitalization of the "VersionOne" bug tracker entry
* Using ClearCase on Windows 7 should no longer cause console windows to
pop up
* Fixed loading blank comments in the diff viewer
* Thu Jan 17 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.2-1
- New upstream release 1.7.2
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.2/
- New Features:
- Added bug tracker support for VersionOne
- Added support for ssl:-prefixed P4PORTs for Perforce 2012.1+
- Added support for moved file handling for Perforce
- Bug Fixes:
- Fixed an HTML escaping issue when listing filenames in the diff viewer
- Fixed the display of the static media instructions in rb-site
- Attempting to install on Python 2.4 will now display a helpful error before
failing, instead of a cryptic error
- Fixed the display of file attachment names in review request change
descriptions that don’t have captions
- Fixed the default file-based cache path used when creating a new site
- The Review Board Activity widget in the administration UI will now clear
the data shown when the datasets are unselected
- Fixed capitalization of the navigation bar entries to be consistent
- Fixed the link to the PyLucene documentation in the General Settings page
- Fixed default Apache configuration files to be explicit in enabling
FollowSymLinks
- Fixed timezone warnings when running the search index command
* Fri Dec 21 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7.1-2
- Add missing runtime dependencies
* Wed Dec 19 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7.1-1
- New upstream release 1.7.1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7/
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.0.1/
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.1/
* Thu Dec 13 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-5.rc1
- Update to upstream release candidate 1.7rc1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7-rc-1/
* Wed Oct 3 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-4.beta2
- Disable building documentation
* Wed Oct 3 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-3.beta2
- Disable JavaScript minification until python-slimit is available
* Wed Oct 3 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-2.beta2
- New upstream release 1.7 beta2
- New Features:
- Introduced a new style for Review Board
- Performance Improvements:
- We’ve updated our dependency on jQuery to the latest version. We’ve been
on an old one for quite a while, and there have been many performance
improvements since. The site’s responsiveness should be a little faster
now.
- Bug Fixes:
- Fixed the paths to certain decorational image files
- File attachment comments are no longer missing from the review box
- Fixed problems with issue tracking statuses in the review box
- Fixed wrapping of the text in the change updates
- Admin UI widgets no longer overlap when loading the page
* Mon Aug 6 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-1.beta1
- New upstream release 1.7 beta1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7-beta-1/
- Compatibility Changes:
- Added a requirement for Django 1.4
- Dropped Python 2.4 support
- New Features:
- Experimental extension support
- New administration UI
- Issue summary table for review requests
- Moved files in a change are better represented in the diff viewer
- Some file attachments are now shown with more detailed previews
- Added a “To Me” column in the dashboard
- Dates and times are now localized to the user’s region
- The review request update bubble now says if the review request was
closed
- E-mails now include the review request ID in the subject header
- Links in the Description and Testing Done text now open in new windows or
tabs
- Required fields on a review request are now marked as required by showing
an asterisk
- Added a “Show changes” link on the change description boxes after
publishing a diff
- Added support for the latest CVS diff file format
- Removed Features:
- The hidden reports feature (accessible at /reports/) has been removed
- Performance Improvements:
- Reduced download time of JavaScript and CSS
- Reduced diff storage and lookups
- Web API Changes:
- Added server capabilities in /api/info/
- Added resources for viewing the original and patched files for a
FileDiff
- Bug Fixes:
- The “Diff Updated” column in the dashboard now actually reflects the last
diff update
- Captions changes for file attachments are now shown on change description
boxes, just like screenshot caption changes
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems with REST API
https://bugzilla.redhat.com/show_bug.cgi?id=1016596
[ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows unauthorized users to view review lists
https://bugzilla.redhat.com/show_bug.cgi?id=1016599
[ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval() vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1016601
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list