[SECURITY] Fedora 20 Update: ReviewBoard-1.7.17-1.fc20
updates at fedoraproject.org
updates at fedoraproject.org
Tue Nov 12 00:31:04 UTC 2013
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-20749
2013-11-06 17:56:38
--------------------------------------------------------------------------------
Name : ReviewBoard
Product : Fedora 20
Version : 1.7.17
Release : 1.fc20
URL : http://www.review-board.org
Summary : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.
--------------------------------------------------------------------------------
Update Information:
- New upstream security release 1.7.17
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17/
- Resolves: CVE-2013-4519
- Security Fixes:
* Fixed XSS vulnerabilities for the 'Branch' field and uploaded file captions.
* Added a 'X-Frame-Options' header to prevent clickjacking.
- New Features:
* Remove the need for SSH keys for GitHub repositories.
* Improved validation for GitHub repositories.
* Added support for permissions on Local Sites.
- Performance Improvements:
* Reduced query counts on all pages.
* Reduced query counts in the web API when returning empty lists.
- Extensibility:
* Extensions using the ``configure_extension`` view an now pass in a custom ``template_name`` pointing to a template for the configuration page, if it needs additional customization.
* Enabling, disabling or reconfiguring extensions will now invalidate the caches for pages, ensuring that hooks will take affect.
* Extension configuration now works properly on subdirectory installs.
- Bug Fixes:
* Fixed showing private review requests on a submitter page.
* The description for submitted or discarded review requests is now shown on the diff viewer.
* Discarding, reopening and then closing a review request no longer makes the review request private.
* Fixed a naming conflict with older PyCrypto packages, such as the default package on CentOS 6.4.
* Users with the 'can_change_status' permission no longer need the 'can_edit_reviewrequest' permission in order to close or reopen review requests.
* Switching a repository from using a hosting service to Custom no longer reverts back to the hosting service.
* Fixed editing a repository if its associated hosting service can't be loaded (such as if an extension providing that hosting service is disabled).
* Many diff validation errors weren't being shown on the New Review Request page, generating 500 errors instead.
* Fixed caching issues with the Blocks field on review requests.
* Editing JSON text fields in the administration UI now works, validates, and won't result in warnings in the log.
* Fixed breakages with looking up URLs internally with Local Sites.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1027010 - CVE-2013-4519 ReviewBoard: two XSS vulnerabilities
https://bugzilla.redhat.com/show_bug.cgi?id=1027010
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the package-announce
mailing list