[SECURITY] Fedora 18 Update: ReviewBoard-1.7.18-1.fc18

updates at fedoraproject.org
Tue Nov 26 03:59:43 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-20817
2013-11-07 02:32:01
--------------------------------------------------------------------------------

Name        : ReviewBoard
Product     : Fedora 18
Version     : 1.7.18
Release     : 1.fc18
URL         : http://www.review-board.org
Summary     : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.

--------------------------------------------------------------------------------
Update Information:

- Fix JavaScript errors

- New upstream security release 1.7.17
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17/
- Resolves: CVE-2013-4519
- Security Fixes:
  * Fixed XSS vulnerabilities for the 'Branch' field and uploaded file captions.
  * Added a 'X-Frame-Options' header to prevent clickjacking.
- New Features:
  * Remove the need for SSH keys for GitHub repositories.
  * Improved validation for GitHub repositories.
  * Added support for permissions on Local Sites.
- Performance Improvements:
  * Reduced query counts on all pages.
  * Reduced query counts in the web API when returning empty lists.
- Extensibility:
  * Extensions using the ``configure_extension`` view can now pass in a custom ``template_name`` pointing to a template for the configuration page, if it needs additional customization.
  * Enabling, disabling or reconfiguring extensions will now invalidate the caches for pages, ensuring that hooks will take effect.
  * Extension configuration now works properly on subdirectory installs.
- Bug Fixes:
  * Fixed showing private review requests on a submitter page.
  * The description for submitted or discarded review requests is now shown on the diff viewer.
  * Discarding, reopening and then closing a review request no longer makes the review request private.
  * Fixed a naming conflict with older PyCrypto packages, such as the default package on CentOS 6.4.
  * Users with the 'can_change_status' permission no longer need the 'can_edit_reviewrequest' permission in order to close or reopen review requests.
  * Switching a repository from using a hosting service to Custom no longer reverts back to the hosting service.
  * Fixed editing a repository if its associated hosting service can't be loaded (such as if an extension providing that hosting service is disabled).
  * Many diff validation errors weren't being shown on the New Review Request page, generating 500 errors instead.
  * Fixed caching issues with the Blocks field on review requests.
  * Editing JSON text fields in the administration UI now works, validates, and won't result in warnings in the log.
  * Fixed breakages with looking up URLs internally with Local Sites.
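
The two security fixes above (HTML escaping of the 'Branch' field and the new 'X-Frame-Options' header) can be verified after the update without reading Review Board's source. The script below is an added example and is not Review Board or Fedora code: it parses raw HTTP responses (as captured with `curl -i` from a test instance after a review request's Branch field has been set to a harmless probe string) and reports whether the header is present and whether the probe was rendered escaped. The probe string, the `audit` helper and the two sample responses are constructed for this example.

```python
"""Post-update check for the two CVE-2013-4519 mitigations listed above.

Added example, not Review Board code. It parses raw HTTP responses (captured
with `curl -i` from a test instance) and reports whether the X-Frame-Options
header is set and whether a probe string placed in the Branch field was
HTML-escaped when rendered. The two sample responses at the bottom are
constructed to illustrate a pre-1.7.17 and a post-1.7.17 result.
"""
import html

# Harmless marker to put in the Branch field of a test review request
# (constructed; any distinctive string containing '<' and '>' works).
PROBE = "<b>rb-branch-probe</b>"


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body).

    Header names are lower-cased because HTTP header names are
    case-insensitive; only the first value of a repeated header is kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return status_line, headers, body


def frame_options_ok(headers):
    """True if X-Frame-Options carries one of the two widely supported values."""
    value = headers.get("x-frame-options", "").strip().upper()
    return value in ("DENY", "SAMEORIGIN")


def branch_escaped(body, probe=PROBE):
    """True if the probe appears only in HTML-escaped form.

    html.escape(quote=False) turns '<' and '>' into '&lt;' and '&gt;', the
    same entities Django's autoescaping emits, which is what a fixed Branch
    field renders. A body containing the raw probe fails the check.
    """
    escaped = html.escape(probe, quote=False)
    return probe not in body and escaped in body


def audit(raw, probe=PROBE):
    """Return a dict of check name -> pass/fail for one captured response."""
    _, headers, body = parse_response(raw)
    return {
        "x_frame_options": frame_options_ok(headers),
        "branch_escaped": branch_escaped(body, probe),
    }


# Constructed sample responses (not real captures).
VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><body><span class="branch">' + PROBE + "</span></body></html>"
)

FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    '<html><body><span class="branch">'
    + html.escape(PROBE, quote=False)
    + "</span></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before update", VULNERABLE), ("after update", FIXED)):
        print(label, audit(raw))
```

Both checks must pass on every page that renders the Branch field (the review request page and the diff viewer), and the header check should be repeated against a page served from a subdirectory install, since the header is added per response rather than per site.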
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 13 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.18-1
- New upstream bugfix release 1.7.18
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.18/
- Convert to using UglifyJS2 for javascript minification
* Tue Nov  5 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.17-1
- New upstream security release 1.7.17
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17/
- Resolves: CVE-2013-4519
- Security Fixes:
  * Fixed XSS vulnerabilities for the 'Branch' field and uploaded file
    captions.
  * Added a 'X-Frame-Options' header to prevent clickjacking.
- New Features:
  * Remove the need for SSH keys for GitHub repositories.
  * Improved validation for GitHub repositories.
  * Added support for permissions on Local Sites.
- Performance Improvements:
  * Reduced query counts on all pages.
  * Reduced query counts in the web API when returning empty lists.
- Extensibility:
  * Extensions using the ``configure_extension`` view can now pass in a custom
    ``template_name`` pointing to a template for the configuration page, if it
    needs additional customization.
  * Enabling, disabling or reconfiguring extensions will now invalidate the
    caches for pages, ensuring that hooks will take effect.
  * Extension configuration now works properly on subdirectory installs.
- Bug Fixes:
  * Fixed showing private review requests on a submitter page.
  * The description for submitted or discarded review requests is now shown on
    the diff viewer.
  * Discarding, reopening and then closing a review request no longer makes the
    review request private.
  * Fixed a naming conflict with older PyCrypto packages, such as the default
    package on CentOS 6.4.
  * Users with the 'can_change_status' permission no longer need the
    'can_edit_reviewrequest' permission in order to close or reopen review
    requests.
  * Switching a repository from using a hosting service to Custom no longer
    reverts back to the hosting service.
  * Fixed editing a repository if its associated hosting service can't be
    loaded (such as if an extension providing that hosting service is
    disabled).
  * Many diff validation errors weren't being shown on the New Review Request
    page, generating 500 errors instead.
  * Fixed caching issues with the Blocks field on review requests.
  * Editing JSON text fields in the administration UI now works, validates, and
    won't result in warnings in the log.
  * Fixed breakages with looking up URLs internally with Local Sites.
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk at gmail.com> - 1.7.16-2
- Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk at redhat.com> - 1.7.15-2
- New upstream bugfix release 1.7.16
- Fixes a breakage when accessing the Review Group Users resource
- Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.15-1
- New upstream security release 1.7.15
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15/
- Resolves: CVE-2013-4410
- Fixes access-control problems with REST API
- Resolves: CVE-2013-4411
- Fixes URL processing allowing unauthorized users to view review lists
* Mon Sep 23 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.14-1
- New upstream security release 1.7.14
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.14/
- Some API resources were accessible even if their parent resources were not,
  due to a missing check. In most cases, this was harmless, but it can affect
  those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.13-2
- New upstream release 1.7.13
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.13/
- Starting with this release, sites will automatically be upgraded if they are
  listed in the text file /etc/reviewboard/sites by the path to their site,
  one per line.
* Mon Jul 29 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.12-1
- New upstream release 1.7.12
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/
- Security Fixes:
    * Function names in diff headers are no longer rendered as HTML.
    * If a user’s full name contained HTML, the Submitters list would render it
      as HTML, without escaping it. This was an XSS vulnerability.
    * The default Apache configuration is now more strict with how it serves up
      file attachments. This does not apply to existing installations. See
      http://support.beanbaginc.com/support/solutions/articles/110173-securing-file-attachments
      for details.
    * Uploaded files are now renamed to include a hash, preventing users from
      uploading malicious filenames, and making filenames unguessable.
    * Recaptcha support has been updated to use the new URLs provided by
      Google.
- New Features:
    * Added a X-ReviewRequest-Repository header for e-mails.
- Extension Improvements:
    * Extensions can now specify their list of app directories.
    * Extensions can now specify the author’s URL.
    * Improved the look and feel for extension configuration.
    * Improved the functionality for extension configuration.
    * Improved the list of available extensions.
- Bug Fixes:
    * Fixed the “Show Whitespace Changes” toggle.
    * Fixed compatibility with modern versions of django-storages.
    * Draft comments on file attachments are no longer shown to all users.
    * Fixed issues with console windows appearing when invoking Clear Case
      requests on Python 2.7.x and Windows 7.
    * Review requests on Local Sites are now guaranteed to have the proper ID.
    * Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.11-1
- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.11/
- Bug Fixes:
    * Fixed compatibility with Python 2.5
    * Fixed the drop-down arrow by Support and the account name on older
      versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.10-1
- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
    * Fixed an XSS vulnerability where users could trigger script errors under
      certain conditions in auto-complete widgets
- Web API Changes:
    * Added an ?order-by=<fieldname> query parameter for comment resources,
      allowing ordering by fields such as line numbers (for diff comments)
    * Added a filename field to screenshot resources, which provides the base
      filename (without path) of the screenshot
    * Added a review_url field to screenshot resources, which provides the URL
      to the screenshot review page
    * Added a thumbnail_url field to screenshot comment resources, which
      provides the URL to the snippet of the screenshot being commented on
    * Added a link_text field to file attachment comment resources, which shows
      the text for any link pointing to the file. This may differ depending on
      the comment
    * Added a review_url field to file attachment comment resources, which
      provides the URL to the review page for the file
    * Added a thumbnail_html field to file attachment comment resources, which
      provides HTML for rendering the thumbnail of the portion of the file
      being rendered, if any
- UI Changes:
    * Improved the look and feel of the issue summary table. It’s cleaner and
      no longer looks odd with long comment text
- Bug Fixes:
    * Fixed periodic but harmless JavaScript errors when removing elements with
      relative timestamps
    * Editing or reordering dashboard columns no longer breaks after the
      dashboard reloads
    * Relative timestamps in the dashboard no longer break after the dashboard
      reloads
    * The maximum size of the timezone has increased, allowing for longer
      timezone strings
* Mon Jun  3 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.9-1
- New upstream release 1.7.9
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.9/
- API Changes:
    * Added new blocks and depends_on fields to the Review Request resource
- Bug Fixes:
    * Fixed the max_length of the new HostingServiceAccount.hosting_url field
    * Fixed the documentation for the cgit configuration for Git
    * Fixed the cgit URL for Fedora Hosted
* Mon Jun  3 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.8.1-1
- New upstream release 1.7.8.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8.1/
- Bug Fixes:
    * Fixed a regression with saving repositories that don't use hosting
      services
- Misc. Changes:
    * Compatibility changes for the upcoming PDF review plugin
- New upstream release 1.7.8
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8/
- New Features:
    * Added Depends On and Blocks fields to review requests
    * Added an improved support page
    * Added the ability to set where Get Support takes users
    * Added improved logging for many operations
- Performance Improvements:
    * Reduced the upload time for many new diffs
    * The templates used for rendering the various pages are now cached after
      the first render, speeding up the rendering for any future renders. We've
      seen speedups of ~100-120ms for review request pages
- Usability Improvements:
    * The review request actions are now larger, making them more visible and
      easier to hit, particularly on touch screens
    * Clicking Fixed, Drop or Re-open now keeps the page in the same scroll
      position
    * The dashboard now reloads dynamically, without reloading the entire page
    * The comment dialog now tells you when you can't make a comment (due to
      being logged out or reviewing something that's part of a draft)
- API Changes:
    * Fixed deleting pending replies to comments
    * Fixed some issues returning certain lists of data
- Extensibility Improvements:
    * Extensions can now customize their metadata directly in the Extension
      class
    * TemplateHooks can now render their own content by overriding
      render_to_string()
    * NavigationBarHook can now take a url_name parameter specifying the URL
      name to link to
    * Review UIs can now specify the link and link text for any comments on a
      review by overriding get_comment_link_url() and get_comment_link_text()
    * Custom hosting services can now be registered/unregistered by extensions
      by using register_hosting_service() and unregister_hosting_service()
      (from reviewboard.hostingsvcs.service)
    * Added the ability to more easily write hosting services support that
      works for self-installable services
- Bug Fixes:
    * Added missing repository validation for Mercurial repositories
    * Fixed replying to comments on file attachments that have since been
      removed
    * Fixed the display of the upload dialogs when viewing a file attachment
    * Comments on file attachments in e-mails now link to the correct review UI
      handling the file
    * Worked around rare issues where a reset of the Open An Issue default for
      a user would cause pages to break
- Misc Changes:
    * E-mails now show the user’s full name instead of just their first name
    * The New Review Request page now mentions RBTools instead of just
      post-review
* Mon Apr 22 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.7.1-1
- New upstream release 1.7.7.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.7.1/
- Bug Fixes:
    * Fixed a problem with generating config files when creating a new site
      installation
- New upstream release 1.7.7
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.7/
- New Features:
    * The configured SSH key can now be deleted
    * Added support for working against a GitHub OAuth application
- Performance Improvements:
    * Uploading a diff with a parent diff will no longer attempt to process any
      files in the parent diff that aren't in the main diff
    * Sped up rendering times for the Dashboard, All Review Requests page, and
      the user/groups pages
- Web API Improvements:
    * Fixed a breakage with updating comments when the issue_status field
      wasn't provided
    * Improved caching logic to not claim a cached payload is valid when the
      client reports a matching Last Modified timestamp but not a matching
      ETag
- Bug Fixes:
    * Specifying a port in a SSH URL for a repository will now connect on that
      port
    * Fixed broken links to file attachments when using Local Sites
    * Review request e-mails now show the right ID in the subject for Local
      Sites
    * Fixed Python path issues when spawning processes
    * Fixed a rare breakage when saving repositories
    * Fixed the cookie path when using site directories
    * When installing a site, database hosts now accept a port in the format of
      hostname:port
    * Fixed visual glitches with some rounded corners in the UI
* Wed Apr 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-4
- Add explicit BuildRequires: python-django14
* Wed Apr 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-3
- Change to explicit requirement on python-django14
- Resolves: rhbz#950411 - Change requires to python-django14
* Thu Mar 21 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-2
- Replace references of id2= with id= for cgit
- Use file blobs rather than plaintext representation with Fedora
  Hosted cgit repositories
* Thu Feb 21 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.6-1
- New upstream release 1.7.6
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.6/
- Fedora-specific: removed versioning requirement on paramiko; it's no longer
  needed
- Security Updates:
    * We now require Django 1.4.5, which fixes a few security vulnerabilities
- New Features:
    * Added Perforce ticket-based authentication
    * Added a setting for choosing Review Board log levels
- Web API Changes:
    * Added API support for querying and manipulating default reviewers
    * Repositories deleted through the Web API are now only archived if they
      have any associated review requests
- Bug Fixes:
    * Fixed fetching files with FedoraHosted
    * Fixed some cases where URLs to user pages were incorrect, especially on
      subdirectory installs and local sites
    * We try harder now to set the PYTHONPATH for subprocesses, which should
      fix some issues fetching files over Subversion
    * The Administration UI dashboard widgets no longer cache their data too
      aggressively
    * Fixed showing the error box when entering an invalid reviewer
    * Fixed config/ and db/ links for extensions, when in a subdirectory
      install
    * The Manual Updates page for the media upload directory no longer points
      to a non-existent wiki page
* Thu Feb  7 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.5-1
- New upstream release 1.7.5
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.5/
- New Features:
    * Added a nicer, human-readable view of diffs in the FileDiff tables in the
      administration UI
    * The repository name is now included in review request e-mails
- Compatibility Fixes:
    * We now require django-pipeline 1.2.24, which restores our compatibility
      with Python 2.5 and fixes some errors when loading pages
    * Our list of supported timezones should now be consistent across all
      installs, since we now require a specific, modern version of pytz
      (Packager's note: this is an upstream change only. In Fedora we have
      always relied on the system pytz)
- Bug Fixes:
    * The entire thumbnail for file attachments is now clickable, making it
      easier to download the file or reach the review page
    * Users are no longer locked out of their review requests when assigned to
      private groups they don’t have access to
    * The Hide whitespace changes toggle was broken on many browsers, causing a
      JavaScript error
    * Searching for a user in the quick search field and then clicking the user
      once again navigates to the user’s page
    * The review request counts in the dashboard no longer show “None” for new
      users when using Local Sites
* Thu Jan 31 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.4-1
- New upstream release 1.7.4
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.4/
- Bug Fixes:
    * Fixed a JavaScript error in Internet Explorer and Firefox 3.x involving
      the console object being undefined
    * Fixed the diff viewer’s changed file listings when using Windows file
      paths
* Mon Jan 28 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.3-1
- New upstream release 1.7.3
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.3/
- New Features:
    * Add optional support for sending e-mails when closing review requests
- Compatibility Updates:
    * The new support for Perforce moved files has changed.
      RBTools 0.4.3 will now require Review Board 1.7.3 at a minimum.
    * Review Board now works with SVN diffs generated in many non-C locales
- Web API Changes:
    * Added a scmtools.perforce.moved_files capability to indicate moved file
      support for Perforce
- Bug Fixes:
    * SMTP servers saved with additional whitespace will now have that
      whitespace stripped, in order to prevent lookup failures.
    * Fixed a crash when running a search index
    * The listed creation time for a review request now reflects when it was
      first published, not when the initial draft was first created
    * The "Add Comment" button on file attachment thumbnails is no longer shown
      if not logged in
    * Fixed a bug allowing for publishing blank review requests after filling
      in the field and then deleting them
    * Fixed an occasional crash when viewing a diff when displaying a function
      or class header on the left-hand side but when there was none on the
      right-hand side
    * Fixed a breakage on some systems when checking the Mercurial version
    * The Summary field no longer overlaps text when wrapping
    * Fixed the review ID column when using Local Sites
    * Using a custom SITE_ROOT with a development server setup no longer breaks
      all static media
    * Fixed the capitalization of the "VersionOne" bug tracker entry
    * Using ClearCase on Windows 7 should no longer cause console windows to
      pop up
    * Fixed loading blank comments in the diff viewer
* Thu Jan 17 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.2-1
- New upstream release 1.7.2
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.2/
- New Features:
    * Added bug tracker support for VersionOne
    * Added support for ssl:-prefixed P4PORTs for Perforce 2012.1+
    * Added support for moved file handling for Perforce
- Bug Fixes:
    * Fixed an HTML escaping issue when listing filenames in the diff viewer
    * Fixed the display of the static media instructions in rb-site
    * Attempting to install on Python 2.4 will now display a helpful error before
      failing, instead of a cryptic error
    * Fixed the display of file attachment names in review request change
      descriptions that don’t have captions
    * Fixed the default file-based cache path used when creating a new site
    * The Review Board Activity widget in the administration UI will now clear
      the data shown when the datasets are unselected
    * Fixed capitalization of the navigation bar entries to be consistent
    * Fixed the link to the PyLucene documentation in the General Settings page
    * Fixed default Apache configuration files to be explicit in enabling
      FollowSymLinks
    * Fixed timezone warnings when running the search index command
* Fri Dec 21 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7.1-2
- Add missing runtime dependencies
* Wed Dec 19 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7.1-1
- New upstream release 1.7.1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7/
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.0.1/
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.1/
* Thu Dec 13 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-5.rc1
- Update to upstream release candidate 1.7rc1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7-rc-1/
* Wed Oct  3 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-4.beta2
- Disable building documentation
* Wed Oct  3 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-3.beta2
- Disable JavaScript minification until python-slimit is available
* Wed Oct  3 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-2.beta2
- New upstream release 1.7 beta2
- New Features:
    * Introduced a new style for Review Board
- Performance Improvements:
    * We’ve updated our dependency on jQuery to the latest version. We’ve been
      on an old one for quite a while, and there have been many performance
      improvements since. The site’s responsiveness should be a little faster
      now.
- Bug Fixes:
    * Fixed the paths to certain decorational image files
    * File attachment comments are no longer missing from the review box
    * Fixed problems with issue tracking statuses in the review box
    * Fixed wrapping of the text in the change updates
    * Admin UI widgets no longer overlap when loading the page
* Mon Aug  6 2012 Stephen Gallagher <sgallagh at redhat.com> - 1.7-1.beta1
- New upstream release 1.7 beta1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7-beta-1/
- Compatibility Changes:
    * Added a requirement for Django 1.4
    * Dropped Python 2.4 support
- New Features:
    * Experimental extension support
    * New administration UI
    * Issue summary table for review requests
    * Moved files in a change are better represented in the diff viewer
    * Some file attachments are now shown with more detailed previews
    * Added a “To Me” column in the dashboard
    * Dates and times are now localized to the user’s region
    * The review request update bubble now says if the review request was
      closed
    * E-mails now include the review request ID in the subject header
    * Links in the Description and Testing Done text now open in new windows or
      tabs
    * Required fields on a review request are now marked as required by showing
      an asterisk
    * Added a “Show changes” link on the change description boxes after
      publishing a diff
    * Added support for the latest CVS diff file format
- Removed Features:
    * The hidden reports feature (accessible at /reports/) has been removed
- Performance Improvements:
    * Reduced download time of JavaScript and CSS
    * Reduced diff storage and lookups
- Web API Changes:
    * Added server capabilities in /api/info/
    * Added resources for viewing the original and patched files for a
      FileDiff
- Bug Fixes:
    * The “Diff Updated” column in the dashboard now actually reflects the last
      diff update
    * Captions changes for file attachments are now shown on change description
      boxes, just like screenshot caption changes
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1027010 - CVE-2013-4519 ReviewBoard: two XSS vulnerabilities
        https://bugzilla.redhat.com/show_bug.cgi?id=1027010
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------