[SECURITY] Fedora 19 Update: ReviewBoard-1.7.16-2.fc19

updates at fedoraproject.org
Tue Oct 29 03:40:02 UTC 2013


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-18931
2013-10-11 22:52:24
--------------------------------------------------------------------------------

Name        : ReviewBoard
Product     : Fedora 19
Version     : 1.7.16
Release     : 2.fc19
URL         : http://www.review-board.org
Summary     : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.

--------------------------------------------------------------------------------
Update Information:

Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).

These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk at gmail.com> - 1.7.16-2
- Update Djblets version
* Sun Oct 13 2013 Patrick Uiterwijk <puiterwijk at redhat.com> - 1.7.15-2
- New upstream bugfix release 1.7.16
- Fixes a breakage when accessing the Review Group Users resource
- Fixes pagination in dashboard and similar pages
* Thu Oct 10 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.15-1
- New upstream security release 1.7.15
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15/
- Resolves: CVE-2013-4410
- Fixes access-control problems with REST API
- Resolves: CVE-2013-4411
- Fixes URL processing allowing unauthorized users to view review lists
* Mon Sep 23 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.14-1
- New upstream security release 1.7.14
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.14/
- Some API resources were accessible even if their parent resources were not,
  due to a missing check. In most cases, this was harmless, but it can affect
  those using access control on groups or review requests.
* Thu Aug 15 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.13-2
- New upstream release 1.7.13
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.13/
- Starting with this release, sites will automatically be upgraded if they are
  listed in the text file /etc/reviewboard/sites by the path to their site,
  one per line.
* Mon Jul 29 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.12-1
- New upstream release 1.7.12
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/
- Security Fixes:
    * Function names in diff headers are no longer rendered as HTML.
    * If a user’s full name contained HTML, the Submitters list would render it
      as HTML, without escaping it. This was an XSS vulnerability.
    * The default Apache configuration is now more strict with how it serves up
      file attachments. This does not apply to existing installations. See
      http://support.beanbaginc.com/support/solutions/articles/110173-securing-file-attachments
      for details.
    * Uploaded files are now renamed to include a hash, preventing users from
      uploading malicious filenames, and making filenames unguessable.
    * Recaptcha support has been updated to use the new URLs provided by
      Google.
- New Features:
    * Added a X-ReviewRequest-Repository header for e-mails.
- Extension Improvements:
    * Extensions can now specify their list of app directories.
    * Extensions can now specify the author’s URL.
    * Improved the look and feel for extension configuration.
    * Improved the functionality for extension configuration.
    * Improved the list of available extensions.
- Bug Fixes:
    * Fixed the “Show Whitespace Changes” toggle.
    * Fixed compatibility with modern versions of django-storages.
    * Draft comments on file attachments are no longer shown to all users.
    * Fixed issues with console windows appearing when invoking Clear Case
      requests on Python 2.7.x and Windows 7.
    * Review requests on Local Sites are now guaranteed to have the proper ID.
    * Fixed starring review requests on Local Sites.
* Thu Jun 27 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.11-1
- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.11/
- Bug Fixes:
    * Fixed compatibility with Python 2.5
    * Fixed the drop-down arrow by Support and the account name on older
      versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <sgallagh at redhat.com> - 1.7.10-1
- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
    * Fixed an XSS vulnerability where users could trigger script errors under
      certain conditions in auto-complete widgets
- Web API Changes:
    * Added an ?order-by=<fieldname> query parameter for comment resources,
      allowing ordering by fields such as line numbers (for diff comments)
    * Added a filename field to screenshot resources, which provides the base
      filename (without path) of the screenshot
    * Added a review_url field to screenshot resources, which provides the URL
      to the screenshot review page
    * Added a thumbnail_url field to screenshot comment resources, which
      provides the URL to the snippet of the screenshot being commented on
    * Added a link_text field to file attachment comment resources, which shows
      the text for any link pointing to the file. This may differ depending on
      the comment
    * Added a review_url field to file attachment comment resources, which
      provides the URL to the review page for the file
    * Added a thumbnail_html field to file attachment comment resources, which
      provides HTML for rendering the thumbnail of the portion of the file
      being rendered, if any
- UI Changes:
    * Improved the look and feel of the issue summary table. It’s cleaner and
      no longer looks odd with long comment text
- Bug Fixes:
    * Fixed periodic but harmless JavaScript errors when removing elements with
      relative timestamps
    * Editing or reordering dashboard columns no longer breaks after the
      dashboard reloads
    * Relative timestamps in the dashboard no longer break after the dashboard
      reloads
    * The maximum size of the timezone has increased, allowing for longer
      timezone strings
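
The bug class behind the 1.7.14 and 1.7.15 entries above, and behind the Update Information (a child API resource served although its parent, such as an invite-only group or a Local Site, should have been off-limits), as an added Python example. This is not Review Board's code: the User, LocalSite, ReviewGroup and Resource classes, their attributes and the shape of the resource tree are assumptions made for illustration.

```python
"""Hierarchical access control for a REST resource tree.

Added example, not Review Board's code. It models the bug class in the
1.7.14 and 1.7.15 entries (and the Update Information): a child resource
that was served even though its parent resource should have been
off-limits. Class names, attributes and the resource layout are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    username: str
    is_superuser: bool = False
    local_sites: set = field(default_factory=set)  # Local Sites the user belongs to


@dataclass
class LocalSite:
    name: str

    def is_accessible_by(self, user: User) -> bool:
        return user.is_superuser or self.name in user.local_sites


@dataclass
class ReviewGroup:
    name: str
    local_site: Optional[LocalSite] = None
    invite_only: bool = False
    members: set = field(default_factory=set)

    def is_accessible_by(self, user: User) -> bool:
        # A group inside a Local Site is never visible to outsiders of that site.
        if self.local_site is not None and not self.local_site.is_accessible_by(user):
            return False
        return (not self.invite_only or user.is_superuser
                or user.username in self.members)


class Resource:
    """One node of the API tree, e.g. /local-site/<x>/review-groups/<g>/users/."""

    def __init__(self, name: str, parent: "Optional[Resource]" = None, obj=None):
        self.name = name
        self.parent = parent
        self.obj = obj  # model behind this node, or None for a plain list node

    def has_access_permissions(self, user: User) -> bool:
        # Only this node's own rule; a list node without a model allows everyone.
        if self.obj is None:
            return True
        return self.obj.is_accessible_by(user)


def vulnerable_check(resource: Resource, user: User) -> bool:
    """The missing-check pattern: only the requested node is consulted."""
    return resource.has_access_permissions(user)


def fixed_check(resource: Resource, user: User) -> bool:
    """Every ancestor up to the root must also grant access."""
    node = resource
    while node is not None:
        if not node.has_access_permissions(user):
            return False
        node = node.parent
    return True


def build_users_resource() -> Resource:
    """Constructed sample tree: root -> Local Site -> invite-only group -> users list."""
    site = LocalSite("internal")
    group = ReviewGroup("secret-project", local_site=site, invite_only=True,
                        members={"alice"})
    root = Resource("root")
    site_node = Resource("local_site", parent=root, obj=site)
    group_node = Resource("review_group", parent=site_node, obj=group)
    # The users list has no ACL of its own; it relies entirely on its ancestors.
    return Resource("review_group_users", parent=group_node)


def demo() -> dict:
    users = build_users_resource()
    alice = User("alice", local_sites={"internal"})  # group member
    bob = User("bob", local_sites={"internal"})      # in the site, not invited
    mallory = User("mallory")                        # outsider
    return {
        "vulnerable_mallory": vulnerable_check(users, mallory),
        "fixed_mallory": fixed_check(users, mallory),
        "fixed_bob": fixed_check(users, bob),
        "fixed_alice": fixed_check(users, alice),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Walking the whole ancestor chain is what makes the fix robust: a sub-resource that carries no access rule of its own (the list of a group's users, above) inherits the group's invite-only rule and the Local Site's membership rule, and a newly added sub-resource cannot silently skip them.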
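
The technique named in the 1.7.12 entry above (uploaded files renamed to include a hash, so that the original filename cannot be dangerous and the stored path cannot be guessed), as an added Python example. This is not Review Board's code: the naming scheme, the extension allow-list, the token length and the upload directory are assumptions made for illustration.

```python
"""Renaming uploads to hashed, unguessable names.

Added example, not Review Board's code: it demonstrates the 1.7.12 entry
(uploaded files renamed to include a hash so that the original filename
can't be dangerous and the stored path can't be guessed). The naming
scheme, extension allow-list and directory layout are assumptions.
"""
import hashlib
import os
import re
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Extensions that may survive the rename; anything else becomes ".bin" so
# the web server never serves an upload as a script or HTML document.
# (Assumed list for the example.)
SAFE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt", ".diff"}

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]+")
STORED_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,40}_[0-9a-f]{32}\.[a-z0-9]{1,5}$")


def _basename(original_name: str) -> str:
    # Drop any directory part (including Windows-style), which defeats "../".
    return PurePosixPath(original_name.replace("\\", "/")).name


def safe_stem(original_name: str) -> str:
    """A short, sanitized stem of the user-supplied name, kept for readability only."""
    stem = PurePosixPath(_basename(original_name)).stem
    stem = _UNSAFE_CHARS.sub("_", stem).strip("_-")
    return (stem or "file")[:40]


def safe_extension(original_name: str) -> str:
    ext = PurePosixPath(_basename(original_name)).suffix.lower()
    return ext if ext in SAFE_EXTENSIONS else ".bin"


def stored_name(original_name: str, content: bytes,
                nonce: Optional[bytes] = None) -> str:
    """<stem>_<hash><ext>, where hash = SHA-256(nonce || content).

    The random nonce is what makes the name unguessable: hashing the content
    alone would let anyone who knows the file predict where it lives.
    """
    if nonce is None:
        nonce = secrets.token_bytes(16)
    digest = hashlib.sha256(nonce + content).hexdigest()[:32]
    return f"{safe_stem(original_name)}_{digest}{safe_extension(original_name)}"


def looks_stored(name: str) -> bool:
    """True if name has the shape produced by stored_name()."""
    return STORED_NAME_RE.fullmatch(name) is not None


def resolve_upload_path(base_dir: str, name: str) -> str:
    """Join name onto base_dir, refusing anything that is not a stored name
    or that would resolve outside base_dir (belt and braces)."""
    if not looks_stored(name):
        raise ValueError(f"not a stored upload name: {name!r}")
    base = os.path.abspath(base_dir)
    full = os.path.abspath(os.path.join(base, name))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes the upload directory")
    return full


def demo() -> dict:
    """Constructed sample uploads; the fixed nonce keeps the output repeatable."""
    content = b"constructed sample upload"
    nonce = b"fixed-nonce-for-the-demo"
    return {orig: stored_name(orig, content, nonce)
            for orig in ("../../etc/passwd", "shell.php", ".htaccess", "Photo.PNG")}


if __name__ == "__main__":
    for original, stored in demo().items():
        print(f"{original!r:24} -> {resolve_upload_path('/srv/uploads', stored)}")
```

Two points worth noting: the name is derived from a random nonce plus the content, not from the content alone, otherwise anyone who knows what was uploaded could compute its URL; and the extension is normalised through an allow-list so that a file named `shell.php` or `.htaccess` is stored as `.bin` and never interpreted by the web server, complementing the stricter Apache attachment configuration the same release introduced.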
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems with REST API
        https://bugzilla.redhat.com/show_bug.cgi?id=1016596
  [ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows unauthorized users to view review lists
        https://bugzilla.redhat.com/show_bug.cgi?id=1016599
  [ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval() vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=1016601
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------