Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).

These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.

There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs.

This update has been submitted for testing by sgallagh.

8 years ago

sgallagh has edited this update. New build(s): python-djblets-0.7.20-1.el6. Removed build(s): python-djblets-0.7.19-1.el6.

8 years ago

This update is currently being pushed to the Fedora EPEL 6 testing updates repository.

8 years ago

This update has been pushed to testing

8 years ago

sgallagh has edited this update. New build(s): ReviewBoard-1.7.16-2.el6, python-djblets-0.7.21-1.el6. Removed build(s): python-djblets-0.7.20-1.el6, ReviewBoard-1.7.15-1.el6.

8 years ago

This update has been submitted for testing by sgallagh.

8 years ago

This update is currently being pushed to the Fedora EPEL 6 testing updates repository.

8 years ago

This update has been pushed to testing

8 years ago

sgallagh has edited this update. New build(s): ReviewBoard-1.7.16-2.el6.1. Removed build(s): ReviewBoard-1.7.16-2.el6.

8 years ago

This update has been submitted for testing by sgallagh.

8 years ago

This update is currently being pushed to the Fedora EPEL 6 testing updates repository.

8 years ago

This update has been pushed to testing

8 years ago

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

8 years ago

This update has been submitted for stable by sgallagh.

8 years ago

This update is currently being pushed to the Fedora EPEL 6 stable updates repository.

8 years ago

This update has been pushed to stable

8 years ago

Please login to add feedback.

Metadata
Type
security
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
disabled
Stable by Time
disabled
Dates
submitted
8 years ago
in testing
8 years ago
in stable
8 years ago
modified
8 years ago
BZ#1016596 CVE-2013-4410 ReviewBoard: access-control problems with REST API
0
0
BZ#1016599 CVE-2013-4411 ReviewBoard: URL processing allows unauthorized users to view review lists
0
0
BZ#1016601 CVE-2013-4409 python-djblets: unsanitized eval() vulnerability
0
0
BZ#1018000 CVE-2013-4410 CVE-2013-4411 ReviewBoard: various flaws [epel-6]
0
0
BZ#1018002 CVE-2013-4409 python-djblets: unsanitized eval() vulnerability [epel-6]
0
0
BZ#1018598 ReviewBoard-1.7.16 is available
0
0

Automated Test Results