Bug 478470 - <dev-util/reviewboard-1.7.28: multiple vulnerabilities (CVE-2013-4519)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.reviewboard.org/docs/relea...
Whiteboard: ~4 [noglsa]
Keywords:
Duplicates: 481040
Depends on:
Blocks:
 
Reported: 2013-07-28 14:27 UTC by Joakim Tjernlund
Modified: 2014-10-05 18:46 UTC
Description Joakim Tjernlund 2013-07-28 14:27:00 UTC
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/
Some security fixes in there as well.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-28 20:28:54 UTC
Release date: July 28, 2013

= Security Fixes =

This release contains security updates to better lock down Review Board from
malicious users.

There are no known vulnerabilities in the wild for these issues, but we
recommend upgrading immediately.

* Function names in diff headers are no longer rendered as HTML. Patch by
  Damian Johnson. (Bug #2612)
* The default Apache configuration is now more strict with how it serves up
  file attachments. This does not apply to older installations. To update your
  configuration, and to read best practices, read our guide on securing file
  attachments.
* Uploaded files are now renamed to include a hash, preventing users from
  uploading malicious filenames, and making filenames unguessable.
* Recaptcha support has been updated to use the new URLs provided by Google.
  This re-enables Recaptcha support when serving over HTTPS.
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2013-08-01 14:10:58 UTC
patch @ https://github.com/atagar/ReviewBoard/commit/617f526af36d320910626eac6872714734c5d7dd is incorporated in reviewboard-1.7.12.ebuild

*reviewboard-1.7.12 (01 Aug 2013)

  01 Aug 2013; Ian Delaney <idella4@gentoo.org> +reviewboard-1.7.12.ebuild:
  bump, fixes Bug #478470
Well, it seems it addresses rather than fixes. I'm leaving it to you to address Bug 479404.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2013-08-01 15:28:26 UTC
Right, I was somewhat premature in bumping it; I updated the deps, leading to it being masked while awaiting the required bump to Djblets, which is more or less Bug 479404.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2013-08-14 12:40:03 UTC
*** Bug 481040 has been marked as a duplicate of this bug. ***
Comment 5 Joakim Tjernlund 2013-09-30 15:35:55 UTC
Reviewboard moves on and now we have:

Security Updates

    We now require Django 1.4.8, which is their latest security release. It fixes a major denial-of-service attack vector against the authentication support. We strongly encourage everybody running Review Board 1.7.x to update to this release, particularly if you’re running a site exposed to the Internet.

    Some API resources were accessible even if their parent resources were not, due to a missing check. In most cases, this was harmless, but it can affect those using access control on groups or review requests.

http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.14/
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-16 10:55:30 UTC
From http://secunia.com/advisories/55208/ :

Description

Two security issues and a vulnerability have been reported in ReviewBoard, which can be exploited by malicious users to bypass certain security restrictions and potentially compromise a vulnerable system.

1) An error within the Djblets library while parsing JSON requests can be exploited to potentially execute arbitrary Python code via a specially crafted serialized Python object.

This vulnerability is reported in versions prior to 1.7.15.

2) The application does not properly restrict access to certain REST APIs, which can be exploited to gain access to otherwise restricted resources.

Successful exploitation of this security issue requires using the Local Sites feature, invite-only groups, or private repositories.

3) An error within the dashboard URL processing can be exploited to gain access to private review requests via a specially crafted URL.

The security issues #2 and #3 are reported in versions prior to 1.6.19 and 1.7.15.
Solution:
Update to version 1.6.19 or 1.7.15.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.6.19/
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15/
http://www.reviewboard.org/news/2013/10/10/new-security-releases-review-board-1-6-19-and-1-7-15/
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-07 08:33:40 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1027010:

== Issue 1 ==

=== Summary ===
A flaw in the display of the branch field of a review request allows an
attacker to inject arbitrary HTML, allowing attackers to construct scripts
that run in the context of the page.

=== Affected Deployments ===
All Review Board deployments are vulnerable to this flaw.

=== Scope ===
Any registered user on a Review Board instance can provide malicious
content for this field, impacting any user who views the page.

=== Resolution ===
The field's contents were set to HTML-escaped on display.

=== Acknowledgements ===
Frederik Braun from Mozilla is credited with discovering this vulnerability.
Christian Hammond, lead upstream developer of Review Board, is credited with
correcting it.


== Issue 2 ==

=== Summary ===
A flaw in the display of the alt text for an uploaded screenshot or image
file attachment allows an attacker to inject arbitrary HTML through the
caption field, allowing attackers to construct scripts that run in the
context of the page.

=== Affected Deployments ===
All Review Board deployments are vulnerable to this flaw.

=== Scope ===
Any registered user on a Review Board instance can provide malicious
content for a caption, impacting any user who views the page.

=== Resolution ===
The field's contents were set to HTML-escaped on display.

=== Acknowledgements ===
Frederik Braun from Mozilla is credited with discovering this vulnerability.
Christian Hammond, lead upstream developer of Review Board, is credited with
correcting it.

Fixed upstream in versions 1.6.21 and 1.7.17:

http://www.reviewboard.org/news/2013/11/05/review-board-1-6-21-and-1-7-17-released/
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.6.21/
http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.17/
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 22:16:59 UTC
CVE-2013-4519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4519):
  Multiple cross-site scripting (XSS) vulnerabilities in Review Board 1.6.x
  before 1.6.21 and 1.7.x before 1.7.17 allow remote attackers to inject
  arbitrary web script or HTML via the (1) Branch field or (2) caption of an
  uploaded file.
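As an added illustration of the fix described in comments 7 and 8 (example code written for this thread, not Review Board's own), the two rendering contexts the advisory names, the branch field shown as text and the attachment caption used as an `alt` attribute, rendered verbatim versus HTML-escaped on display. The field values and the `/media/uploaded/` path are constructed, and the parser check stands in for what a browser would build from the markup.

```python
from html import escape
from html.parser import HTMLParser

# Constructed field values of the kind any registered user could submit
# (comments 7 and 8): branch is shown as text, caption ends up in <img alt>.
BRANCH = "<script>alert(1)</script>"
CAPTION = '"><script>alert(1)</script>'
IMG_SRC = "/media/uploaded/shot.png"  # placeholder path, not Review Board's


def render_branch_vulnerable(branch):
    """Pre-fix behaviour: field value interpolated into markup verbatim."""
    return f'<span class="branch">{branch}</span>'


def render_branch_fixed(branch):
    """Post-fix behaviour: HTML-escaped on display (text-node context)."""
    return f'<span class="branch">{escape(branch)}</span>'


def render_alt_vulnerable(caption):
    """Pre-fix behaviour: caption dropped into an attribute verbatim."""
    return f'<img src="{IMG_SRC}" alt="{caption}">'


def render_alt_fixed(caption):
    """Post-fix behaviour: quote=True also turns " and ' into entities,
    which attribute context needs on top of < and >."""
    return f'<img src="{IMG_SRC}" alt="{escape(caption, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag and its attributes as a browser would parse
    them; any tag beyond the template's own means the value broke out."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def parse(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def tags_in(markup):
    """Tag names present in the rendered markup (template yields one)."""
    return parse(markup).tags


def alt_text(markup):
    """The alt attribute as the browser decodes it (entities reversed)."""
    return parse(markup).attrs.get("img", {}).get("alt")
```

In the fixed attribute case the caption round-trips as data: the browser decodes the entities back to the original string, but never sees a second tag.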
Comment 9 Joakim Tjernlund 2013-12-10 14:54:17 UTC
Now that dev-python/Djblets-0.7.25 is in the tree, can we have a new
reviewboard ebuild?
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2013-12-16 07:50:32 UTC
(In reply to Joakim Tjernlund from comment #9)
> Now that dev-python/Djblets-0.7.25 is in the tree, can we have a new
> reviewboard ebuild?

At this point no because

reviewboard-1.7.20/work/ReviewBoard-1.7.20/ReviewBoard.egg-info/requires.txt
says

Django>=1.4.10,<1.5
django_evolution>=0.6.9,<0.7
Djblets>=0.7.26,<0.8
django-pipeline>=1.2.24,<1.3

and more.

dev-python/django

     Available versions:  1.4.8 (~)1.5.4
bombs out,
django_evolution>=0.6.9,<0.7 works,
django-pipeline>=1.2.24,<1.3 doesn't,
Djblets>=0.7.26,<0.8 doesn't

and there's more but that's enough.
The ReviewBoard-2.0 is a beta release.

There are a number of other 1.7 releases prior to 1.7.20 which are by their nature superseded, but if you can find 1 that has all the requires.txt's list of python team packages present and accounted for, say the word and I can/shall bump it.  Otherwise, the ..... that appears in place from the python team regarding bumping such required packages .... .  best I not fill in the blanks.
There is also a second listed maintainer of the package.
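To make the dependency check in comment 10 reproducible, here is an added Python script (not Gentoo or Review Board tooling) that evaluates the quoted requires.txt constraints against the versions the thread names; the Django versions come from comment 10 and the Djblets version from comment 9, while the django_evolution and django-pipeline versions are constructed placeholders.

```python
import re

# requires.txt lines quoted in comment 10.
REQUIRES_TXT = """\
Django>=1.4.10,<1.5
django_evolution>=0.6.9,<0.7
Djblets>=0.7.26,<0.8
django-pipeline>=1.2.24,<1.3
"""

# Versions in the tree: Django from comment 10 ("(~)" marks a testing keyword),
# Djblets from comment 9; the last two are constructed placeholders (assumption).
AVAILABLE = {
    "Django": ["1.4.8", "1.5.4"],
    "django_evolution": ["0.6.9"],
    "Djblets": ["0.7.25"],
    "django-pipeline": ["1.2.22"],
}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "==": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}
NAME_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(.*)$")
SPEC_RE = re.compile(r"^(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)$")


def vtuple(version):
    """'1.4.10' -> (1, 4, 10); tuple order gives 1.4.8 < 1.4.10 and 1.5.4 >= 1.5."""
    return tuple(int(x) for x in version.split("."))


def parse_requirement(line):
    """'Django>=1.4.10,<1.5' -> ('Django', [('>=', (1, 4, 10)), ('<', (1, 5))])."""
    m = NAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed requirement: {line!r}")
    name, specs = m.group(1), []
    for part in filter(None, (p.strip() for p in m.group(2).split(","))):
        sm = SPEC_RE.match(part)
        if not sm:
            raise ValueError(f"unsupported specifier {part!r} in {line!r}")
        specs.append((sm.group(1), vtuple(sm.group(2))))
    return name, specs


def satisfied_by(specs, version):
    v = vtuple(version)
    return all(OPS[op](v, bound) for op, bound in specs)


def check_tree(requires_txt, available):
    """Newest available version satisfying each requirement, or None if none does."""
    report = {}
    for line in filter(str.strip, requires_txt.splitlines()):
        name, specs = parse_requirement(line)
        ok = [v for v in available.get(name, []) if satisfied_by(specs, v)]
        report[name] = max(ok, key=vtuple) if ok else None
    return report
```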
Comment 11 Joakim Tjernlund 2014-06-02 21:16:36 UTC
reviewboard 2.0.1 is out, dare I ask if all dependencies are in place?
Comment 12 Hans de Graaff gentoo-dev Security 2014-08-20 08:40:41 UTC
Currently reviewboard-1.7.12 is still masked in the tree:

# Ian Delaney <idella4@gentoo.org> (01 Aug 2013)
# Mask while awaiting bump to dep Djblets-0.7.16
=dev-util/reviewboard-1.7.12


It looks like all the dependencies (also those mentioned in comment 10) are in place now, so can this version be unmasked? And perhaps a later 1.7.x version could be added while the javascript issues with the reviewboard 2.x dependencies are being worked out?
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 03:23:51 UTC
Please upgrade in bug 522472 to Version 1.7.27 or above, setting dependency.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 18:43:33 UTC
Maintainer(s), thank you for your work.

No GLSA needed as there are no stable versions.