Review Board 1.7.27 fixes two vulnerabilities: We strongly recommend that everyone upgrade to this release. Fixed a vulnerability where a URL to a diff fragment could be crafted that would inject custom HTML into the page. An attacker could send such a URL to another user and execute code in their browser session. This was reported by Uchida. A CVE number is pending. The Original File and Patched File resources could be used to access files on a private review request that the user did not have access to, if they knew the appropriate database IDs. A CVE number is pending.
Making this the blocker for other security bugs for reviewboard. Please bump to version Review Board 1.7.27 or above. Maintainers, please advise when the ebuild is ready. No stabilization is needed as there are no stable versions.
*reviewboard-1.7.28 (21 Sep 2014) 21 Sep 2014; Ian Delaney <idella4@gentoo.org> +files/1.7.28-docs.patch, +reviewboard-1.7.28.ebuild, -files/docs.patch, -reviewboard-1.7.7.1-r1.ebuild, -reviewboard-1.7.7.1.ebuild: bump; ebuild based on graaf's version from his overlay with additions to the doc builds, thx graaf. Remove old ebuilds and patch, see Bug 522472
Maintainer(s), thank you for your work. No GLSA needed as there are no stable versions. Leaving open. Emailed maintainer to see if he actually got CVEs issued for his request.