Bug 518302 (CVE-2013-4410) - <dev-util/reviewboard-1.7.28: Multiple Vulnerabilities (CVE-2013-{4409,4410,4411,4795})
Alias: CVE-2013-4410
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Reported: 2014-07-27 02:57 UTC by Yury German
Modified: 2014-10-05 18:49 UTC
Description Yury German Gentoo Infrastructure gentoo-dev 2014-07-27 02:57:30 UTC
Vulnerabilities from 1.7.7-r1 to 1.7.15

Review Board - 1.7.10
Fixed an XSS vulnerability where users could trigger script errors under certain conditions in auto-complete widgets.


Review Board - 1.7.12
Function names in diff headers are no longer rendered as HTML. Patch by Damian Johnson. (Bug #2612)

If a user’s full name contained HTML, the Submitters list would render it as HTML, without escaping it. This was an XSS vulnerability. (CVE-2013-4795)

The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to older installations. To update your configuration, and to read best practices, read our guide on securing file attachments.

Uploaded files are now renamed to include a hash, preventing users from uploading malicious filenames, and making filenames unguessable.

Recaptcha support has been updated to use the new URLs provided by Google. This re-enables Recaptcha support when serving over HTTPS.


Review Board - 1.7.13
We now require Django 1.4.6, which is their latest security release. It fixes a couple of issues that we are not impacted by, but are worth having for any third-party modules, applications or extensions.

We have updated the recommended Apache configuration for file attachment protection. We will be unveiling a better security method in coming releases, but for now, if you’re serving file attachments from Apache, be sure to update your configuration based on our recommendations.


Review Board - 1.7.14
We now require Django 1.4.8, which is their latest security release. It fixes a major denial-of-service attack vector against the authentication support. We strongly encourage everybody running Review Board 1.7.x to update to this release, particularly if you’re running a site exposed to the Internet.

Some API resources were accessible even if their parent resources were not, due to a missing check. In most cases, this was harmless, but it can affect those using access control on groups or review requests.


Review Board - 1.7.15
Some API resources returned information on private review requests the caller did not have access to (by way of an invite-only group, private repository, or Local Site), if the appropriate database IDs were known or discovered. (CVE-2013-4410)

Summaries for private review requests were displayed on the All Review Requests page, on the review request list on a user’s page, and through a specially crafted dashboard URL. (CVE-2013-4411)

Extensions making use of JSONField are now more protected from possible remote code exploits, if they’re not already being careful of input. This was reported and fixed by Frederik Braun from Mozilla. (CVE-2013-4409)
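The missing parent check described for 1.7.14 and the private-request disclosure fixed in 1.7.15 (CVE-2013-4410, CVE-2013-4411), as an added illustration that is not Review Board's code: a constructed toy model in which a child API resource is fetched by database ID first without and then with its parent's access check, and a listing page filtered by the same predicate. All class names, field names and sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy model (not Review Board's code) of the rule in the release
# notes: a request is private via invite-only group, private repo or Local Site.
@dataclass(frozen=True)
class User:
    groups: frozenset = frozenset()
    repos: frozenset = frozenset()
    sites: frozenset = frozenset()

@dataclass(frozen=True)
class ReviewRequest:
    id: int
    summary: str
    invite_only_group: Optional[str] = None
    private_repo: Optional[str] = None
    local_site: Optional[str] = None

@dataclass(frozen=True)
class Diff:  # a child API resource of a review request
    id: int
    review_request_id: int
    body: str

# Constructed sample data: request 7 is public, request 8 is invite-only.
REQUESTS = {7: ReviewRequest(7, "Fix typo in README"),
            8: ReviewRequest(8, "Rotate prod credentials", invite_only_group="ops")}
DIFFS = {1: Diff(1, 7, "-teh\n+the"), 2: Diff(2, 8, "-SECRET=old\n+SECRET=new")}

def is_accessible(user: User, rr: ReviewRequest) -> bool:
    """Every restriction on the review request must be satisfied by the caller."""
    return ((rr.invite_only_group is None or rr.invite_only_group in user.groups)
            and (rr.private_repo is None or rr.private_repo in user.repos)
            and (rr.local_site is None or rr.local_site in user.sites))

def get_diff_vulnerable(user: User, diff_id: int) -> Optional[Diff]:
    """Pre-fix pattern: child fetched by ID, the parent's privacy never consulted."""
    return DIFFS.get(diff_id)

def get_diff_fixed(user: User, diff_id: int) -> Optional[Diff]:
    """Fixed pattern: resolve the parent and apply its access check first."""
    diff = DIFFS.get(diff_id)
    if diff is None or not is_accessible(user, REQUESTS[diff.review_request_id]):
        return None  # indistinguishable from "no such ID": no probing oracle
    return diff

def list_summaries(user: User) -> list:
    """Listing pages must filter with the same predicate (the 1.7.15 fix)."""
    return [rr.summary for rr in REQUESTS.values() if is_accessible(user, rr)]
```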
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-08-19 23:21:21 UTC
CVE-2013-4795 (
  Cross-site scripting (XSS) vulnerability in the Submitters list in Review
  Board 1.6.x before 1.6.18 and 1.7.x before 1.7.12 allows remote attackers to
  inject arbitrary web script or HTML via a user full name.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-09-10 03:24:32 UTC
Please upgrade in bug 522472 to Version 1.7.27 or above, setting dependency.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 18:44:44 UTC
Maintainer(s), thank you for your work.

No GLSA needed as there are no stable versions.