Vulnerabilities from 1.7.7-r1 to 1.7.15 Review Board - 1.7.10 Fixed an XSS vulnerability where users could trigger script errors under certain conditions in auto-complete widgets. --- Review Board - 1.7.12 Function names in diff headers are no longer rendered as HTML. Patch by Damian Johnson. (Bug #2612) If a user’s full name contained HTML, the Submitters list would render it as HTML, without escaping it. This was an XSS vulnerability. (CVE-2013-4795) The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to older installations. To update your configuration, and to read best practices, read our guide on securing file attachments. Uploaded files are now renamed to include a hash, preventing users from uploading malicious filenames, and making filenames unguessable. Recaptcha support has been updated to use the new URLs provided by Google. This re-enables Recaptcha support when serving over HTTPS. --- Review Board - 1.7.13 We now require Django 1.4.6, which is their latest security release. It fixes a couple of issues that we are not impacted by, but are worth having for any third-party modules, applications or extensions. We have updated the recommended Apache configuration for file attachment protection. We will be unveiling a better security method in coming releases, but for now, if you’re serving file attachments from Apache, be sure to update your configuration based on our recommendations. --- Review Board - 1.7.14 We now require Django 1.4.8, which is their latest security release. It fixes a major denial-of-service attack vector against the authentication support. We strongly encourage everybody running Review Board 1.7.x to update to this release, particularly if you’re running a site exposed to the Internet. Some API resources were accessible even if their parent resources were not, due to a missing check. In most cases, this was harmless, but it can affect those using access control on groups or review requests. --- Review Board - 1.7.15 Vulnerabilities: Some API resources returned information on private review requests the caller did not have access to (by way of an invite-only group, private repository, or Local Site), if the appropriate database IDs were known or discovered. (CVE-2013-4410) Summaries for private review requests were displayed on the All Review Requests page, on the review request list on a user’s page, and through a specially crafted dashboard URL. (CVE-2013-4411) Extensions making use of JSONField are now more protected from possible remote code exploits, if they’re not already being careful of input. This was reported and fixed by Frederik Braun from Mozilla. (CVE-2013-4409)
CVE-2013-4795 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4795): Cross-site scripting (XSS) vulnerability in the Submitters list in Review Board 1.6.x before 1.6.18 and 1.7.x before 1.7.12 allows remote attackers to inject arbitrary web script or HTML via a user full name.
Please upgrade in bug 522472 to Version 1.7.27 or above, setting dependency.
Maintainer(s), Thank you for your work. No GLSA needed as there are no stable versions.
