Review Board 1.7.23 is out. It’s a fairly typical bug fix release, with one addition that helps to address Heartbleed.
Heartbleed is the name for a widespread SSL security vulnerability found in OpenSSL and announced to the world on April 7th. In some cases, it can allow attackers to access private data in memory. It’s not specific to Review Board (and, in fact, the vulnerability lies outside of Review Board). Most Linux distributions are now providing patched OpenSSL packages, and the general recommendation is to re-issue your SSL certificates.
GitHub is recommending that users change their passwords and reset their authorization tokens. Review Board uses these tokens to communicate with your repositories on GitHub.
In 1.7.23, we’re providing a new management command for resetting your associated GitHub authorization tokens. You’ll need to know the password (and two-factor auth token, if enabled) for each linked account that you want to update.
To reset your tokens, install 1.7.23 and run:
$ rb-site manage /path/to/site reset-github-tokens
If you’re running an installation accessible over the Internet, you may want to have your users reset their passwords as well, to be safe.
Along with this, we have some authorization fixes for GitLab, and a few small bug fixes.
See the release notes for more information.