We have two new Review Board releases for you tonight. Both fix a couple security vulnerabilities that came to our attention, as well as several other bugs. There are also a few new feature additions.
One of the security vulnerabilities allowed an attacker to construct a URL that would inject custom JavaScript into the page, which could then be passed to a user, allowing the custom code to run in their session.
The other vulnerability allowed users without access to a private review request to construct a URL for accessing original or patched files from the repository, if they knew the right series of database IDs.
Feature-wise, 1.7.27 gained a few of the recent additions to review UIs, support pages, and API that were introduced in 2.0.3.
2.0.4 gained support for uploading parent diffs in the New Review Request page.
If you're upgrading to 1.7.27, you'll need to run:
sudo easy_install ReviewBoard==1.7.27
For the full list of changes, see the 1.7.27 and 2.0.4 release notes.