Today, Django released new security patches for 1.7.x, 1.8.x, and 1.9. These fix a possible settings leak in the date template filter, which enables a user to steal settings such as a database password if they are able to construct their own date format string.
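A simplified model of the pattern behind this class of bug, as an added example that is not Django's or Review Board's code: a format-string resolver that looks up any name on the settings object hands back whatever setting the caller names, while an allow-list of legitimate format setting names confines the lookup. The settings values and the allow-list contents here are assumed placeholders.

```python
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings; every value is a placeholder.
settings = SimpleNamespace(
    DATE_FORMAT="N j, Y",
    SECRET_KEY="placeholder-secret-key",
    DATABASES={"default": {"PASSWORD": "placeholder-db-password"}},
)

# Names a date/time formatter legitimately resolves through settings
# (assumed allow-list for this example; Django maintains its own list).
FORMAT_SETTINGS = frozenset([
    "DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT",
    "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
])


def resolve_format_unrestricted(fmt):
    """Vulnerable pattern: any settings attribute name is looked up, so a
    caller-controlled format string doubles as a probe of the settings object."""
    return getattr(settings, fmt, fmt)


def resolve_format_allowlisted(fmt):
    """Hardened pattern: only known format-setting names are resolved;
    anything else is treated as a literal format string."""
    if fmt not in FORMAT_SETTINGS:
        return fmt
    return getattr(settings, fmt, fmt)


def leaks_setting(resolver, fmt):
    """True if the resolver returns a setting value instead of the literal name."""
    return resolver(fmt) != fmt
```

The allow-listed resolver still serves the named formats the filter needs, but a name such as SECRET_KEY comes back unchanged and is rendered as an ordinary format string.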
We've put out a corresponding 1.6.11.2 release, which backports this fix to the version of Django used by Review Board 1.7.x through 2.5.x. While this vulnerability does not affect Review Board, we nevertheless suggest that you upgrade.
The latest security releases can always be downloaded here. We announce new releases on our Official Announcements mailing list and on our community support forum.
To upgrade to Django 1.6.11.2, you can run:
$ sudo easy_install \
-f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
Django==1.6.11.2
or, using pip:
$ sudo pip install \
-f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
Django==1.6.11.2
Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in Review Board. We are working on a solution for this. However, for now, it will be up to you to handle this.
For information on what's in this security release, see Django's announcement.
Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also reached end of life. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.