We have a new batch of security updates today.
Django
Django put out new security releases this morning fixing two issues. The first fixes a flaw that allowed malicious URLs to be treated as "safe" when they should not have been. The second hardens the way passwords are stored, so that older accounts gain the stronger hashing the next time the user logs in.
See their announcement for more details.
We maintain security-hardened builds of Django 1.6.x, the version series we use for all currently-supported releases of Review Board. We have put out a 1.6.11.3 release containing these security fixes.
If you're using a modern pip, you can upgrade to this release by running:
pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz
Or:
easy_install -U https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.3.tar.gz
Djblets
We received a security report last night detailing how an attacker could craft a URL to a user's dashboard (or other similar pages) with a column sorting identifier containing JavaScript code. If the user visited that URL and subsequently clicked that column, the code would execute.
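The flaw described above comes down to a sort identifier taken from the URL being rendered back into the page unchecked. As an added illustration (not Djblets' or Review Board's code), the following shows the vulnerable pattern beside a hardened version that validates each sort term against the datagrid's known column ids and HTML-escapes whatever is rendered. It assumes a comma-separated "sort" query parameter with a leading "-" for descending order, and a hypothetical column set.

```python
# Added example, not code from Djblets. Assumes a "sort" query parameter of
# comma-separated column ids, "-" prefix meaning descending (an assumption).
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Hypothetical datagrid: the only column ids allowed in a sort term.
ALLOWED_COLUMNS = {"summary", "submitter", "last_updated", "status"}
_COLUMN_ID = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_sort_link_unsafe(term):
    """The vulnerable pattern: the raw identifier from the URL is
    interpolated straight into the HTML of the column's sort link."""
    return '<a href="?sort=%s">%s</a>' % (term, term)


def parse_sort_param(url):
    """Return [(column, descending), ...] from a dashboard URL.

    Terms that are not a known column id are dropped rather than echoed,
    so a crafted value never reaches the template at all.
    """
    query = parse_qs(urlsplit(url).query)
    raw = query.get("sort", [""])[0]
    result = []
    for term in raw.split(","):
        term = term.strip()
        descending = term.startswith("-")
        column = term[1:] if descending else term
        if _COLUMN_ID.match(column) and column in ALLOWED_COLUMNS:
            result.append((column, descending))
    return result


def render_sort_link(column, descending):
    """Hardened: only validated ids get here, and they are escaped anyway
    (defence in depth, in case the allow-list is ever bypassed)."""
    term = ("-" if descending else "") + column
    return '<a href="?sort=%s">%s</a>' % (escape(term, quote=True),
                                           escape(column))


def render_sort_links(url):
    """Build the sort links for every valid term in the URL (constructed
    input is used in the usage below)."""
    return [render_sort_link(col, desc) for col, desc in parse_sort_param(url)]


if __name__ == "__main__":
    # Constructed sample URL: one valid term, one tag-bearing junk term.
    print(render_sort_links("https://rb.example/dashboard/?sort=-last_updated,<b>x</b>"))
```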
We immediately fixed this and prepared new releases of Djblets. Install the one that matches your version of Review Board:
- Review Board 1.7.x: Djblets 0.7.33
- Review Board 2.0.x: Djblets 0.8.25
- Review Board 2.5.x: Djblets 0.9.2
If you're running a modern version of pip, you can upgrade Djblets by running:
pip install Djblets==<version>
Or you can upgrade with:
easy_install Djblets==<version>
You can also verify the signatures of the builds against our PGP key, to confirm authenticity.
Thanks to Jose Carlos Exposito Bueno (0xlabs) for reporting this!