Django released a new set of security releases today, designed to fix a vulnerability in the cookie parsing code when combined with usage of Google Analytics that could allow an attacker to bypass CSRF protection. (See their announcement for more details.)
We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We have put out a Django 1.6.11.4 release containing these security fixes.
To upgrade to this release, run:
$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.4.tar.gz
Or:
$ easy_install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.4.tar.gz
This particular vulnerability is unlikely to affect most of our users (at least as documented in Django's release notes), but we still recommend upgrading, to be safe.
You can always keep up on the latest Review Board security announcements by subscribing to Official Announcements mailing list.