Earlier today, Django put out a new set of security releases that address two issues: one when running unit tests against Oracle databases, and one when a Django-based application runs with DEBUG = True and ALLOWED_HOSTS = [] in its settings file.
Review Board should not be impacted by the Oracle issue (which would not occur in production), and we don't recommend running with DEBUG = True (plus, new sites created with Review Board 2.0+ will have a safe default for ALLOWED_HOSTS, keeping you safe). Still, we recommend that you always update to the latest Django 1.6.11.x security release.
We maintain security-hardened builds of Django 1.6.x, the version series we use for Review Board 2.0 through 2.5. We've put out a new Django 1.6.11.5 release that contains these two fixes.
To upgrade to this release, run:
$ pip install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.5.tar.gz
Or:
$ easy_install -U https://downloads.reviewboard.org/releases/Django/1.6/Django-1.6.11.5.tar.gz
We then recommend that you visit your Administration -> Security Checklist page to ensure that your ALLOWED_HOSTS and other security settings are correct.
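To make the DEBUG / ALLOWED_HOSTS point concrete, here is an added example (not Review Board's or Django's code) that mirrors Django's ALLOWED_HOSTS matching rules, shows which Host values a request is accepted with before and after the fix, and runs a small settings audit in the spirit of the Security Checklist. The pre-fix "DEBUG accepts any host" rule and the post-fix loopback fallback list are my understanding of the change, not taken from this post.

```python
# Added example, not Review Board's or Django's code. The fallback list below
# (used when DEBUG=True and ALLOWED_HOSTS is empty) and the pre-fix "accept any
# host under DEBUG" rule are assumptions about Django's behaviour around this fix.
from __future__ import annotations

LOOPBACK_FALLBACK = ["localhost", "127.0.0.1", "[::1]"]


def host_matches(host: str, pattern: str) -> bool:
    """Django-style ALLOWED_HOSTS matching: '*' matches anything,
    '.example.com' matches example.com and any subdomain, else exact match."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def strip_port(host: str) -> str:
    """Drop an explicit port; IPv6 literals keep their brackets ("[::1]:8000")."""
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":")[0]


def effective_allowed_hosts(debug: bool, allowed_hosts: list[str], fixed: bool = True) -> list[str]:
    """Patterns the Host header is checked against for a given configuration."""
    if debug and not fixed:          # pre-fix: DEBUG=True skipped validation entirely
        return ["*"]
    if debug and not allowed_hosts:  # post-fix: empty list under DEBUG means loopback only
        return LOOPBACK_FALLBACK
    return list(allowed_hosts)


def is_allowed_host(host: str, debug: bool, allowed_hosts: list[str], fixed: bool = True) -> bool:
    """Would a request carrying this Host header be served under these settings?"""
    bare = strip_port(host)
    return any(host_matches(bare, p) for p in effective_allowed_hosts(debug, allowed_hosts, fixed))


def audit_settings(debug: bool, allowed_hosts: list[str]) -> list[str]:
    """Findings a Security Checklist-style review of a settings file would raise."""
    findings = []
    if debug:
        findings.append("DEBUG is True: do not run a production site this way")
    if not allowed_hosts:
        findings.append("ALLOWED_HOSTS is empty: list the hostnames this site serves")
    if "*" in allowed_hosts:
        findings.append("ALLOWED_HOSTS contains '*': the Host header is not validated")
    return findings
```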
You can always keep up on the latest Review Board security announcements by subscribing to our Official Announcements mailing list.