We have two new releases for you today, focusing on a security fix, bug fixes, and compatibility improvements.
Security Fix
An XSS vulnerability in the review request page was reported and patched today. It allowed an attacker to craft a URL that, when opened by a logged-in user, would execute attacker-supplied JavaScript in that user's browser session.
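To make the failure mode concrete, here is an added example (written for this post, not Review Board's own code, and not the actual bug): a hypothetical page that reflects a query-string parameter into HTML without escaping, next to the hardened version that escapes it. The URL, the `filter` parameter and the page skeleton are all constructed for illustration.

```python
"""Reflected XSS via a crafted URL: vulnerable rendering beside the fix.

Everything here is a constructed illustration; the view, parameter name and
page layout are hypothetical and not taken from Review Board.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# The untrusted value lands in two HTML contexts: a text node and an attribute.
PAGE = (
    "<html><body><h1>Review Request</h1>"
    "<p>Filter: {value}</p>"
    '<a href="?filter={value}">apply again</a>'
    "</body></html>"
)


def _filter_param(url: str) -> str:
    """Pull the ``filter`` query parameter out of a URL, percent-decoded
    (parse_qs decodes %XX sequences, exactly as a web framework would)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("filter", [""])[0]


def vulnerable_render(url: str) -> str:
    """The bug: interpolate attacker-controlled URL data straight into HTML."""
    return PAGE.format(value=_filter_param(url))


def fixed_render(url: str) -> str:
    """The fix: HTML-escape the value first.  quote=True also escapes the
    quote characters, so the attribute context is covered as well.  Django's
    template autoescaping applies the same escaping of & < > " and '."""
    return PAGE.format(value=escape(_filter_param(url), quote=True))


# Constructed attacker URLs, percent-encoded the way a browser would send them.
# 1) breaks out of the text node with a <script> element
SCRIPT_URL = (
    "https://reviews.example/r/42/"
    "?filter=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)
# 2) closes the href attribute and adds an event-handler attribute
ATTR_URL = (
    "https://reviews.example/r/42/"
    "?filter=%22%20onmouseover%3D%22alert(1)"
)


def script_tag_present(rendered: str) -> bool:
    """True if a raw <script> element survived into the output."""
    return "<script>" in rendered.lower()


def attribute_injected(rendered: str) -> bool:
    """True if the payload managed to become a real onmouseover attribute."""
    return 'onmouseover="alert(1)"' in rendered


if __name__ == "__main__":
    for url in (SCRIPT_URL, ATTR_URL):
        print("vulnerable:", vulnerable_render(url))
        print("fixed:     ", fixed_render(url))
```

The point worth remembering from the fixed version is that escaping has to match the output context: the text-node payload is neutralised by escaping `<` and `>`, but the attribute payload only becomes harmless because `"` is escaped too, which is why `quote=True` (or a templating engine's autoescape) is used rather than a hand-rolled replace of angle brackets.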
This was a publicly-disclosed vulnerability, so we have released fixes right away rather than waiting: no CVE number has been assigned yet, and non-Python packages are not yet available.
This affects Review Board 1.7.x, 2.0.x, 2.5.x, and 3.0 beta 1. We no longer support Review Board 1.7.x, and 3.0 beta 1 is not intended for production use, so security releases are available only for 2.0.x and 2.5.x at this time. If you are still running 1.7.x, upgrade to 2.0.28 or 2.5.10 to get the fix.
To report a security vulnerability, please file a security bug on our bug tracker. If you have a security patch to contribute, post it on https://reviews.reviewboard.org with only the "security" review group as the reviewer.
Compatibility Improvements
We've made some improvements to our Bazaar, Bitbucket, Mercurial, and Subversion support, improving compatibility across the board.
Our Bazaar support has been rewritten to avoid licensing and Python versioning issues. Our Mercurial support was susceptible to the same Python versioning issues and has been fixed as well.
Subversion diffs generated by IDEs such as WebStorm can now be parsed.
The Bitbucket support now uses their 2.0 API, which resolves many of the intermittent bugs and poor error reporting people have run into in the past. This rewrite is available only in Review Board 2.5.10.
Better Move Detection
We've made a large number of improvements to move detection, helping to resolve issues with lots of overlapping or colliding moved ranges.
More updates for move detection, along with fixes for interdiffs and performance improvements for diff parsing and viewing, should be coming in the next 2.5.x release.
And More
See the full release notes for all the changes in these releases, along with upgrade instructions for 2.0.28: