We have two new releases for you today, both fixing a couple of undisclosed security bugs, along with providing other bug fixes and feature enhancements.
Security fixes
We discovered an information leak in one of our APIs, allowing a request to be crafted that would reveal some details of review requests otherwise intended to be private. This affects you if you use invite-only review groups or private repositories for access control.
We were also informed of a XSS vulnerability allowing a particular URL to be crafted that would execute JavaScript on your user's behalf.
Both of these issues have been fixed, and additional unit tests have been added to ensure these never regress. We recommend that everyone upgrade to this release at their earliest convenience.
If you locate a security problem in Review Board, please contact security@beanbaginc.com, or file a bug and choosing "Security issue".
New Markdown table support
Review Board 2.5.14 introduces support for GitHub-Flavored Markdown tables. You can now provide tabular data in review request descriptions or in comments.
Commit IDs are now searchable
If you're running Review Board 2.5.14 and have search enabled, you'll now be able to search for review requests based on their commit ID, which is useful if you're using Git or Bitbucket.
This will require a full re-index after upgrade.
And a handful of other fixes in 2.5.14
- Keyboard navigation in the diff viewer should no longer get stuck or fail to navigate to file headers.
- A regression in extension building/packaging when using LessCSS and UglifyJS has been fixed.
- Failure to load files from a repository when viewing diffs no longer results in huge entries in the log files.
- Sending test e-mails should now properly report any errors that come up when communicating with the mail server.
- The styling for buttons on Firefox should now be more consistent.
See the 2.0.30 and 2.5.14 release notes for more information on the release, along with upgrade instructions.