Today's releases fix an important security vulnerability we've found in-house, and improve stability overall in Review Board 6.
API Security Fix
We discovered a security issue with two of our APIs while performing an in-house performance audit of our code. This allows a user with legitimate access to a Review Board server to craft a specific API request that returns diff content they wouldn't normally have permission to access (draft diffs or published diffs associated with a private repository or invite-only review group).
Users cannot exploit this bug without legitimate access to the Review Board server (or the Local Site server partition, if used).
We aren't aware of this vulnerability being used in the wild. It requires making use of an optional header when accessing these APIs, plus knowledge of internal database APIs for published diffs.
As part of fixing this security issue, we've done the following:
- We sent patches (and custom builds as needed) to our customers with Premium Support contracts.
- We audited the remainder of our APIs. This type of issue was not found anywhere else.
- We improved our testing infrastructure so that this type of issue would be found automatically going forward.
We recommend that everyone upgrade to the appropriate release of Review Board.
Review Board 6 Stability
We've addressed a few regressions introduced in Review Board 6.0:
- Manually uploading diffs (either to new or existing review requests) should now work on all types of repositories.
- Batch publishing will now work when using Local Site server partitions.
- Empty reviews will no longer be posted if creating a review, leaving comments, and then deleting the comments.
- Switching between search engine backends no longer requires restarting the web server.
- Logging in from the Log Out page now takes you to the dashboard, instead of logging you back out.
- Some minor UI issues in the Administration UI have been fixed.
Upgrading
If you're using our official releases, follow the upgrade instructions in the release notes below:
If you're using releases provided by your Linux distribution or a third party, you will need to inquire with them about your upgrade options and support.
If you need assistance with your server, we can help under a support contract. This entitles you to on-going support for your server, custom builds, backported fixes, pre-release security patches, and solutions tailored for your company's needs.