
Security: Cross-Site Scripting in ReviewBoard
Name: Cross-Site Scripting in ReviewBoard
ID: FEDORA-2013-11646
Distribution: Fedora
Platforms: Fedora 18
Date: Sun, 7 July 2013, 01:38
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2209
Applications: ReviewBoard

Original message

Name        : ReviewBoard
Product : Fedora 18
Version : 1.7.11
Release : 1.fc18
URL : http://www.review-board.org
Summary : Web-based code review tool
Description :
Review Board is a powerful web-based code review tool that offers
developers an easy way to handle code reviews. It scales well from small
projects to large companies and offers a variety of tools to take much
of the stress and time out of the code review process.

--------------------------------------------------------------------------------
Update Information:

- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.11/
- Bug Fixes:
* Fixed compatibility with Python 2.5
* Fixed the drop-down arrow by Support and the account name on older
versions of Internet Explorer

- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
* Fixed an XSS vulnerability where users could trigger script errors under
certain conditions in auto-complete widgets
- Web API Changes:
* Added an ?order-by=<fieldname> query parameter for comment resources,
allowing ordering by fields such as line numbers (for diff comments)
* Added a filename field to screenshot resources, which provides the base
filename (without path) of the screenshot
* Added a review_url field to screenshot resources, which provides the URL
to the screenshot review page
* Added a thumbnail_url field to screenshot comment resources, which
provides the URL to the snippet of the screenshot being commented on
* Added a link_text field to file attachment comment resources, which shows
the text for any link pointing to the file. This may differ depending on
the comment
* Added a review_url field to file attachment comment resources, which
provides the URL to the review page for the file
* Added a thumbnail_html field to file attachment comment resources, which
provides HTML for rendering the thumbnail of the portion of the file
being rendered, if any
- UI Changes:
* Improved the look and feel of the issue summary table. It’s cleaner and
no longer looks odd with long comment text
- Bug Fixes:
* Fixed periodic but harmless JavaScript errors when removing elements with
relative timestamps
* Editing or reordering dashboard columns no longer breaks after the
dashboard reloads
* Relative timestamps in the dashboard no longer break after the dashboard
reloads
* The maximum size of the timezone has increased, allowing for longer
timezone strings
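The XSS fix listed above (CVE-2013-2209; reference [1] below describes it as a stored XSS through the user's unsanitized full name in the reviews auto-complete dropdown) comes down to escaping profile data before it is concatenated into widget markup. The following is an added illustration, not Review Board's own code: `escapeHtml`, `renderEntryUnsafe`, `renderEntrySafe`, `renderDropdown` and the sample users are all assumed for this example.

```javascript
// Added example (not Review Board code): building auto-complete dropdown
// entries for reviewer names. A user's full name is profile data that any
// account holder controls, so it is untrusted input for the HTML renderer.

// Escape the five characters that matter in HTML text and quoted-attribute
// contexts. This is only correct for those contexts; JavaScript string or
// URL contexts need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the full name is interpolated raw into the dropdown
// HTML, so markup inside the name becomes part of the page (stored XSS).
function renderEntryUnsafe(user) {
  return '<li data-username="' + user.username + '">' +
         user.username + " (" + user.fullname + ")</li>";
}

// Hardened pattern: every user-controlled field is escaped for the context
// it lands in (attribute value and element text).
function renderEntrySafe(user) {
  return '<li data-username="' + escapeHtml(user.username) + '">' +
         escapeHtml(user.username) + " (" + escapeHtml(user.fullname) +
         ")</li>";
}

// Render the dropdown for a search string: case-insensitive prefix match on
// the username or substring match on the full name, like a reviewer picker.
function renderDropdown(users, query, renderEntry) {
  const q = query.toLowerCase();
  const matches = users.filter(u =>
    u.username.toLowerCase().startsWith(q) ||
    u.fullname.toLowerCase().includes(q));
  return "<ul>" + matches.map(renderEntry).join("") + "</ul>";
}

// Constructed sample data (hypothetical accounts): the second profile carries
// an HTML payload in its full name, the kind of value that must stay inert.
const SAMPLE_USERS = [
  { username: "alice", fullname: "Alice Example" },
  { username: "mallory", fullname: 'Mallory <img src=x onerror="alert(1)">' },
];

// Side-by-side output for the payload-bearing profile.
console.log("unsafe:", renderDropdown(SAMPLE_USERS, "mal", renderEntryUnsafe));
console.log("safe:  ", renderDropdown(SAMPLE_USERS, "mal", renderEntrySafe));
```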

--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 27 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.11-1
- New upstream release 1.7.11
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.11/
- Bug Fixes:
* Fixed compatibility with Python 2.5
* Fixed the drop-down arrow by Support and the account name on older
versions of Internet Explorer
* Mon Jun 24 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.10-1
- New upstream release 1.7.10
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
- Security Updates:
* Fixed an XSS vulnerability where users could trigger script errors under
certain conditions in auto-complete widgets
- Web API Changes:
* Added an ?order-by=<fieldname> query parameter for comment resources,
allowing ordering by fields such as line numbers (for diff comments)
* Added a filename field to screenshot resources, which provides the base
filename (without path) of the screenshot
* Added a review_url field to screenshot resources, which provides the URL
to the screenshot review page
* Added a thumbnail_url field to screenshot comment resources, which
provides the URL to the snippet of the screenshot being commented on
* Added a link_text field to file attachment comment resources, which shows
the text for any link pointing to the file. This may differ depending on
the comment
* Added a review_url field to file attachment comment resources, which
provides the URL to the review page for the file
* Added a thumbnail_html field to file attachment comment resources, which
provides HTML for rendering the thumbnail of the portion of the file
being rendered, if any
- UI Changes:
* Improved the look and feel of the issue summary table. It’s cleaner and
no longer looks odd with long comment text
- Bug Fixes:
* Fixed periodic but harmless JavaScript errors when removing elements with
relative timestamps
* Editing or reordering dashboard columns no longer breaks after the
dashboard reloads
* Relative timestamps in the dashboard no longer break after the dashboard
reloads
* The maximum size of the timezone has increased, allowing for longer
timezone strings
* Mon Jun 3 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.9-1
- New upstream release 1.7.9
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.9/
- API Changes:
* Added new blocks and depends_on fields to the Review Request resource
- Bug Fixes:
* Fixed the max_length of the new HostingServiceAccount.hosting_url field
* Fixed the documentation for the cgit configuration for Git
* Fixed the cgit URL for Fedora Hosted
* Mon Jun 3 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.8.1-1
- New upstream release 1.7.8.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8.1/
- Bug Fixes:
* Fixed a regression with saving repositories that don't use hosting
services
- Misc. Changes:
* Compatibility changes for the upcoming PDF review plugin
- New upstream release 1.7.8
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.8/
- New Features:
* Added Depends On and Blocks fields to review requests
* Added an improved support page
* Added the ability to set where Get Support takes users
* Added improved logging for many operations
- Performance Improvements:
* Reduced the upload time for many new diffs
* The templates used for rendering the various pages are now cached after
the first render, speeding up the rendering for any future renders. We've
seen speedups of ~100-120ms for review request pages
- Usability Improvements:
* The review request actions are now larger, making them more visible and
easier to hit, particularly on touch screens
* Clicking Fixed, Drop or Re-open now keeps the page in the same scroll
position
* The dashboard now reloads dynamically, without reloading the entire page
* The comment dialog now tells you when you can't make a comment (due to
being logged out or reviewing something that's part of a draft)
- API Changes
* Fixed deleting pending replies to comments
* Fixed some issues returning certain lists of data
- Extensibility Improvements:
* Extensions can now customize their metadata directly in the Extension
class
* TemplateHooks can now render their own content by overriding
render_to_string()
* NavigationBarHook can now take a url_name parameter specifying the URL
name to link to
* Review UIs can now specify the link and link text for any comments on a
review by overriding get_comment_link_url() and get_comment_link_text()
* Custom hosting services can now be registered/unregistered by extensions
by using register_hosting_service() and unregister_hosting_service()
(from reviewboard.hostingsvcs.service)
* Added the ability to more easily write hosting services support that
works for self-installable services
- Bug Fixes:
* Added missing repository validation for Mercurial repositories
* Fixed replying to comments on file attachments that have since been
removed
* Fixed the display of the upload dialogs when viewing a file attachment
* Comments on file attachments in e-mails now link to the correct review UI
handling the file
* Worked around rare issues where a reset of the Open An Issue default for
a user would cause pages to break
- Misc Changes:
* E-mails now show the user’s full name instead of just their first name
* The New Review Request page now mentions RBTools instead of just
post-review
* Mon Apr 22 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.7.1-1
- New upstream release 1.7.7.1
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.7.1/
- Bug Fixes:
* Fixed a problem with generating config files when creating a new site
installations
- New upstream release 1.7.7
- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.7/
- New Features:
* The configured SSH key can now be deleted
* Added support for working against a GitHub OAuth application
- Performance Improvements:
* Uploading a diff with a parent diff will no longer attempt to process any
files in the parent diff that aren't in the main diff
* Sped up rendering times for the Dashboard, All Review Requests page, and
the user/groups pages
- Web API Improvements:
* Fixed a breakage with updating comments when the issue_status field
wasn't provided
* Improved caching logic to not claim a cached payload is valid when the
client reports a matching Last Modified timestamp but not a matching
ETag
- Bug Fixes:
* Specifying a port in a SSH URL for a repository will now connect on that
port
* Fixed broken links to file attachments when using Local Sites
* Review request e-mails now show the right ID in the subject for Local
Sites
* Fixed Python path issues when spawning processes
* Fixed a rare breakage when saving repositories
* Fixed the cookie path when using site directories
* When installing a site, database hosts now accept a port in the format of
hostname:port
* Fixed visual glitches with some rounded corners in the UI
* Wed Apr 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-4
- Add explicit BuildRequires: python-django14
* Wed Apr 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-3
- Change to explicit requirement on python-django14
- Resolves: rhbz#950411 - Change requires to python-django14
* Thu Mar 21 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-2
- Replace references of id2= with id= for cgit
- Use file blobs rather than plaintext representation with Fedora
Hosted cgit repositories
* Thu Feb 21 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.6-1
- New upstream release 1.7.6
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.6/
- Fedora-specific: removed versioning requirement on paramiko; it's no longer
needed
- Security Updates:
* We now require Django 1.4.5, which fixes a few security vulnerabilities
- New Features:
* Added Perforce ticket-based authentication
* Added a setting for choosing Review Board log levels
- Web API Changes:
* Added API support for querying and manipulating default reviewers
* Repositories deleted through the Web API are now only archived if they
have any associated review requests
- Bug Fixes:
* Fixed fetching files with FedoraHosted
* Fixed some cases where URLs to user pages were incorrect, especially on
subdirectory installs and local sites
* We try harder now to set the PYTHONPATH for subprocesses, which should
fix some issues fetching files over Subversion
* The Administration UI dashboard widgets no longer cache their data too
aggressively
* Fixed showing the error box when entering an invalid reviewer
* Fixed config/ and db/ links for extensions, when in a subdirectory
install
* The Manual Updates page for the media upload directory no longer points
to a non-existent wiki page
* Thu Feb 7 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.5-1
- New upstream release 1.7.5
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.5/
- New Features:
* Added a nicer, human-readable view of diffs in the FileDiff tables in the
administration UI
* The repository name is now included in review request e-mails
- Compatibility Fixes:
* We now require django-pipeline 1.2.24, which restores our compatibility
with Python 2.5 and fixes some errors when loading pages
* Our list of supported timezones should now be consistent across all
installs, since we now require a specific, modern version of pytz
(Packager's note: this is an upstream change only. In Fedora we have
always relied on the system pytz)
- Bug Fixes:
* The entire thumbnail for file attachments is now clickable, making it
easier to download the file or reach the review page
* Users are no longer locked out of their review requests when assigned to
private groups they don’t have access to
* The Hide whitespace changes toggle was broken on many browsers, causing a
JavaScript error
* Searching for a user in the quick search field and then clicking the user
once again navigates to the user’s page
* The review request counts in the dashboard no longer show “None” for new
users when using Local Sites
* Thu Jan 31 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.4-1
- New upstream release 1.7.4
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.4/
- Bug Fixes:
* Fixed a JavaScript error in Internet Explorer and Firefox 3.x involving
the console object being undefined
* Fixed the diff viewer’s changed file listings when using Windows file
paths
* Mon Jan 28 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.3-1
- New upstream release 1.7.3
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.3/
- New Features:
* Add optional support for sending e-mails when closing review requests
- Compatibility Updates:
* The new support for Perforce moved files has changed. RBTools 0.4.3 will
now require Review Board 1.7.3 at a minimum.
* Review Board now works with SVN diffs generated in many non-C locales
- Web API Changes:
* Added a scmtools.perforce.moved_files capability to indicate moved file
support for Perforce
- Bug Fixes:
* SMTP servers saved with additional whitespace will now have that
whitespace stripped, in order to prevent lookup failures.
* Fixed a crash when running a search index
* The listed creation time for a review request now reflects when it was
first published, not when the initial draft was first created
* The "Add Comment" button on file attachment thumbnails is no longer shown
if not logged in
* Fixed a bug allowing for publishing blank review requests after filling
in the field and then deleting them
* Fixed an occasional crash when viewing a diff when displaying a function
or class header on the left-hand side but when there was none on the
right-hand side
* Fixed a breakage on some systems when checking the Mercurial version
* The Summary field no longer overlaps text when wrapping
* Fixed the review ID column when using Local Sites
* Using a custom SITE_ROOT with a development server setup no longer breaks
all static media
* Fixed the capitalization of the "VersionOne" bug tracker entry
* Using ClearCase on Windows 7 should no longer cause console windows to
pop up
* Fixed loading blank comments in the diff viewer
* Thu Jan 17 2013 Stephen Gallagher <sgallagh@redhat.com> - 1.7.2-1
- New upstream release 1.7.2
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.2/
- New Features:
- Added bug tracker support for VersionOne
- Added support for ssl:-prefixed P4PORTs for Perforce 2012.1+
- Added support for moved file handling for Perforce
- Bug Fixes:
- Fixed an HTML escaping issue when listing filenames in the diff viewer
- Fixed the display of the static media instructions in rb-site
- Attempting to install on Python 2.4 will now display a helpful error before
failing, instead of a cryptic error
- Fixed the display of file attachment names in review request change
descriptions that don’t have captions
- Fixed the default file-based cache path used when creating a new site
- The Review Board Activity widget in the administration UI will now clear
the data shown when the datasets are unselected
- Fixed capitalization of the navigation bar entries to be consistent
- Fixed the link to the PyLucene documentation in the General Settings page
- Fixed default Apache configuration files to be explicit in enabling
FollowSymLinks
- Fixed timezone warnings when running the search index command
* Fri Dec 21 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.1-2
- Add missing runtime dependencies
* Wed Dec 19 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.1-1
- New upstream release 1.7.1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7/
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.0.1/
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7.1/
* Thu Dec 13 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-5.rc1
- Update to upstream release candidate 1.7rc1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7-rc-1/
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-4.beta2
- Disable building documentation
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-3.beta2
- Disable JavaScript minification until python-slimit is available
* Wed Oct 3 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-2.beta2
- New upstream release 1.7 beta2
- New Features:
- Introduced a new style for Review Board
- Performance Improvements:
- We’ve updated our dependency on jQuery to the latest version. We’ve been
on an old one for quite a while, and there have been many performance
improvements since. The site’s responsiveness should be a little faster
now.
- Bug Fixes:
- Fixed the paths to certain decorational image files
- File attachment comments are no longer missing from the review box
- Fixed problems with issue tracking statuses in the review box
- Fixed wrapping of the text in the change updates
- Admin UI widgets no longer overlap when loading the page
* Mon Aug 6 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7-1.beta1
- New upstream release 1.7 beta1
- http://www.reviewboard.org/docs/releasenotes/dev/reviewboard/1.7-beta-1/
- Compatibility Changes:
- Added a requirement for Django 1.4
- Dropped Python 2.4 support
- New Features:
- Experimental extension support
- New administration UI
- Issue summary table for review requests
- Moved files in a change are better represented in the diff viewer
- Some file attachments are now shown with more detailed previews
- Added a “To Me” column in the dashboard
- Dates and times are now localized to the user’s region
- The review request update bubble now says if the review request was
closed
- E-mails now include the review request ID in the subject header
- Links in the Description and Testing Done text now open in new windows or
tabs
- Required fields on a review request are now marked as required by showing
an asterisk
- Added a “Show changes” link on the change description boxes after
publishing a diff
- Added support for the latest CVS diff file format
- Removed Features:
- The hidden reports feature (accessible at /reports/) has been removed
- Performance Improvements:
- Reduced download time of JavaScript and CSS
- Reduced diff storage and lookups
- Web API Changes:
- Added server capabilities in /api/info/
- Added resources for viewing the original and patched files for a
FileDiff
- Bug Fixes:
- The “Diff Updated” column in the dashboard now actually reflects the last
diff update
- Captions changes for file attachments are now shown on change description
boxes, just like screenshot caption changes
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #977423 - CVE-2013-2209 ReviewBoard: Stored XSS due to improper
sanitization of user's full name in the reviews dropdown
https://bugzilla.redhat.com/show_bug.cgi?id=977423
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update ReviewBoard' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce