Fedora 18 : ReviewBoard-1.7.12-1.fc18 / python-djblets-0.7.16-1.fc18 (2013-13911)

high Nessus Plugin ID 69249

Synopsis

The remote Fedora host is missing one or more security updates.

Description

As with all ReviewBoard updates, you will need to run 'rb-site upgrade /path/to/site' for all installed sites after applying this update.

== Action Required ==

The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to existing installations.
See http://support.beanbaginc.com/support/solutions/articles/110173-securing-file-attachments for details.

== Description ==

- New upstream release 1.7.12

- http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/

- Security Fixes :

- Function names in diff headers are no longer rendered as HTML.

- If a user's full name contained HTML, the Submitters list would render it as HTML, without escaping it. This was an XSS vulnerability.

- The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to existing installations. See http://support.beanbaginc.com/support/solutions/articles/110173-securing-file-attachments for details.

- Uploaded files are now renamed to include a hash, preventing users from uploading malicious filenames, and making filenames unguessable.

- Recaptcha support has been updated to use the new URLs provided by Google.

- New Features :

- Added a X-ReviewRequest-Repository header for e-mails.

- Extension Improvements :

- Extensions can now specify their list of app directories.

- Extensions can now specify the author's URL.

- Improved the look and feel for extension configuration.

- Improved the functionality for extension configuration.

- Improved the list of available extensions.

- Bug Fixes :

- Fixed the 'Show Whitespace Changes' toggle.

- Fixed compatibility with modern versions of django-storages.

- Draft comments on file attachments are no longer shown to all users.

- Fixed issues with console windows appearing when invoking Clear Case requests on Python 2.7.x and Windows 7.

- Review requests on Local Sites are now guaranteed to have the proper ID.

- Fixed starring review requests on Local Sites.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
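The two security fixes in the description (the unescaped full name in the Submitters list, and uploaded files being renamed to a hashed, unguessable name) are both instances of refusing to let user-controlled strings reach markup or the filesystem untouched. The following is an added illustration, not ReviewBoard's or Djblets' own code; the function names, the sample name and the exact renaming scheme are assumptions made here for the example.

```python
# Added example (not ReviewBoard's own code): two defensive patterns matching the
# fixes described in the advisory above. Function names and inputs are constructed.
import hashlib
import html
import os
import re

# Constructed sample: a user whose "full name" carries markup, as the advisory describes.
SAMPLE_FULL_NAME = '<script>alert(1)</script> Alice'


def render_submitter_unsafe(full_name: str) -> str:
    """The pre-fix behaviour: the name is interpolated straight into HTML."""
    return f'<li class="submitter">{full_name}</li>'


def render_submitter_safe(full_name: str) -> str:
    """Escape before interpolation so '<', '>', '&' and quotes can never open a tag
    or break out of an attribute; the browser shows the literal characters instead."""
    return f'<li class="submitter">{html.escape(full_name, quote=True)}</li>'


# Only a short alphanumeric extension survives from the original filename.
_SAFE_EXT = re.compile(r'^[A-Za-z0-9]{1,10}$')


def safe_upload_name(original_name: str, data: bytes, salt: bytes) -> str:
    """Return a storage name that contains nothing caller-controlled except a
    whitelisted extension.

    The body of the name is a hex digest of salt + file content, so it carries no
    path separators or markup and cannot be derived from the original filename
    alone. (ReviewBoard's real scheme is not on the page; this is a hypothetical
    implementation of the idea described in the advisory.)
    """
    # Strip any directory component, treating backslashes as separators too,
    # since os.path.basename on POSIX would leave them in place.
    leaf = original_name.replace('\\', '/').rsplit('/', 1)[-1]
    _, ext = os.path.splitext(leaf)
    ext = ext.lstrip('.').lower()
    if not _SAFE_EXT.match(ext):
        ext = 'bin'  # unknown or suspicious extension: fall back to a neutral one
    digest = hashlib.sha256(salt + data).hexdigest()
    return f'{digest}.{ext}'
```

The salt stands in for whatever per-site secret a real deployment would mix in; without it, anyone who knows the file content could compute the stored name. The extension whitelist, rather than the digest, is what stops names such as `report.jpg;` or `page.php.png` from reaching the web server's content-type logic unchanged.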

Solution

Update the affected ReviewBoard and / or python-djblets packages.

See Also

http://www.nessus.org/u?b2c5459f

https://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.12/

http://www.nessus.org/u?a77c05ea

http://www.nessus.org/u?a283226f

Plugin Details

Severity: High

ID: 69249

File Name: fedora_2013-13911.nasl

Version: 1.6

Type: local

Agent: unix

Published: 8/8/2013

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:reviewboard, p-cpe:/a:fedoraproject:fedora:python-djblets, cpe:/o:fedoraproject:fedora:18

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 7/30/2013

Reference Information

FEDORA: 2013-13911