Fedora 18 : ReviewBoard-1.7.12-1.fc18 / python-djblets-0.7.16-1.fc18 (2013-13911)
High Nessus Plugin ID 69249
SynopsisThe remote Fedora host is missing one or more security updates.
DescriptionAs with all ReviewBoard updates, you will need to run 'rb-site upgrade /path/to/site' for all installed sites after applying this update.
== Action Required ==
The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to existing installations.
See http://support.beanbaginc.com/support/solutions/articles/110173-securi ng-file-attachments for details.
== Description ==
- New upstream release 1.7.12
- http://www.reviewboard.org/docs/releasenotes/reviewboa rd/1.7.12/
- Security Fixes :
- Function names in diff headers are no longer rendered as HTML.
- If a user's full name contained HTML, the Submitters list would render it as HTML, without escaping it.
This was an XSS vulnerability.
- The default Apache configuration is now more strict with how it serves up file attachments. This does not apply to existing installations. See http://support.beanbaginc.com/support/solutions/articl es/110173-securing-file-attachments for details.
- Uploaded files are now renamed to include a hash, preventing users from uploading malicious filenames, and making filenames unguessable.
- Recaptcha support has been updated to use the new URLs provided by Google.
- New Features :
- Added a X-ReviewRequest-Repository header for e-mails.
- Extension Improvements :
- Extensions can now specify their list of app directories.
- Extensions can now specify the author's URL.
- Improved the look and feel for extension configuration.
- Improved the functionality for extension configuration.
- Improved the list of available extensions.
- Bug Fixes :
- Fixed the 'Show Whitespace Changes' toggle.
- Fixed compatibility with modern versions of django-storages.
- Draft comments on file attachments are no longer shown to all users.
- Fixed issues with console windows appearing when invoking Clear Case requests on Python 2.7.x and Windows 7.
- Review requests on Local Sites are now guaranteed to have the proper ID.
- Fixed starring review requests on Local Sites.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpdate the affected ReviewBoard and / or python-djblets packages.