Security Releases: Review Board 6.0.2, 5.0.7, 4.0.13, 3.0.26


Christian Hammond

Jan 16, 2024, 2:31:17 PM
to revie...@googlegroups.com
Hi everyone,

Today's releases address a security bug discovered in-house in one of our APIs, and fix stability issues in Review Board 6.

See the release announcement for full details in this release, and links to the release notes. We'll go over the security issue here.


API Security Fix

We discovered a security issue with two of our APIs while performing an in-house performance audit of our code. This allows a user with legitimate access to a Review Board server to craft a specific API request that returns diff content they wouldn't normally have permission to access (draft diffs or published diffs associated with a private repository or invite-only review group).

Users cannot exploit this bug without legitimate access to the Review Board server (or the Local Site server partition, if used).

We aren't aware of this vulnerability being used in the wild. It requires making use of an optional header when accessing these APIs, plus knowledge of internal database APIs for published diffs.

As part of fixing this security issue, we've done the following:

1. We sent patches (and custom builds as needed) to our customers with Premium Support contracts.
2. We audited the remainder of our APIs. This type of issue was not found anywhere else.
3. We improved our testing infrastructure so that this type of issue would be found automatically going forward.

We recommend that everyone upgrade to the appropriate release of Review Board.


Thanks to our Review Board Support customers who have tested the patches for these releases.

Christian

--
Christian Hammond
President/CEO of Beanbag
Makers of Review Board
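The announcement above describes an authorization gap where an optional request header let an authenticated user retrieve diff content (drafts, or diffs on private repositories or invite-only groups) that the normal access rules would deny, and says the fix was accompanied by automated testing that catches this class of bug. The following is an added illustration written for this page; it is not Review Board code and does not reflect its real API, header names or data model. It models one diff-visibility policy applied uniformly, a hypothetical handler whose alternate lookup path (selected by a made-up header, `X-Alt-Lookup`) skips that policy, the hardened handler, and an audit routine that drives every user/diff/header combination through a handler and reports where its decision disagrees with the policy. All users, repositories, groups and diffs are constructed sample data.

```python
"""Added example (not Review Board code): one diff-visibility policy, a
handler that bypasses it on an alternate header-selected path, the fixed
handler, and an audit that exercises every path against the policy."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str] = frozenset()
    is_admin: bool = False


@dataclass(frozen=True)
class Repository:
    name: str
    public: bool = True
    allowed_users: FrozenSet[str] = frozenset()
    allowed_groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ReviewGroup:
    name: str
    invite_only: bool = False
    members: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Diff:
    diff_id: int
    repository: Repository
    content: str
    is_draft: bool = False
    owner: str = ""
    target_groups: FrozenSet[str] = frozenset()  # names of ReviewGroups


def can_view_diff(user: User, diff: Diff, groups: Dict[str, ReviewGroup]) -> bool:
    """Single policy (simplified model): drafts are owner-only, private
    repositories need an explicit user/group grant, and a diff targeted only
    at invite-only groups is visible to members of one of them."""
    if user.is_admin:
        return True
    if diff.is_draft and diff.owner != user.name:
        return False
    repo = diff.repository
    if (not repo.public and user.name not in repo.allowed_users
            and not (user.groups & repo.allowed_groups)):
        return False
    if diff.target_groups and not any(
            not groups[g].invite_only or user.name in groups[g].members
            for g in diff.target_groups):
        return False
    return True


ALT_LOOKUP_HEADER = "X-Alt-Lookup"  # hypothetical header; not a real Review Board header
Handler = Callable[[User, int, Dict[str, str], Dict[int, Diff], Dict[str, ReviewGroup]],
                   Tuple[int, Optional[str]]]


def diff_resource_buggy(user, diff_id, headers, diffs, groups):
    """Weak form: the header selects a second lookup path that returns the
    row without ever consulting the policy."""
    diff = diffs.get(diff_id)
    if diff is None:
        return 404, None
    if ALT_LOOKUP_HEADER in headers:
        return 200, diff.content  # authorization skipped on this path
    if not can_view_diff(user, diff, groups):
        return 403, None
    return 200, diff.content


def diff_resource_fixed(user, diff_id, headers, diffs, groups):
    """Hardened form: authorization runs after the lookup on every path, so
    no request option can route around it."""
    diff = diffs.get(diff_id)
    if diff is None:
        return 404, None
    if not can_view_diff(user, diff, groups):
        return 403, None
    return 200, diff.content


def audit_handler(handler: Handler, users, diffs, groups, header_variants) -> List[tuple]:
    """Drive every (user, diff, header variant) through the handler and
    report each case where the HTTP outcome disagrees with the policy."""
    findings = []
    for user in users:
        for diff_id, diff in diffs.items():
            expected = can_view_diff(user, diff, groups)
            for headers in header_variants:
                status, _ = handler(user, diff_id, headers, diffs, groups)
                if (status == 200) != expected:
                    findings.append((user.name, diff_id, dict(headers)))
    return findings


def build_fixture():
    """Constructed sample data: two repositories, two groups, three users, four diffs."""
    pub = Repository("pub")
    priv = Repository("priv", public=False, allowed_groups=frozenset({"secret-team"}))
    groups = {"secret-team": ReviewGroup("secret-team", True, frozenset({"bob"})),
              "everyone": ReviewGroup("everyone")}
    users = [User("alice"), User("bob", frozenset({"secret-team"})), User("mallory")]
    diffs = {1: Diff(1, pub, "public diff"),
             2: Diff(2, priv, "private repo diff"),
             3: Diff(3, pub, "alice's draft", is_draft=True, owner="alice"),
             4: Diff(4, pub, "invite-only diff", target_groups=frozenset({"secret-team"}))}
    header_variants = [{}, {ALT_LOOKUP_HEADER: "1"}]
    return users, diffs, groups, header_variants


if __name__ == "__main__":
    users, diffs, groups, variants = build_fixture()
    for name, handler in (("buggy", diff_resource_buggy), ("fixed", diff_resource_fixed)):
        print(name, audit_handler(handler, users, diffs, groups, variants))
```

The audit only reports cases where the handler disagrees with `can_view_diff`, so it finds the bypass without anyone having to guess which header matters: every request option the API accepts is enumerated in `header_variants`, and a new option that opens a fresh code path is covered by adding one entry there.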

RBUser

Jan 17, 2024, 5:08:44 PM
to Review Board Community
When will the docker images for these new releases be published?

Christian Hammond

Jan 20, 2024, 1:05:00 AM
to revie...@googlegroups.com
Hi,

My apologies, the Docker images hadn't pushed correctly. They've been pushed since for 4.0.13, 5.0.7, and 6.0.2.

Christian

--
Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/