Hi everyone,
Today's releases address a security bug discovered in-house in one of our APIs, and fix stability issues in Review Board 6.
See the release announcement for full details on this release, and links to the release notes. We'll go over the security issue here.
API Security Fix
We discovered a security issue with two of our APIs while performing an in-house performance audit of our code. This allows a user with legitimate access to a Review Board server to craft a specific API request that returns diff content they wouldn't normally have permission to access (draft diffs or published diffs associated with a private repository or invite-only review group).
Users cannot exploit this bug without legitimate access to the Review Board server (or the Local Site server partition, if used).
We aren't aware of this vulnerability being used in the wild. It requires making use of an optional header when accessing these APIs, plus knowledge of internal database APIs for published diffs.
As part of fixing this security issue, we've done the following:
1. We sent patches (and custom builds as needed) to our customers with Premium Support contracts.
2. We audited the remainder of our APIs. This type of issue was not found anywhere else.
3. We improved our testing infrastructure so that this type of issue would be found automatically going forward.
We recommend that everyone upgrade to the appropriate release of Review Board.
Christian