authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2018-12-28 09:51:57 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2018-12-28 09:51:57 +0000
commit3649904e9b38ac2724edc6ed7bf1ad54db09c074 (patch)
tree87cf0b72986170d5177f7521797f47b05db08949
parent11174c34e9bb525900534809250db011b385294b (diff)
Update CHANGELOG.md for 11.4.13
[ci skip]
-rw-r--r--CHANGELOG.md25
-rw-r--r--changelogs/unreleased/54427-label-xss.yml5
-rw-r--r--changelogs/unreleased/54857-fix-templates-path-traversal.yml5
-rw-r--r--changelogs/unreleased/ensure-that-build-token-is-always-running.yml5
-rw-r--r--changelogs/unreleased/fix-security-group-user-removal.yml5
-rw-r--r--changelogs/unreleased/security-11-4-54377-label-milestone-name-xss.yml5
-rw-r--r--changelogs/unreleased/security-11-4-group-cicd-settings-accessible-to-maintainer.yml5
-rw-r--r--changelogs/unreleased/security-11-4-guests-jobs-api.yml5
-rw-r--r--changelogs/unreleased/security-11-4-secret-ci-variables-exposed.yml5
-rw-r--r--changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml5
-rw-r--r--changelogs/unreleased/security-2754-fix-lfs-import.yml5
-rw-r--r--changelogs/unreleased/security-48259-private-snippet.yml5
-rw-r--r--changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml5
-rw-r--r--changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml5
-rw-r--r--changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml5
-rw-r--r--changelogs/unreleased/security-import-symlink.yml5
-rw-r--r--changelogs/unreleased/security-master-url-rel.yml5
-rw-r--r--changelogs/unreleased/security-refs-available-to-project-guest.yml5
-rw-r--r--changelogs/unreleased/security-todos_not_redacted_for_guests.yml5
-rw-r--r--changelogs/unreleased/security-wiki-svg-attachment.yml5
20 files changed, 25 insertions, 95 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c147490d84..0e172971b3b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,31 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 11.4.13 (2018-12-28)
+
+### Security (19 changes)
+
+- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2742
+- Validate LFS hrefs before downloading them.
+- Ensure that build token is only used when running.
+- Add subresources removal to member destroy service.
+- Escape html entities in LabelReferenceFilter when no label found.
+- Allow changing group CI/CD settings only for owners.
+- Authorize before reading job information via API.
+- Prevent leaking protected variables for ambiguous refs.
+- Prevent leaking protected variables for ambiguous refs.
+- Prevent a path traversal attack on global file templates.
+- Prevent private snippets from being embeddable.
+- Issuable no longer is visible to users when project can't be viewed.
+- Don't expose cross project repositories through diffs when creating merge reqeusts.
+- Fix SSRF with import_url and remote mirror url.
+- Fix persistent symlink in project import.
+- Set URL rel attribute for broken URLs.
+- Project guests no longer are able to see refs page.
+- Delete confidential todos for user when downgraded to Guest.
+- Setting svg disposition as attachment in wikis.
+
+
## 11.4.12 (2018-12-20)
### Security (1 change)
diff --git a/changelogs/unreleased/54427-label-xss.yml b/changelogs/unreleased/54427-label-xss.yml
deleted file mode 100644
index 090d1832af2..00000000000
--- a/changelogs/unreleased/54427-label-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape html entities in LabelReferenceFilter when no label found
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/54857-fix-templates-path-traversal.yml b/changelogs/unreleased/54857-fix-templates-path-traversal.yml
deleted file mode 100644
index 0da02432c60..00000000000
--- a/changelogs/unreleased/54857-fix-templates-path-traversal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent a path traversal attack on global file templates
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml b/changelogs/unreleased/ensure-that-build-token-is-always-running.yml
deleted file mode 100644
index ec1f73c70ab..00000000000
--- a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure that build token is only used when running
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/fix-security-group-user-removal.yml b/changelogs/unreleased/fix-security-group-user-removal.yml
deleted file mode 100644
index 09d09a96f84..00000000000
--- a/changelogs/unreleased/fix-security-group-user-removal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add subresources removal to member destroy service
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-54377-label-milestone-name-xss.yml b/changelogs/unreleased/security-11-4-54377-label-milestone-name-xss.yml
deleted file mode 100644
index b20f9fd83cc..00000000000
--- a/changelogs/unreleased/security-11-4-54377-label-milestone-name-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape label and milestone titles to prevent XSS in GFM autocomplete
-merge_request: 2742
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-group-cicd-settings-accessible-to-maintainer.yml b/changelogs/unreleased/security-11-4-group-cicd-settings-accessible-to-maintainer.yml
deleted file mode 100644
index 5586fa6cd8e..00000000000
--- a/changelogs/unreleased/security-11-4-group-cicd-settings-accessible-to-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allow changing group CI/CD settings only for owners.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-guests-jobs-api.yml b/changelogs/unreleased/security-11-4-guests-jobs-api.yml
deleted file mode 100644
index 83022e91aca..00000000000
--- a/changelogs/unreleased/security-11-4-guests-jobs-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Authorize before reading job information via API.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-secret-ci-variables-exposed.yml b/changelogs/unreleased/security-11-4-secret-ci-variables-exposed.yml
deleted file mode 100644
index 702181065f5..00000000000
--- a/changelogs/unreleased/security-11-4-secret-ci-variables-exposed.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent leaking protected variables for ambiguous refs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml b/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml
deleted file mode 100644
index 702181065f5..00000000000
--- a/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent leaking protected variables for ambiguous refs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2754-fix-lfs-import.yml b/changelogs/unreleased/security-2754-fix-lfs-import.yml
deleted file mode 100644
index e8e74c9c3f6..00000000000
--- a/changelogs/unreleased/security-2754-fix-lfs-import.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate LFS hrefs before downloading them
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-48259-private-snippet.yml b/changelogs/unreleased/security-48259-private-snippet.yml
deleted file mode 100644
index 6cf1e5dc694..00000000000
--- a/changelogs/unreleased/security-48259-private-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent private snippets from being embeddable
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml b/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml
deleted file mode 100644
index ab12ba539c1..00000000000
--- a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Issuable no longer is visible to users when project can't be viewed
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml b/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml
deleted file mode 100644
index 11aae4428fb..00000000000
--- a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't expose cross project repositories through diffs when creating merge reqeusts
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml b/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
deleted file mode 100644
index 7ba7aa21090..00000000000
--- a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF with import_url and remote mirror url
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-symlink.yml b/changelogs/unreleased/security-import-symlink.yml
deleted file mode 100644
index fe1b6eccf9e..00000000000
--- a/changelogs/unreleased/security-import-symlink.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix persistent symlink in project import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-master-url-rel.yml b/changelogs/unreleased/security-master-url-rel.yml
deleted file mode 100644
index 75f599f6bcd..00000000000
--- a/changelogs/unreleased/security-master-url-rel.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Set URL rel attribute for broken URLs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-refs-available-to-project-guest.yml b/changelogs/unreleased/security-refs-available-to-project-guest.yml
deleted file mode 100644
index eb6804c52d3..00000000000
--- a/changelogs/unreleased/security-refs-available-to-project-guest.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Project guests no longer are able to see refs page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml b/changelogs/unreleased/security-todos_not_redacted_for_guests.yml
deleted file mode 100644
index be0ae9a7193..00000000000
--- a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Delete confidential todos for user when downgraded to Guest
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-wiki-svg-attachment.yml b/changelogs/unreleased/security-wiki-svg-attachment.yml
deleted file mode 100644
index 02ddc443fa2..00000000000
--- a/changelogs/unreleased/security-wiki-svg-attachment.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Setting svg disposition as attachment in wikis
-merge_request:
-author:
-type: security