author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2018-11-26 22:35:38 +0000
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2018-11-26 22:35:38 +0000
commit: cf37836ca1a0f537f456db978a1a171a3e4563bf
tree: 1cf331f30233552c9fb41e140a661eb86070686b
parent: f1b51e116ea7424e85120caad0263a358a2dd891
download: gitlab-ce-cf37836ca1a0f537f456db978a1a171a3e4563bf.tar.gz
Update CHANGELOG.md for 11.5.1
[ci skip]
-rw-r--r--  CHANGELOG.md | 23
-rw-r--r--  changelogs/unreleased/security-11-5-2717-xss-username-autocomplete.yml | 5
-rw-r--r--  changelogs/unreleased/security-11-5-fj-crlf-injection.yml | 5
-rw-r--r--  changelogs/unreleased/security-11-5-xss-in-markdown-following-unrecognized-html-element.yml | 5
-rw-r--r--  changelogs/unreleased/security-182-update-workhorse.yml | 5
-rw-r--r--  changelogs/unreleased/security-2736-prometheus-ssrf.yml | 5
-rw-r--r--  changelogs/unreleased/security-bvl-exposure-in-commits-list.yml | 5
-rw-r--r--  changelogs/unreleased/security-email-change-notification.yml | 5
-rw-r--r--  changelogs/unreleased/security-fix-pat-web-access.yml | 5
-rw-r--r--  changelogs/unreleased/security-fix-uri-xss-applications.yml | 5
-rw-r--r--  changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml | 5
-rw-r--r--  changelogs/unreleased/security-guest-comments.yml | 5
-rw-r--r--  changelogs/unreleased/security-guest-comments_2.yml | 5
-rw-r--r--  changelogs/unreleased/security-issue_51301.yml | 5
-rw-r--r--  changelogs/unreleased/security-mermaid-xss.yml | 5
-rw-r--r--  changelogs/unreleased/security-pages-toctou-race.yml | 6
-rw-r--r--  changelogs/unreleased/security-private-group-11-5.yml | 6
-rw-r--r--  changelogs/unreleased/security-stored-xss-for-environments.yml | 5
18 files changed, 23 insertions, 87 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3beb864f702..4ff86cd5a7c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,29 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 11.5.1 (2018-11-26)
+
+### Security (17 changes)
+
+- Escape user fullname while rendering autocomplete template to prevent XSS.
+- Fix CRLF vulnerability in Project hooks.
+- Fix possible XSS attack in Markdown urls with spaces.
+- Redact sensitive information on gitlab-workhorse log.
+- Do not follow redirects in Prometheus service when making http requests to the configured api url.
+- Don't expose confidential information in commit message list.
+- Provide email notification when a user changes their email address.
+- Restrict Personal Access Tokens to API scope on web requests.
+- Resolve reflected XSS in Ouath authorize window.
+- Fix SSRF in project integrations.
+- Fixed ability to comment on locked/confidential issues.
+- Fixed ability of guest users to edit/delete comments on locked or confidential issues.
+- Fix milestone promotion authorization check.
+- Configure mermaid to not render HTML content in diagrams.
+- Fix a possible symlink time of check to time of use race condition in GitLab Pages.
+- Removed ability to see private group names when the group id is entered in the url.
+- Fix stored XSS for Environments.
+
+
## 11.5.0 (2018-11-22)
### Security (10 changes, 1 of them is from the community)
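Review bot: the OAuth entry in this hunk misspells the protocol name as "Ouath" ("Resolve reflected XSS in Ouath authorize window"); the typo is inherited from the deleted YAML title, but CHANGELOG.md is the public record, so correct it here to "Resolve reflected XSS in OAuth authorize window". Two smaller points on the same hunk: the block closes with two consecutive added blank lines before "## 11.5.0" where one separator suffices; and none of the 17 security entries carries a merge request, issue or CVE reference (every deleted YAML file in this commit has an empty `merge_request:` field), so an operator reading this file cannot map an entry to the fix they depend on. Where references cannot be public at release time, consider adding a pointer to the corresponding security release announcement under the version heading.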
diff --git a/changelogs/unreleased/security-11-5-2717-xss-username-autocomplete.yml b/changelogs/unreleased/security-11-5-2717-xss-username-autocomplete.yml
deleted file mode 100644
index d9b1015eeb4..00000000000
--- a/changelogs/unreleased/security-11-5-2717-xss-username-autocomplete.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape user fullname while rendering autocomplete template to prevent XSS
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-5-fj-crlf-injection.yml b/changelogs/unreleased/security-11-5-fj-crlf-injection.yml
deleted file mode 100644
index 861167b8a6e..00000000000
--- a/changelogs/unreleased/security-11-5-fj-crlf-injection.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix CRLF vulnerability in Project hooks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-5-xss-in-markdown-following-unrecognized-html-element.yml b/changelogs/unreleased/security-11-5-xss-in-markdown-following-unrecognized-html-element.yml
deleted file mode 100644
index 16c4474aadd..00000000000
--- a/changelogs/unreleased/security-11-5-xss-in-markdown-following-unrecognized-html-element.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix possible XSS attack in Markdown urls with spaces
-merge_request:
-author:
-type: security
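Review bot: the title removed here, "Fix possible XSS attack in Markdown urls with spaces", does not match the file name `security-11-5-xss-in-markdown-following-unrecognized-html-element.yml`, which describes the bug as XSS following an unrecognized HTML element. This title is the text carried into CHANGELOG.md, so confirm which description is accurate before release; if the unrecognized-element handling is the actual root cause, reword the CHANGELOG entry so readers searching for that behaviour can find it.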
diff --git a/changelogs/unreleased/security-182-update-workhorse.yml b/changelogs/unreleased/security-182-update-workhorse.yml
deleted file mode 100644
index 76850901b68..00000000000
--- a/changelogs/unreleased/security-182-update-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact sensitive information on gitlab-workhorse log
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2736-prometheus-ssrf.yml b/changelogs/unreleased/security-2736-prometheus-ssrf.yml
deleted file mode 100644
index 9d0dda8a75f..00000000000
--- a/changelogs/unreleased/security-2736-prometheus-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not follow redirects in Prometheus service when making http requests to the configured api url
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml b/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
deleted file mode 100644
index 0361fb0c041..00000000000
--- a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't expose confidential information in commit message list
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-email-change-notification.yml b/changelogs/unreleased/security-email-change-notification.yml
deleted file mode 100644
index 45075ff20bb..00000000000
--- a/changelogs/unreleased/security-email-change-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Provide email notification when a user changes their email address
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-pat-web-access.yml b/changelogs/unreleased/security-fix-pat-web-access.yml
deleted file mode 100644
index 62ffb908fe5..00000000000
--- a/changelogs/unreleased/security-fix-pat-web-access.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict Personal Access Tokens to API scope on web requests
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-uri-xss-applications.yml b/changelogs/unreleased/security-fix-uri-xss-applications.yml
deleted file mode 100644
index 0eaa1b1c4a3..00000000000
--- a/changelogs/unreleased/security-fix-uri-xss-applications.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Resolve reflected XSS in Ouath authorize window
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml b/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
deleted file mode 100644
index 32c85a2a7da..00000000000
--- a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF in project integrations
-merge_request:
-author:
-type: security
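Review bot: the file name `security-fix-webhook-ssrf-ipv6.yml` identifies the issue as an IPv6 SSRF in webhooks, but the title carried into CHANGELOG.md, "Fix SSRF in project integrations", drops both details. An administrator who has already restricted outbound hook targets for IPv4 cannot tell from the entry that this fix concerns IPv6 addresses; consider wording it along the lines of "Fix SSRF in project integrations via IPv6 webhook targets" so the scope of the exposure is clear.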
diff --git a/changelogs/unreleased/security-guest-comments.yml b/changelogs/unreleased/security-guest-comments.yml
deleted file mode 100644
index 2c99512433b..00000000000
--- a/changelogs/unreleased/security-guest-comments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability to comment on locked/confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-comments_2.yml b/changelogs/unreleased/security-guest-comments_2.yml
deleted file mode 100644
index be6f2d6a490..00000000000
--- a/changelogs/unreleased/security-guest-comments_2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability of guest users to edit/delete comments on locked or confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-issue_51301.yml b/changelogs/unreleased/security-issue_51301.yml
deleted file mode 100644
index cf8ebb54b1c..00000000000
--- a/changelogs/unreleased/security-issue_51301.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix milestone promotion authorization check
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mermaid-xss.yml b/changelogs/unreleased/security-mermaid-xss.yml
deleted file mode 100644
index bcf93ef37ff..00000000000
--- a/changelogs/unreleased/security-mermaid-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Configure mermaid to not render HTML content in diagrams
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pages-toctou-race.yml b/changelogs/unreleased/security-pages-toctou-race.yml
deleted file mode 100644
index 1c055f6087f..00000000000
--- a/changelogs/unreleased/security-pages-toctou-race.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix a possible symlink time of check to time of use race condition in GitLab
- Pages
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-private-group-11-5.yml b/changelogs/unreleased/security-private-group-11-5.yml
deleted file mode 100644
index dbb7794dfed..00000000000
--- a/changelogs/unreleased/security-private-group-11-5.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Removed ability to see private group names when the group id is entered in
- the url.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-stored-xss-for-environments.yml b/changelogs/unreleased/security-stored-xss-for-environments.yml
deleted file mode 100644
index 5d78ca00942..00000000000
--- a/changelogs/unreleased/security-stored-xss-for-environments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix stored XSS for Environments
-merge_request:
-author:
-type: security