authorRobert Speicher <rspeicher@gmail.com>2019-07-30 11:28:50 -0500
committerRobert Speicher <rspeicher@gmail.com>2019-07-30 11:28:50 -0500
commitd77fef5bddc6c91ad46949726f71884bb4bfb348 (patch)
treedb1d5432055e497e75d01dcf1e9f5d36fb568ee5
parentd55b52f2e31db2458407741e06dbe4a469a71bcd (diff)
parentd9d2466983248809638c8ca1abf5b0f440b3568f (diff)
Merge branch '12-1-auto-deploy-20190721' into rs-merge-auto-deploy-securityrs-merge-auto-deploy-security
-rw-r--r--changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml5
-rw-r--r--changelogs/unreleased/security-bvl-filter-mr-params.yml5
-rw-r--r--changelogs/unreleased/security-dns-ssrf-bypass.yml5
-rw-r--r--changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml5
-rw-r--r--changelogs/unreleased/security-hide_moved_issue_id.yml5
-rw-r--r--changelogs/unreleased/security-mr-pipeline-permissions.yml5
-rw-r--r--changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml5
7 files changed, 35 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml b/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml
new file mode 100644
index 00000000000..a8a26d5fc56
--- /dev/null
+++ b/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml
@@ -0,0 +1,5 @@
+---
+title: Patch XSS issue in wiki links
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-bvl-filter-mr-params.yml b/changelogs/unreleased/security-bvl-filter-mr-params.yml
new file mode 100644
index 00000000000..4433ec73b7c
--- /dev/null
+++ b/changelogs/unreleased/security-bvl-filter-mr-params.yml
@@ -0,0 +1,5 @@
+---
+title: Filter merge request params on the new merge request page
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-dns-ssrf-bypass.yml b/changelogs/unreleased/security-dns-ssrf-bypass.yml
new file mode 100644
index 00000000000..e48696ce5bd
--- /dev/null
+++ b/changelogs/unreleased/security-dns-ssrf-bypass.yml
@@ -0,0 +1,5 @@
+---
+title: Fix Server Side Request Forgery mitigation bypass
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml
new file mode 100644
index 00000000000..9526f3c559f
--- /dev/null
+++ b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml
@@ -0,0 +1,5 @@
+---
+title: Show badges if pipelines are public otherwise default to project permissions.
+erge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-hide_moved_issue_id.yml b/changelogs/unreleased/security-hide_moved_issue_id.yml
new file mode 100644
index 00000000000..24353d797c9
--- /dev/null
+++ b/changelogs/unreleased/security-hide_moved_issue_id.yml
@@ -0,0 +1,5 @@
+---
+title: Do not show moved issue id for users that cannot read issue
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-mr-pipeline-permissions.yml b/changelogs/unreleased/security-mr-pipeline-permissions.yml
new file mode 100644
index 00000000000..a317c93228c
--- /dev/null
+++ b/changelogs/unreleased/security-mr-pipeline-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Use source project as permissions reference for MergeRequestsController#pipelines
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml b/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml
new file mode 100644
index 00000000000..201f66e1f18
--- /dev/null
+++ b/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml
@@ -0,0 +1,5 @@
+---
+title: Drop feature to take ownership of trigger token.
+merge_request:
+author:
+type: security