diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2018-12-28 09:52:06 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2018-12-28 09:52:06 +0000 |
commit | 466be2f726dc2db819f6c45f89622c8d699537d0 (patch) | |
tree | 1900754c1357dbd53a0bf39e20234e476342aeb6 | |
parent | f6d8c63b1f44ec56e9219de0e063f0961edf585c (diff) | |
download | gitlab-ce-466be2f726dc2db819f6c45f89622c8d699537d0.tar.gz |
Update CHANGELOG.md for 11.5.6
[ci skip]
19 files changed, 27 insertions, 90 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 9de77431eb8..4eb40fc0af4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,33 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.5.6 (2018-12-28) + +### Security (17 changes) + +- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2741 +- Validate LFS hrefs before downloading them. +- Ensure that build token is only used when running. +- Add subresources removal to member destroy service. +- Prevent a path traversal attack on global file templates. +- Allow changing group CI/CD settings only for owners. +- Authorize before reading job information via API. +- Prevent leaking protected variables for ambiguous refs. +- Escape html entities in LabelReferenceFilter when no label found. +- Prevent private snippets from being embeddable. +- Issuable no longer is visible to users when project can't be viewed. +- Don't expose cross project repositories through diffs when creating merge reqeusts. +- Fix SSRF with import_url and remote mirror url. +- Fix persistent symlink in project import. +- Set URL rel attribute for broken URLs. +- Project guests no longer are able to see refs page. +- Delete confidential todos for user when downgraded to Guest. + +### Other (1 change) + +- Fix due date test. !23845 + + ## 11.5.5 (2018-12-20) ### Security (1 change) diff --git a/changelogs/unreleased/54427-label-xss.yml b/changelogs/unreleased/54427-label-xss.yml deleted file mode 100644 index 090d1832af2..00000000000 --- a/changelogs/unreleased/54427-label-xss.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Escape html entities in LabelReferenceFilter when no label found -merge_request: -author: -type: security diff --git a/changelogs/unreleased/54857-fix-templates-path-traversal.yml b/changelogs/unreleased/54857-fix-templates-path-traversal.yml deleted file mode 100644 index 0da02432c60..00000000000 --- a/changelogs/unreleased/54857-fix-templates-path-traversal.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent a path traversal attack on global file templates -merge_request: -author: -type: security diff --git a/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml b/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml deleted file mode 100644 index d2ff095ce55..00000000000 --- a/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix due date test -merge_request: 23845 -author: -type: other diff --git a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml b/changelogs/unreleased/ensure-that-build-token-is-always-running.yml deleted file mode 100644 index ec1f73c70ab..00000000000 --- a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Ensure that build token is only used when running -merge_request: -author: -type: security diff --git a/changelogs/unreleased/fix-security-group-user-removal.yml b/changelogs/unreleased/fix-security-group-user-removal.yml deleted file mode 100644 index 09d09a96f84..00000000000 --- a/changelogs/unreleased/fix-security-group-user-removal.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Add subresources removal to member destroy service -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-11-5-54377-label-milestone-name-xss.yml b/changelogs/unreleased/security-11-5-54377-label-milestone-name-xss.yml deleted file mode 100644 index 29d371349aa..00000000000 --- a/changelogs/unreleased/security-11-5-54377-label-milestone-name-xss.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Escape label and milestone titles to prevent XSS in GFM autocomplete -merge_request: 2741 -author: -type: security diff --git a/changelogs/unreleased/security-11-5-group-cicd-settings-accessible-to-maintainer.yml b/changelogs/unreleased/security-11-5-group-cicd-settings-accessible-to-maintainer.yml deleted file mode 100644 index 5586fa6cd8e..00000000000 --- a/changelogs/unreleased/security-11-5-group-cicd-settings-accessible-to-maintainer.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Allow changing group CI/CD settings only for owners. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-11-5-guests-jobs-api.yml b/changelogs/unreleased/security-11-5-guests-jobs-api.yml deleted file mode 100644 index 83022e91aca..00000000000 --- a/changelogs/unreleased/security-11-5-guests-jobs-api.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Authorize before reading job information via API. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml b/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml deleted file mode 100644 index 702181065f5..00000000000 --- a/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent leaking protected variables for ambiguous refs. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-2754-fix-lfs-import.yml b/changelogs/unreleased/security-2754-fix-lfs-import.yml deleted file mode 100644 index e8e74c9c3f6..00000000000 --- a/changelogs/unreleased/security-2754-fix-lfs-import.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Validate LFS hrefs before downloading them -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-48259-private-snippet.yml b/changelogs/unreleased/security-48259-private-snippet.yml deleted file mode 100644 index 6cf1e5dc694..00000000000 --- a/changelogs/unreleased/security-48259-private-snippet.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent private snippets from being embeddable -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml b/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml deleted file mode 100644 index ab12ba539c1..00000000000 --- a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Issuable no longer is visible to users when project can't be viewed -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml b/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml deleted file mode 100644 index 11aae4428fb..00000000000 --- a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Don't expose cross project repositories through diffs when creating merge reqeusts -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml b/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml deleted file mode 100644 index 7ba7aa21090..00000000000 --- a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix SSRF with import_url and remote mirror url -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-import-symlink.yml b/changelogs/unreleased/security-import-symlink.yml deleted file mode 100644 index fe1b6eccf9e..00000000000 --- a/changelogs/unreleased/security-import-symlink.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix persistent symlink in project import -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-master-url-rel.yml b/changelogs/unreleased/security-master-url-rel.yml deleted file mode 100644 index 75f599f6bcd..00000000000 --- a/changelogs/unreleased/security-master-url-rel.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Set URL rel attribute for broken URLs. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-refs-available-to-project-guest.yml b/changelogs/unreleased/security-refs-available-to-project-guest.yml deleted file mode 100644 index eb6804c52d3..00000000000 --- a/changelogs/unreleased/security-refs-available-to-project-guest.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Project guests no longer are able to see refs page -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml b/changelogs/unreleased/security-todos_not_redacted_for_guests.yml deleted file mode 100644 index be0ae9a7193..00000000000 --- a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Delete confidential todos for user when downgraded to Guest -merge_request: -author: -type: security |