summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Jarvis <jarv@gitlab.com>2019-08-28 17:48:38 +0200
committerJohn Jarvis <jarv@gitlab.com>2019-08-28 17:49:08 +0200
commitdce99389fd60a1f590e7823131b2c705ec0e2b12 (patch)
tree8e3cc63287a9dbb665df7afc24aa2279bafd8d15
parent1b4a88f0187fcaa4310ecbe889af294956cc03cf (diff)
downloadgitlab-ce-dce99389fd60a1f590e7823131b2c705ec0e2b12.tar.gz
Revert "Update CHANGELOG.md for 12.0.7"
This reverts commit 49858350fa12ccd9c863bd05edc660b549e7657a.
Diffstat
-rw-r--r--CHANGELOG.md26
-rw-r--r--changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml3
-rw-r--r--changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml5
-rw-r--r--changelogs/unreleased/security-60551-fix-upload-scope-12-0.yml5
-rw-r--r--changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml5
-rw-r--r--changelogs/unreleased/security-61974-limit-issue-comment-size.yml5
-rw-r--r--changelogs/unreleased/security-64711-fix-commit-todos.yml5
-rw-r--r--changelogs/unreleased/security-ci-metrics-permissions.yml6
-rw-r--r--changelogs/unreleased/security-enable-image-proxy.yml5
-rw-r--r--changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml5
-rw-r--r--changelogs/unreleased/security-exposed-default-branch.yml5
-rw-r--r--changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml5
-rw-r--r--changelogs/unreleased/security-fix-markdown-xss.yml5
-rw-r--r--changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml5
-rw-r--r--changelogs/unreleased/security-group-runners-permissions.yml5
-rw-r--r--changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml5
-rw-r--r--changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml5
-rw-r--r--changelogs/unreleased/security-katex-dos-12-0.yml5
-rw-r--r--changelogs/unreleased/security-mr-head-pipeline-leak.yml5
-rw-r--r--changelogs/unreleased/security-personal-snippets.yml5
-rw-r--r--changelogs/unreleased/security-project-import-bypass.yml5
-rw-r--r--changelogs/unreleased/security-sarcila-fix-weak-session-management.yml6
-rw-r--r--changelogs/unreleased/security-ssrf-kubernetes-dns.yml5
23 files changed, 111 insertions, 25 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ffd18ecaeb..d4a0f699a39 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,31 +4,7 @@ entry.
## 12.0.7
-### Security (22 changes)
-
-- Ensure only authorised users can create notes on Merge Requests and Issues.
-- Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks.
-- Queries for Upload should be scoped by model.
-- Speed up regexp in namespace format by failing fast after reaching maximum namespace depth.
-- Limit the size of issuable description and comments.
-- Send TODOs for comments on commits correctly.
-- Restrict MergeRequests#test_reports to authenticated users with read-access on Builds.
-- Added image proxy to mitigate potential stealing of IP addresses.
-- Filter out old system notes for epics in notes api endpoint response.
-- Avoid exposing unaccessible repo data upon GFM post processing.
-- Fix HTML injection for label description.
-- Make sure HTML text is always escaped when replacing label/milestone references.
-- Prevent DNS rebind on JIRA service integration.
-- Use admin_group authorization in Groups::RunnersController.
-- Prevent disclosure of merge request ID via email.
-- Show cross-referenced MR-id in issues' activities only to authorized users.
-- Enforce max chars and max render time in markdown math.
-- Check permissions before responding in MergeController#pipeline_status.
-- Remove EXIF from users/personal snippet uploads.
-- Fix project import restricted visibility bypass via API.
-- Fix weak session management by clearing password reset tokens after login (username/email) are updated.
-- Fix SSRF via DNS rebinding in Kubernetes Integration.
-
+- Unreleased due to QA failure.
## 12.0.6
diff --git a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
new file mode 100644
index 00000000000..ba970162447
--- /dev/null
+++ b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
@@ -0,0 +1,3 @@
+---
+title: Ensure only authorised users can create notes on Merge Requests and Issues
+type: security
diff --git a/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml b/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml
new file mode 100644
index 00000000000..55f9e36c39c
--- /dev/null
+++ b/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml
@@ -0,0 +1,5 @@
+---
+title: Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-60551-fix-upload-scope-12-0.yml b/changelogs/unreleased/security-60551-fix-upload-scope-12-0.yml
new file mode 100644
index 00000000000..7d7096833a7
--- /dev/null
+++ b/changelogs/unreleased/security-60551-fix-upload-scope-12-0.yml
@@ -0,0 +1,5 @@
+---
+title: Queries for Upload should be scoped by model
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml b/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml
new file mode 100644
index 00000000000..962171dc6f8
--- /dev/null
+++ b/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml
@@ -0,0 +1,5 @@
+---
+title: Speed up regexp in namespace format by failing fast after reaching maximum namespace depth
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-61974-limit-issue-comment-size.yml b/changelogs/unreleased/security-61974-limit-issue-comment-size.yml
new file mode 100644
index 00000000000..6d5ef057d83
--- /dev/null
+++ b/changelogs/unreleased/security-61974-limit-issue-comment-size.yml
@@ -0,0 +1,5 @@
+---
+title: Limit the size of issuable description and comments
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-64711-fix-commit-todos.yml b/changelogs/unreleased/security-64711-fix-commit-todos.yml
new file mode 100644
index 00000000000..ce4b3cdeeaf
--- /dev/null
+++ b/changelogs/unreleased/security-64711-fix-commit-todos.yml
@@ -0,0 +1,5 @@
+---
+title: Send TODOs for comments on commits correctly
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-ci-metrics-permissions.yml b/changelogs/unreleased/security-ci-metrics-permissions.yml
new file mode 100644
index 00000000000..51c6493442a
--- /dev/null
+++ b/changelogs/unreleased/security-ci-metrics-permissions.yml
@@ -0,0 +1,6 @@
+---
+title: Restrict MergeRequests#test_reports to authenticated users with read-access
+ on Builds
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-enable-image-proxy.yml b/changelogs/unreleased/security-enable-image-proxy.yml
new file mode 100644
index 00000000000..88b49ffd9e8
--- /dev/null
+++ b/changelogs/unreleased/security-enable-image-proxy.yml
@@ -0,0 +1,5 @@
+---
+title: Added image proxy to mitigate potential stealing of IP addresses
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml b/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml
new file mode 100644
index 00000000000..c639098721e
--- /dev/null
+++ b/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml
@@ -0,0 +1,5 @@
+---
+title: Filter out old system notes for epics in notes api endpoint response
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-exposed-default-branch.yml b/changelogs/unreleased/security-exposed-default-branch.yml
new file mode 100644
index 00000000000..bf32617ee8a
--- /dev/null
+++ b/changelogs/unreleased/security-exposed-default-branch.yml
@@ -0,0 +1,5 @@
+---
+title: Avoid exposing unaccessible repo data upon GFM post processing
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
new file mode 100644
index 00000000000..07124ac399b
--- /dev/null
+++ b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
@@ -0,0 +1,5 @@
+---
+title: Fix HTML injection for label description
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-markdown-xss.yml b/changelogs/unreleased/security-fix-markdown-xss.yml
new file mode 100644
index 00000000000..7ef19f13fd5
--- /dev/null
+++ b/changelogs/unreleased/security-fix-markdown-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Make sure HTML text is always escaped when replacing label/milestone references.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml b/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml
new file mode 100644
index 00000000000..25518dd2d05
--- /dev/null
+++ b/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent DNS rebind on JIRA service integration
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-group-runners-permissions.yml b/changelogs/unreleased/security-group-runners-permissions.yml
new file mode 100644
index 00000000000..6c74be30b6d
--- /dev/null
+++ b/changelogs/unreleased/security-group-runners-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Use admin_group authorization in Groups::RunnersController
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml b/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml
new file mode 100644
index 00000000000..cd8c9590a70
--- /dev/null
+++ b/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent disclosure of merge request ID via email
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml b/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml
new file mode 100644
index 00000000000..0fa5f89e2c0
--- /dev/null
+++ b/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Show cross-referenced MR-id in issues' activities only to authorized users
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-katex-dos-12-0.yml b/changelogs/unreleased/security-katex-dos-12-0.yml
new file mode 100644
index 00000000000..df803a5eafd
--- /dev/null
+++ b/changelogs/unreleased/security-katex-dos-12-0.yml
@@ -0,0 +1,5 @@
+---
+title: Enforce max chars and max render time in markdown math
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-mr-head-pipeline-leak.yml
new file mode 100644
index 00000000000..b15b353ff41
--- /dev/null
+++ b/changelogs/unreleased/security-mr-head-pipeline-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Check permissions before responding in MergeController#pipeline_status
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-personal-snippets.yml b/changelogs/unreleased/security-personal-snippets.yml
new file mode 100644
index 00000000000..95f61993b98
--- /dev/null
+++ b/changelogs/unreleased/security-personal-snippets.yml
@@ -0,0 +1,5 @@
+---
+title: Remove EXIF from users/personal snippet uploads.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-project-import-bypass.yml b/changelogs/unreleased/security-project-import-bypass.yml
new file mode 100644
index 00000000000..fc7b823509c
--- /dev/null
+++ b/changelogs/unreleased/security-project-import-bypass.yml
@@ -0,0 +1,5 @@
+---
+title: Fix project import restricted visibility bypass via API
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml
new file mode 100644
index 00000000000..a37a3099519
--- /dev/null
+++ b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml
@@ -0,0 +1,6 @@
+---
+title: Fix weak session management by clearing password reset tokens after login (username/email)
+ are updated
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-ssrf-kubernetes-dns.yml b/changelogs/unreleased/security-ssrf-kubernetes-dns.yml
new file mode 100644
index 00000000000..4d6335e4b08
--- /dev/null
+++ b/changelogs/unreleased/security-ssrf-kubernetes-dns.yml
@@ -0,0 +1,5 @@
+---
+title: Fix SSRF via DNS rebinding in Kubernetes Integration
+merge_request:
+author:
+type: security
View Lorry Controller Status