diff options
author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2019-08-27 01:24:42 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2019-08-27 01:24:42 +0000 |
commit | 49858350fa12ccd9c863bd05edc660b549e7657a (patch) | |
tree | 7a6074a73839ed94116606f426007fe95d333f42 | |
parent | 49cee93674e75cfa03d7457c1d22feb2c6606896 (diff) | |
download | gitlab-ce-49858350fa12ccd9c863bd05edc660b549e7657a.tar.gz |
Update CHANGELOG.md for 12.0.7
[ci skip]
23 files changed, 28 insertions, 110 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index a0bb6d1d313..1ffd18ecaeb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,34 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 12.0.7 + +### Security (22 changes) + +- Ensure only authorised users can create notes on Merge Requests and Issues. +- Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks. +- Queries for Upload should be scoped by model. +- Speed up regexp in namespace format by failing fast after reaching maximum namespace depth. +- Limit the size of issuable description and comments. +- Send TODOs for comments on commits correctly. +- Restrict MergeRequests#test_reports to authenticated users with read-access on Builds. +- Added image proxy to mitigate potential stealing of IP addresses. +- Filter out old system notes for epics in notes api endpoint response. +- Avoid exposing unaccessible repo data upon GFM post processing. +- Fix HTML injection for label description. +- Make sure HTML text is always escaped when replacing label/milestone references. +- Prevent DNS rebind on JIRA service integration. +- Use admin_group authorization in Groups::RunnersController. +- Prevent disclosure of merge request ID via email. +- Show cross-referenced MR-id in issues' activities only to authorized users. +- Enforce max chars and max render time in markdown math. +- Check permissions before responding in MergeController#pipeline_status. +- Remove EXIF from users/personal snippet uploads. +- Fix project import restricted visibility bypass via API. +- Fix weak session management by clearing password reset tokens after login (username/email) are updated. +- Fix SSRF via DNS rebinding in Kubernetes Integration. + + ## 12.0.6 ### Security (2 changes) diff --git a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml deleted file mode 100644 index ba970162447..00000000000 --- a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -title: Ensure only authorised users can create notes on Merge Requests and Issues -type: security diff --git a/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml b/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml deleted file mode 100644 index 55f9e36c39c..00000000000 --- a/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-60551-fix-upload-scope-12-0.yml b/changelogs/unreleased/security-60551-fix-upload-scope-12-0.yml deleted file mode 100644 index 7d7096833a7..00000000000 --- a/changelogs/unreleased/security-60551-fix-upload-scope-12-0.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Queries for Upload should be scoped by model -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml b/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml deleted file mode 100644 index 962171dc6f8..00000000000 --- a/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Speed up regexp in namespace format by failing fast after reaching maximum namespace depth -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-61974-limit-issue-comment-size.yml b/changelogs/unreleased/security-61974-limit-issue-comment-size.yml deleted file mode 100644 index 6d5ef057d83..00000000000 --- a/changelogs/unreleased/security-61974-limit-issue-comment-size.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Limit the size of issuable description and comments -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-64711-fix-commit-todos.yml b/changelogs/unreleased/security-64711-fix-commit-todos.yml deleted file mode 100644 index ce4b3cdeeaf..00000000000 --- a/changelogs/unreleased/security-64711-fix-commit-todos.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Send TODOs for comments on commits correctly -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-ci-metrics-permissions.yml b/changelogs/unreleased/security-ci-metrics-permissions.yml deleted file mode 100644 index 51c6493442a..00000000000 --- a/changelogs/unreleased/security-ci-metrics-permissions.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Restrict MergeRequests#test_reports to authenticated users with read-access - on Builds -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-enable-image-proxy.yml b/changelogs/unreleased/security-enable-image-proxy.yml deleted file mode 100644 index 88b49ffd9e8..00000000000 --- a/changelogs/unreleased/security-enable-image-proxy.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Added image proxy to mitigate potential stealing of IP addresses -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml b/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml deleted file mode 100644 index c639098721e..00000000000 --- a/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Filter out old system notes for epics in notes api endpoint response -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-exposed-default-branch.yml b/changelogs/unreleased/security-exposed-default-branch.yml deleted file mode 100644 index bf32617ee8a..00000000000 --- a/changelogs/unreleased/security-exposed-default-branch.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Avoid exposing unaccessible repo data upon GFM post processing -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml deleted file mode 100644 index 07124ac399b..00000000000 --- a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix HTML injection for label description -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fix-markdown-xss.yml b/changelogs/unreleased/security-fix-markdown-xss.yml deleted file mode 100644 index 7ef19f13fd5..00000000000 --- a/changelogs/unreleased/security-fix-markdown-xss.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Make sure HTML text is always escaped when replacing label/milestone references. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml b/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml deleted file mode 100644 index 25518dd2d05..00000000000 --- a/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent DNS rebind on JIRA service integration -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-group-runners-permissions.yml b/changelogs/unreleased/security-group-runners-permissions.yml deleted file mode 100644 index 6c74be30b6d..00000000000 --- a/changelogs/unreleased/security-group-runners-permissions.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Use admin_group authorization in Groups::RunnersController -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml b/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml deleted file mode 100644 index cd8c9590a70..00000000000 --- a/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent disclosure of merge request ID via email -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml b/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml deleted file mode 100644 index 0fa5f89e2c0..00000000000 --- a/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Show cross-referenced MR-id in issues' activities only to authorized users -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-katex-dos-12-0.yml b/changelogs/unreleased/security-katex-dos-12-0.yml deleted file mode 100644 index df803a5eafd..00000000000 --- a/changelogs/unreleased/security-katex-dos-12-0.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Enforce max chars and max render time in markdown math -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-mr-head-pipeline-leak.yml deleted file mode 100644 index b15b353ff41..00000000000 --- a/changelogs/unreleased/security-mr-head-pipeline-leak.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Check permissions before responding in MergeController#pipeline_status -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-personal-snippets.yml b/changelogs/unreleased/security-personal-snippets.yml deleted file mode 100644 index 95f61993b98..00000000000 --- a/changelogs/unreleased/security-personal-snippets.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Remove EXIF from users/personal snippet uploads. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-project-import-bypass.yml b/changelogs/unreleased/security-project-import-bypass.yml deleted file mode 100644 index fc7b823509c..00000000000 --- a/changelogs/unreleased/security-project-import-bypass.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix project import restricted visibility bypass via API -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml deleted file mode 100644 index a37a3099519..00000000000 --- a/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Fix weak session management by clearing password reset tokens after login (username/email) - are updated -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-ssrf-kubernetes-dns.yml b/changelogs/unreleased/security-ssrf-kubernetes-dns.yml deleted file mode 100644 index 4d6335e4b08..00000000000 --- a/changelogs/unreleased/security-ssrf-kubernetes-dns.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix SSRF via DNS rebinding in Kubernetes Integration -merge_request: -author: -type: security |