authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2019-10-28 15:00:05 +0000
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2019-10-28 15:00:05 +0000
commitfed21ce48d18655282234e95b1850254869173e3 (patch)
tree3e05c369ceff8381abeccb11bd797faae79e10c2
parentf60864f2db12dec044b372afe3ab33f27d2d0d02 (diff)
downloadgitlab-ce-fed21ce48d18655282234e95b1850254869173e3.tar.gz
Update CHANGELOG.md for 12.3.6
[ci skip]
-rw-r--r--CHANGELOG.md20
-rw-r--r--changelogs/unreleased/29986-remove-leaky-401-responses.yml5
-rw-r--r--changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml5
-rw-r--r--changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml5
-rw-r--r--changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml5
-rw-r--r--changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml5
-rw-r--r--changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml6
-rw-r--r--changelogs/unreleased/security-developer-transfer-project.yml5
-rw-r--r--changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml3
-rw-r--r--changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml5
-rw-r--r--changelogs/unreleased/security-mask-sentry-token-ce.yml4
-rw-r--r--changelogs/unreleased/security-open-redirect-internalredirect-12-3.yml5
-rw-r--r--changelogs/unreleased/security-stored-xss-using-find-file.yml5
-rw-r--r--changelogs/unreleased/security-wiki-rdoc-content.yml5
-rw-r--r--changelogs/unreleased/security-xss-grafana-url-12-4.yml5
15 files changed, 20 insertions, 68 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ec3b4e56a1..bc35154362c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,26 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 12.3.6
+
+### Security (14 changes)
+
+- Standardize error response when route is missing.
+- Do not display project labels that are not visible for user accessing group labels.
+- Show cross-referenced label and milestones in issues' activities only to authorized users.
+- Analyze incoming GraphQL queries and check for recursion.
+- Disallow unprivileged users from commenting on private repository commits.
+- Don't allow maintainers of a target project to delete the source branch of a merge request from a fork.
+- Require Maintainer permission on group where project is transferred to.
+- Don't leak private members in project member autocomplete suggestions.
+- Return 404 on LFS request if project doesn't exist.
+- Mask sentry auth token in Error Tracking dashboard.
+- Fixes a Open Redirect issue in `InternalRedirect`.
+- Sanitize search text to prevent XSS.
+- Sanitize all wiki markup formats with GitLab sanitization pipelines.
+- Fix stored XSS issue for grafana_url.
+
+
## 12.3.5
- No changes.
diff --git a/changelogs/unreleased/29986-remove-leaky-401-responses.yml b/changelogs/unreleased/29986-remove-leaky-401-responses.yml
deleted file mode 100644
index 3d60011b63f..00000000000
--- a/changelogs/unreleased/29986-remove-leaky-401-responses.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Standardize error response when route is missing
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml b/changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml
deleted file mode 100644
index 59af202a3bd..00000000000
--- a/changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not display project labels that are not visible for user accessing group labels
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml b/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml
deleted file mode 100644
index b2901411729..00000000000
--- a/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Show cross-referenced label and milestones in issues' activities only to authorized users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml b/changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml
deleted file mode 100644
index 5ce37b0d032..00000000000
--- a/changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Analyze incoming GraphQL queries and check for recursion
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml b/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
deleted file mode 100644
index 3d9f480ba11..00000000000
--- a/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disallow unprivileged users from commenting on private repository commits
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml b/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml
deleted file mode 100644
index 50dc9c32c5d..00000000000
--- a/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Don't allow maintainers of a target project to delete the source branch of
- a merge request from a fork
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-developer-transfer-project.yml b/changelogs/unreleased/security-developer-transfer-project.yml
deleted file mode 100644
index fe533fc099a..00000000000
--- a/changelogs/unreleased/security-developer-transfer-project.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Require Maintainer permission on group where project is transferred to
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml b/changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml
deleted file mode 100644
index 5992e93bda2..00000000000
--- a/changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-title: "Don't leak private members in project member autocomplete suggestions"
-type: security
diff --git a/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml b/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml
deleted file mode 100644
index dfd7a2d11f9..00000000000
--- a/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Return 404 on LFS request if project doesn't exist
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mask-sentry-token-ce.yml b/changelogs/unreleased/security-mask-sentry-token-ce.yml
deleted file mode 100644
index e9fe780a488..00000000000
--- a/changelogs/unreleased/security-mask-sentry-token-ce.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Mask sentry auth token in Error Tracking dashboard
-author:
-type: security
diff --git a/changelogs/unreleased/security-open-redirect-internalredirect-12-3.yml b/changelogs/unreleased/security-open-redirect-internalredirect-12-3.yml
deleted file mode 100644
index 5ac65a4b355..00000000000
--- a/changelogs/unreleased/security-open-redirect-internalredirect-12-3.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixes a Open Redirect issue in `InternalRedirect`.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-stored-xss-using-find-file.yml b/changelogs/unreleased/security-stored-xss-using-find-file.yml
deleted file mode 100644
index 41cd2f9494f..00000000000
--- a/changelogs/unreleased/security-stored-xss-using-find-file.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Sanitize search text to prevent XSS
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-wiki-rdoc-content.yml b/changelogs/unreleased/security-wiki-rdoc-content.yml
deleted file mode 100644
index f40f1abcd94..00000000000
--- a/changelogs/unreleased/security-wiki-rdoc-content.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Sanitize all wiki markup formats with GitLab sanitization pipelines
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-xss-grafana-url-12-4.yml b/changelogs/unreleased/security-xss-grafana-url-12-4.yml
deleted file mode 100644
index d0adff94b76..00000000000
--- a/changelogs/unreleased/security-xss-grafana-url-12-4.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix stored XSS issue for grafana_url
-merge_request:
-author:
-type: security