author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-01-28 22:19:29 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-01-28 22:19:29 +0000 |
commit | f22809ecefaa98fed87e404de89802c7d90e06e3 (patch) | |
tree | e03b00aaf7aca4f60dc44e0b8fab95efda2da55c | |
parent | 110592dfad951d3a3ad8d1ea6a12e8a2dbc3815a (diff) | |
Update CHANGELOG.md for 12.7.3
[ci skip]
18 files changed, 23 insertions, 85 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a1552ffb2d..542d0016e1d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,29 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 12.7.3
+
+### Security (17 changes, 1 of them is from the community)
+
+- Fix xss on frequent groups dropdown. !50
+- Bump rubyzip to 2.0.0. (Utkarsh Gupta)
+- Disable access to last_pipeline in commits API for users without read permissions.
+- Add constraint to group dependency proxy endpoint param.
+- Limit number of AsciiDoc includes per document.
+- Prevent API access for unconfirmed users.
+- Enforce permission check when counting activity events.
+- Prevent gafana integration token from being displayed as a plain text to other project maintainers, by only displaying a masked version of it. GraphQL api deprecate token field in GrafanaIntegration type.
+- Cleanup todos for users from a removed linked group.
+- Fix XSS vulnerability on custom project templates form.
+- Protect internal CI builds from external overrides.
+- ImportExport::ExportService to require admin_project permission.
+- Make sure that only system notes where all references are visible to user are exposed in GraphQL API.
+- Disable caching of repository/files/:file_path/raw API endpoint.
+- Make cross-repository comparisons happen in the source repository.
+- Update excon to 0.71.1 to fix CVE-2019-16779.
+- Add workhorse request verification to package upload endpoints.
+
+
 ## 12.7.2
 - No changes.
diff --git a/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml b/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
deleted file mode 100644
index 976ce6f90b3..00000000000
--- a/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Bump rubyzip to 2.0.0
-merge_request:
-author: Utkarsh Gupta
-type: security
diff --git a/changelogs/unreleased/security-35235-todos-cleanup.yml b/changelogs/unreleased/security-35235-todos-cleanup.yml
deleted file mode 100644
index 119220fbc73..00000000000
--- a/changelogs/unreleased/security-35235-todos-cleanup.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Cleanup todos for users from a removed linked group
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-commits-api-last-pipeline-status.yml b/changelogs/unreleased/security-commits-api-last-pipeline-status.yml
deleted file mode 100644
index a68151f9732..00000000000
--- a/changelogs/unreleased/security-commits-api-last-pipeline-status.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable access to last_pipeline in commits API for users without read permissions
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-dependency-proxy-path-traversal.yml b/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
deleted file mode 100644
index ca0a03e36ab..00000000000
--- a/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add constraint to group dependency proxy endpoint param
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-dos-via-asciidoc-includes.yml b/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
deleted file mode 100644
index 8fc3bd32316..00000000000
--- a/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Limit number of AsciiDoc includes per document
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml b/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
deleted file mode 100644
index 8bd2b7a452f..00000000000
--- a/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent API access for unconfirmed users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml b/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml
deleted file mode 100644
index 7d74d6108f8..00000000000
--- a/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Enforce permission check when counting activity events
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml b/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
deleted file mode 100644
index 0b8de350393..00000000000
--- a/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent gafana integration token from being displayed as a plain text to other project maintainers, by only displaying a masked version of it. GraphQL api deprecate token field in GrafanaIntegration type.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml b/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml
deleted file mode 100644
index 9381efff0c8..00000000000
--- a/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix xss on frequent groups dropdown
-merge_request: 50
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-xss-on-project-templates.yml b/changelogs/unreleased/security-fix-xss-on-project-templates.yml
deleted file mode 100644
index 2930bbaff87..00000000000
--- a/changelogs/unreleased/security-fix-xss-on-project-templates.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability on custom project templates form
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml b/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
deleted file mode 100644
index b540172d95c..00000000000
--- a/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Protect internal CI builds from external overrides
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-project_export_service_permission_check.yml b/changelogs/unreleased/security-project_export_service_permission_check.yml
deleted file mode 100644
index a38aaabfc9b..00000000000
--- a/changelogs/unreleased/security-project_export_service_permission_check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ImportExport::ExportService to require admin_project permission
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-reference-check.yml b/changelogs/unreleased/security-reference-check.yml
deleted file mode 100644
index f33cea66eb1..00000000000
--- a/changelogs/unreleased/security-reference-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make sure that only system notes where all references are visible to user are exposed in GraphQL API.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml b/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml
deleted file mode 100644
index 308a618da89..00000000000
--- a/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable caching of repository/files/:file_path/raw API endpoint
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml b/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
deleted file mode 100644
index db6a4f064a4..00000000000
--- a/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make cross-repository comparisons happen in the source repository
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-excon-cve-2019-16779.yml b/changelogs/unreleased/security-update-excon-cve-2019-16779.yml
deleted file mode 100644
index e849dc92848..00000000000
--- a/changelogs/unreleased/security-update-excon-cve-2019-16779.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update excon to 0.71.1 to fix CVE-2019-16779
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-workhorse-package-bypass.yml b/changelogs/unreleased/security-workhorse-package-bypass.yml
deleted file mode 100644
index bb9aa0a2bf1..00000000000
--- a/changelogs/unreleased/security-workhorse-package-bypass.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add workhorse request verification to package upload endpoints
-merge_request:
-author:
-type: security |