authorGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-03-26 12:17:39 +0000
committerGitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>2020-03-26 12:17:39 +0000
commita4cb5a6ff44c9f82e11a6c0c7194c46fdcd066a2 (patch)
treec102a176747a52cb3fc621c17f5ed6c8ef814ea4
parent1acb2ee361985ca7fb445c99b6c75e9ece04b1f9 (diff)
Update CHANGELOG.md for 12.9.1
[ci skip]
-rw-r--r--CHANGELOG.md26
-rw-r--r--changelogs/unreleased/212178-fix-authorized-keys-worker.yml5
-rw-r--r--changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml5
-rw-r--r--changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml5
-rw-r--r--changelogs/unreleased/security-59-prevent-create-api-snippet.yml5
-rw-r--r--changelogs/unreleased/security-backend-xss-admin-email.yml5
-rw-r--r--changelogs/unreleased/security-disable-mirroring-fix.yml5
-rw-r--r--changelogs/unreleased/security-docker-blocked-users.yml5
-rw-r--r--changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml5
-rw-r--r--changelogs/unreleased/security-mr-pipeline-status-permission-check.yml5
-rw-r--r--changelogs/unreleased/security-path-traversal-master.yml5
-rw-r--r--changelogs/unreleased/security-repository-archive-hotlinking.yml5
-rw-r--r--changelogs/unreleased/security-restrict-project-pipeline-metrics.yml5
-rw-r--r--changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml5
-rw-r--r--changelogs/unreleased/security-ssrf-attachment-url.yml5
-rw-r--r--changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml5
-rw-r--r--changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml5
-rw-r--r--changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml5
18 files changed, 26 insertions, 85 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf9105114c0..f5d55efc24a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,32 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 12.9.1 (2020-03-26)
+
+### Security (16 changes)
+
+- Add permission check for pipeline status of MR.
+- Ignore empty remote_id params from Workhorse accelerated uploads.
+- External user can not create personal snippet through API.
+- Prevent malicious entry for group name.
+- Restrict mirroring changes to admins only when mirroring is disabled.
+- Reject all container registry requests from blocked users.
+- Deny localhost requests on fogbugz importer.
+- Redact notes in moved confidential issues.
+- Fix UploadRewriter Path Traversal vulnerability.
+- Block hotlinking to repository archives.
+- Restrict access to project pipeline metrics reports.
+- vulnerability_feedback records should be restricted to a dev role and above.
+- Exclude Carrierwave remote URL methods from import.
+- Update Nokogiri to fix CVE-2020-7595.
+- Prevent updating trigger by other maintainers.
+- Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown.
+
+### Fixed (1 change)
+
+- Fix updating the authorized_keys file. !27798
+
+
## 12.9.0 (2020-03-22)
### Security (1 change)
diff --git a/changelogs/unreleased/212178-fix-authorized-keys-worker.yml b/changelogs/unreleased/212178-fix-authorized-keys-worker.yml
deleted file mode 100644
index a95f2e0e71a..00000000000
--- a/changelogs/unreleased/212178-fix-authorized-keys-worker.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix updating the authorized_keys file
-merge_request: 27798
-author:
-type: fixed
diff --git a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml b/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
deleted file mode 100644
index 54ee6ac9048..00000000000
--- a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact notes in moved confidential issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml b/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
deleted file mode 100644
index c871e1615e0..00000000000
--- a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ignore empty remote_id params from Workhorse accelerated uploads
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml b/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
deleted file mode 100644
index 135fdfe7153..00000000000
--- a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: External user can not create personal snippet through API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-backend-xss-admin-email.yml b/changelogs/unreleased/security-backend-xss-admin-email.yml
deleted file mode 100644
index 82f97cd719a..00000000000
--- a/changelogs/unreleased/security-backend-xss-admin-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent malicious entry for group name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-disable-mirroring-fix.yml b/changelogs/unreleased/security-disable-mirroring-fix.yml
deleted file mode 100644
index 1b0a6a87515..00000000000
--- a/changelogs/unreleased/security-disable-mirroring-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict mirroring changes to admins only when mirroring is disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-docker-blocked-users.yml b/changelogs/unreleased/security-docker-blocked-users.yml
deleted file mode 100644
index 6e34506e7fd..00000000000
--- a/changelogs/unreleased/security-docker-blocked-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reject all container registry requests from blocked users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml b/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
deleted file mode 100644
index ecc05470717..00000000000
--- a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deny localhost requests on fogbugz importer
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml b/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
deleted file mode 100644
index 598804bd0a7..00000000000
--- a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add permission check for pipeline status of MR
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-path-traversal-master.yml b/changelogs/unreleased/security-path-traversal-master.yml
deleted file mode 100644
index d5e269823ea..00000000000
--- a/changelogs/unreleased/security-path-traversal-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix UploadRewriter Path Traversal vulnerability
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-repository-archive-hotlinking.yml b/changelogs/unreleased/security-repository-archive-hotlinking.yml
deleted file mode 100644
index cf87ea488f0..00000000000
--- a/changelogs/unreleased/security-repository-archive-hotlinking.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block hotlinking to repository archives
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml b/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
deleted file mode 100644
index 20c24aa6bdf..00000000000
--- a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict access to project pipeline metrics reports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml b/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
deleted file mode 100644
index 5de5fc761fd..00000000000
--- a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: vulnerability_feedback records should be restricted to a dev role and above
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
deleted file mode 100644
index bb5e3e54574..00000000000
--- a/changelogs/unreleased/security-ssrf-attachment-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exclude Carrierwave remote URL methods from import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml b/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
deleted file mode 100644
index 58ad219f0eb..00000000000
--- a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update Nokogiri to fix CVE-2020-7595
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
deleted file mode 100644
index f7bef1589a2..00000000000
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent updating trigger by other maintainers
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml b/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
deleted file mode 100644
index fe31f1167eb..00000000000
--- a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
-merge_request:
-author:
-type: security