authorGitLab Bot <gitlab-bot@gitlab.com>2021-03-31 12:23:42 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-03-31 12:23:42 +0000
commitc93927607f55350f2e2af4bdaf03ff9dba80ab1d (patch)
treebe836d10a991163527d2e349ff1e770276ecbea2
parent15f38fbeb1d235b5270d8771fdb8cf3283454091 (diff)
Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee v13.10.1
-rw-r--r--CHANGELOG.md22
-rw-r--r--GITALY_SERVER_VERSION2
-rw-r--r--changelogs/unreleased/mimemagic_shim.yml5
-rw-r--r--changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml5
-rw-r--r--changelogs/unreleased/remove-direct-mimemagic-dependency.yml5
-rw-r--r--changelogs/unreleased/remove_hipchat_gem.yml5
-rw-r--r--changelogs/unreleased/security-fix-xss-in-mr-sidebar.yml5
-rw-r--r--changelogs/unreleased/security-id-leave-pool-for-private-forks.yml5
-rw-r--r--changelogs/unreleased/security-kroki-arbitraryfile-read-write.yml5
-rw-r--r--changelogs/unreleased/security-projects-branch-collaboration-loop.yml5
-rw-r--r--changelogs/unreleased/security-sh-json-validator-open-uri-patch.yml5
-rw-r--r--changelogs/unreleased/security-trigger-system-hook-by-post.yml5
12 files changed, 23 insertions, 51 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a86c95e163c..e6d382fef4b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,28 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 13.10.1 (2021-03-31)
+
+### Security (6 changes)
+
+- Leave pool repository on fork unlinking.
+- Fixed XSS in merge requests sidebar.
+- Fix arbitrary read/write in AsciiDoctor and Kroki gems.
+- Prevent infinite loop when checking if collaboration is allowed.
+- Disable arbitrary URI and file reads in JSON validator.
+- Require POST request to trigger system hooks.
+
+### Removed (1 change)
+
+- Make HipChat project service do nothing. !57434
+
+### Other (3 changes)
+
+- Remove direct mimemagic dependency. !57387
+- Refactor MimeMagic calls to new MimeType class. !57421
+- Switch to using a fake mimemagic gem. !57443
+
+
## 13.10.0 (2021-03-22)
### Security (3 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 04f98b43cda..306c8f502bc 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.10.0
\ No newline at end of file
+13.10.1
\ No newline at end of file
diff --git a/changelogs/unreleased/mimemagic_shim.yml b/changelogs/unreleased/mimemagic_shim.yml
deleted file mode 100644
index 0376122f0ce..00000000000
--- a/changelogs/unreleased/mimemagic_shim.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Switch to using a fake mimemagic gem
-merge_request: 57443
-author:
-type: other
diff --git a/changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml b/changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml
deleted file mode 100644
index 727887f7e7b..00000000000
--- a/changelogs/unreleased/remove-direct-mimemagic-dependency-minimal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Refactor MimeMagic calls to new MimeType class
-merge_request: 57421
-author:
-type: other
diff --git a/changelogs/unreleased/remove-direct-mimemagic-dependency.yml b/changelogs/unreleased/remove-direct-mimemagic-dependency.yml
deleted file mode 100644
index 5194dfdf751..00000000000
--- a/changelogs/unreleased/remove-direct-mimemagic-dependency.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove direct mimemagic dependency
-merge_request: 57387
-author:
-type: other
diff --git a/changelogs/unreleased/remove_hipchat_gem.yml b/changelogs/unreleased/remove_hipchat_gem.yml
deleted file mode 100644
index 21a5db3bb5a..00000000000
--- a/changelogs/unreleased/remove_hipchat_gem.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make HipChat project service do nothing
-merge_request: 57434
-author:
-type: removed
diff --git a/changelogs/unreleased/security-fix-xss-in-mr-sidebar.yml b/changelogs/unreleased/security-fix-xss-in-mr-sidebar.yml
deleted file mode 100644
index a04c1038877..00000000000
--- a/changelogs/unreleased/security-fix-xss-in-mr-sidebar.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed XSS in merge requests sidebar
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-id-leave-pool-for-private-forks.yml b/changelogs/unreleased/security-id-leave-pool-for-private-forks.yml
deleted file mode 100644
index df4688583d4..00000000000
--- a/changelogs/unreleased/security-id-leave-pool-for-private-forks.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Leave pool repository on fork unlinking
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kroki-arbitraryfile-read-write.yml b/changelogs/unreleased/security-kroki-arbitraryfile-read-write.yml
deleted file mode 100644
index acefc5e6fac..00000000000
--- a/changelogs/unreleased/security-kroki-arbitraryfile-read-write.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix arbitrary read/write in AsciiDoctor and Kroki gems
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-projects-branch-collaboration-loop.yml b/changelogs/unreleased/security-projects-branch-collaboration-loop.yml
deleted file mode 100644
index 607bd37d2f6..00000000000
--- a/changelogs/unreleased/security-projects-branch-collaboration-loop.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent infinite loop when checking if collaboration is allowed
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-sh-json-validator-open-uri-patch.yml b/changelogs/unreleased/security-sh-json-validator-open-uri-patch.yml
deleted file mode 100644
index bf51ad66174..00000000000
--- a/changelogs/unreleased/security-sh-json-validator-open-uri-patch.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable arbitrary URI and file reads in JSON validator
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-trigger-system-hook-by-post.yml b/changelogs/unreleased/security-trigger-system-hook-by-post.yml
deleted file mode 100644
index c86b9bd40f8..00000000000
--- a/changelogs/unreleased/security-trigger-system-hook-by-post.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Require POST request to trigger system hooks
-merge_request:
-author:
-type: security