author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-10-01 12:46:56 +0000 |
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-10-01 12:46:56 +0000 |
commit | c1fab6d439d9cec9aa10c45f80a35488325d8030 (patch) | |
tree | e1e839058bc4a41d930d6f487b39b844766dbfa4 | |
parent | 653715239f6affc26eb36f333c22519c164d3f40 (diff) | |
download | gitlab-ce-c1fab6d439d9cec9aa10c45f80a35488325d8030.tar.gz |
Update CHANGELOG.md for 13.3.7
[ci skip]
15 files changed, 20 insertions, 70 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4507a0061af..c5eae43f2cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,26 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 13.3.7 (2020-10-01)
+
+### Security (14 changes)
+
+- Do not store session id in Redis.
+- Fix permission checks when updating confidentiality and milestone on issues or merge requests.
+- Purge unaccepted member invitations older than 90 days.
+- Adds feature flags plan limits.
+- Prevent SVG XSS via Web IDE.
+- Ensure user has no solo owned groups before triggering account deletion.
+- Security fix safe params helper.
+- Do not bypass admin mode when authenticated with deploy token.
+- Fixes release asset link filepath ReDoS.
+- Ensure global ID is of Annotation type in GraphQL destroy mutation.
+- Validate that membership expiry dates are not in the past.
+- Rate limit adding new email and re-sending email confirmation.
+- Fix redaction of confidential Todos.
+- Update GitLab Runner Helm Chart to 0.19.4.
+
+
 ## 13.3.6 (2020-09-14)
 ### Fixed (2 changes)
diff --git a/changelogs/unreleased/17817-hashed_session_ids_in_redis.yml b/changelogs/unreleased/17817-hashed_session_ids_in_redis.yml
deleted file mode 100644
index 0c274f33f36..00000000000
--- a/changelogs/unreleased/17817-hashed_session_ids_in_redis.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not store session id in Redis
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/195327-update-confidentiality-and-milestone.yml b/changelogs/unreleased/195327-update-confidentiality-and-milestone.yml
deleted file mode 100644
index 1f883523353..00000000000
--- a/changelogs/unreleased/195327-update-confidentiality-and-milestone.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix permission checks when updating confidentiality and milestone on issues
- or merge requests
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/222349-purge_unaccepted_member_invitations.yml b/changelogs/unreleased/222349-purge_unaccepted_member_invitations.yml
deleted file mode 100644
index 988ebe9f0c8..00000000000
--- a/changelogs/unreleased/222349-purge_unaccepted_member_invitations.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Purge unaccepted member invitations older than 90 days
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/feature-flag-plan-limits.yml b/changelogs/unreleased/feature-flag-plan-limits.yml
deleted file mode 100644
index cac5e0847e4..00000000000
--- a/changelogs/unreleased/feature-flag-plan-limits.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Adds feature flags plan limits
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml b/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml
deleted file mode 100644
index 89a1eedb753..00000000000
--- a/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent SVG XSS via Web IDE
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ensure-prerequisites-are-met-before-account-deletion.yml b/changelogs/unreleased/security-ensure-prerequisites-are-met-before-account-deletion.yml
deleted file mode 100644
index 4b8f1c64ec7..00000000000
--- a/changelogs/unreleased/security-ensure-prerequisites-are-met-before-account-deletion.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure user has no solo owned groups before triggering account deletion
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-safe-params-helper.yml b/changelogs/unreleased/security-fix-safe-params-helper.yml
deleted file mode 100644
index ac7d2b60ff2..00000000000
--- a/changelogs/unreleased/security-fix-safe-params-helper.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Security fix safe params helper
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix_session_bypassing_for_admin_mode_in_api.yml b/changelogs/unreleased/security-fix_session_bypassing_for_admin_mode_in_api.yml
deleted file mode 100644
index bf86f177cd3..00000000000
--- a/changelogs/unreleased/security-fix_session_bypassing_for_admin_mode_in_api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not bypass admin mode when authenticated with deploy token
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml b/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml
deleted file mode 100644
index e48c3ff963c..00000000000
--- a/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixes release asset link filepath ReDoS
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-insufficient-type-check.yml b/changelogs/unreleased/security-insufficient-type-check.yml
deleted file mode 100644
index b5ce90e7dd4..00000000000
--- a/changelogs/unreleased/security-insufficient-type-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure global ID is of Annotation type in GraphQL destroy mutation
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-members-expiry-date-should-be-in-future.yml b/changelogs/unreleased/security-members-expiry-date-should-be-in-future.yml
deleted file mode 100644
index 42418f24345..00000000000
--- a/changelogs/unreleased/security-members-expiry-date-should-be-in-future.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate that membership expiry dates are not in the past
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-rate-limit-email-confirmation.yml b/changelogs/unreleased/security-rate-limit-email-confirmation.yml
deleted file mode 100644
index 4fa34a3739d..00000000000
--- a/changelogs/unreleased/security-rate-limit-email-confirmation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Rate limit adding new email and re-sending email confirmation
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-todos-redact-guests.yml b/changelogs/unreleased/security-todos-redact-guests.yml
deleted file mode 100644
index a2e97b847d3..00000000000
--- a/changelogs/unreleased/security-todos-redact-guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix redaction of confidential Todos
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-runner-version-13-3-stable.yml b/changelogs/unreleased/security-update-runner-version-13-3-stable.yml
deleted file mode 100644
index b335e031363..00000000000
--- a/changelogs/unreleased/security-update-runner-version-13-3-stable.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update GitLab Runner Helm Chart to 0.19.4
-merge_request:
-author:
-type: security