summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-12-07 09:37:32 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-12-07 09:37:32 +0000
commitf508fb8a043a4b1f996cb7ec8bba198e5b5986f5 (patch)
tree11bb99aa913b3a18342818e15a71856e214caee6
parent449338db4a18f4bbf0980e0c6c16101758a70afb (diff)
downloadgitlab-ce-f508fb8a043a4b1f996cb7ec8bba198e5b5986f5.tar.gz
Add latest changes from gitlab-org/security/gitlab@13-6-stable-eev13.6.2
-rw-r--r--CHANGELOG.md16
-rw-r--r--GITALY_SERVER_VERSION2
-rw-r--r--changelogs/unreleased/security-290-graphql-exposed-email.yml5
-rw-r--r--changelogs/unreleased/security-296-private_profile_exposure.yml5
-rw-r--r--changelogs/unreleased/security-hide-email-in-confirmation-page.yml5
-rw-r--r--changelogs/unreleased/security-idor-ff-user-list.yml5
-rw-r--r--changelogs/unreleased/security-mermaid-rc-13-6.yml5
-rw-r--r--changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml5
-rw-r--r--changelogs/unreleased/security-project-import-zoom-xss.yml5
-rw-r--r--changelogs/unreleased/security-search-term-logged.yml5
-rw-r--r--changelogs/unreleased/security-starred-projects-api-fix.yml5
-rw-r--r--changelogs/unreleased/security-starred-projects-private-profile.yml5
12 files changed, 17 insertions, 51 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b0c4b07275..d2ecaa19b49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,22 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 13.6.2 (2020-12-07)
+
+### Security (10 changes)
+
+- Validate zoom links to start with https only. !1055
+- Require at least 3 characters when searching for project in the Explore page.
+- Do not show emails of users in confirmation page.
+- Forbid setting a gitlabUserList strategy to a list from another project.
+- Fix mermaid resource consumption in GFM fields.
+- Ensure group and project memberships are not leaked via API for users with private profiles.
+- GraphQL User: do not expose email if set to private.
+- Filter search parameter to prevent data leaks.
+- Do not expose starred projects of users with private profile via API.
+- Do not show starred & contributed projects of users with private profile.
+
+
## 13.6.1 (2020-11-23)
### Fixed (5 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 156557438e1..cf51d24272d 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.6.1 \ No newline at end of file
+13.6.2 \ No newline at end of file
diff --git a/changelogs/unreleased/security-290-graphql-exposed-email.yml b/changelogs/unreleased/security-290-graphql-exposed-email.yml
deleted file mode 100644
index 8b07bb1342f..00000000000
--- a/changelogs/unreleased/security-290-graphql-exposed-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: 'GraphQL User: do not expose email if set to private'
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-296-private_profile_exposure.yml b/changelogs/unreleased/security-296-private_profile_exposure.yml
deleted file mode 100644
index 05d98788aed..00000000000
--- a/changelogs/unreleased/security-296-private_profile_exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure group and project memberships are not leaked via API for users with private profiles
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-hide-email-in-confirmation-page.yml b/changelogs/unreleased/security-hide-email-in-confirmation-page.yml
deleted file mode 100644
index b8f448acfcd..00000000000
--- a/changelogs/unreleased/security-hide-email-in-confirmation-page.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not show emails of users in confirmation page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-idor-ff-user-list.yml b/changelogs/unreleased/security-idor-ff-user-list.yml
deleted file mode 100644
index 6d17f9af11d..00000000000
--- a/changelogs/unreleased/security-idor-ff-user-list.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Forbid setting a gitlabUserList strategy to a list from another project
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mermaid-rc-13-6.yml b/changelogs/unreleased/security-mermaid-rc-13-6.yml
deleted file mode 100644
index 10c620de108..00000000000
--- a/changelogs/unreleased/security-mermaid-rc-13-6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix mermaid resource consumption in GFM fields
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml b/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
deleted file mode 100644
index 672ccc09a33..00000000000
--- a/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Require at least 3 characters when searching for project in the Explore page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-project-import-zoom-xss.yml b/changelogs/unreleased/security-project-import-zoom-xss.yml
deleted file mode 100644
index 4f4d7f14b6b..00000000000
--- a/changelogs/unreleased/security-project-import-zoom-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate zoom links to start with https only
-merge_request: 1055
-author:
-type: security
diff --git a/changelogs/unreleased/security-search-term-logged.yml b/changelogs/unreleased/security-search-term-logged.yml
deleted file mode 100644
index c3e9d1862bd..00000000000
--- a/changelogs/unreleased/security-search-term-logged.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filter search parameter to prevent data leaks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-starred-projects-api-fix.yml b/changelogs/unreleased/security-starred-projects-api-fix.yml
deleted file mode 100644
index efb12998393..00000000000
--- a/changelogs/unreleased/security-starred-projects-api-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not expose starred projects of users with private profile via API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-starred-projects-private-profile.yml b/changelogs/unreleased/security-starred-projects-private-profile.yml
deleted file mode 100644
index 1fb47dce518..00000000000
--- a/changelogs/unreleased/security-starred-projects-private-profile.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not show starred & contributed projects of users with private profile
-merge_request:
-author:
-type: security