diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-07 07:40:49 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-01-07 07:40:49 +0000 |
commit | 15e305ed34e03560429db4dafcb835bd027a348f (patch) | |
tree | 2dc8f963aa9b3de573af212c67ecfa74443464a7 | |
parent | d4d523a5ab35764d68652e0ef8f1bdd7de0c009f (diff) | |
download | gitlab-ce-15e305ed34e03560429db4dafcb835bd027a348f.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-7-stable-eev13.7.2
9 files changed, 14 insertions, 36 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index fe4775033e1..e45d9933ab4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,19 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.7.2 (2021-01-07) + +### Security (7 changes) + +- Forbid public cache for private repos. +- Deny implicit flow for confidential apps. +- Update NuGet regular expression to protect against ReDoS. +- Fix regular expression backtracking issue in package name validation. +- Fix stealing API token from GitLab Pages and DoS Prometheus through GitLab Pages. +- Update trusted OAuth applications to set them as confidential. +- Upgrade Workhorse to 8.58.2. + + ## 13.7.1 (2020-12-23) ### Fixed (1 change) diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 5d6328a378c..4ed0bdb8717 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -13.7.1
\ No newline at end of file +13.7.2
\ No newline at end of file diff --git a/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml b/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml deleted file mode 100644 index 20cd1659565..00000000000 --- a/changelogs/unreleased/security-id-forbid-public-cache-for-private-repos.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Forbid public cache for private repos -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-implicit-confidential.yml b/changelogs/unreleased/security-implicit-confidential.yml deleted file mode 100644 index bbf2d95b3fb..00000000000 --- a/changelogs/unreleased/security-implicit-confidential.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deny implicit flow for confidential apps -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-nuget-regex-update-redos.yml b/changelogs/unreleased/security-nuget-regex-update-redos.yml deleted file mode 100644 index 5182097b8b1..00000000000 --- a/changelogs/unreleased/security-nuget-regex-update-redos.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Update NuGet regular expression to protect against ReDoS -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-package-regex-dos.yml b/changelogs/unreleased/security-package-regex-dos.yml deleted file mode 100644 index 79bec83526d..00000000000 --- a/changelogs/unreleased/security-package-regex-dos.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix regular expression backtracking issue in package name validation -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-pages-1-33.yml b/changelogs/unreleased/security-pages-1-33.yml deleted file mode 100644 index d3ca056eefc..00000000000 --- a/changelogs/unreleased/security-pages-1-33.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix stealing API token from GitLab Pages and DoS Prometheus through GitLab Pages -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-trusted-confidential-apps.yml b/changelogs/unreleased/security-trusted-confidential-apps.yml deleted file mode 100644 index b4f7a9eb448..00000000000 --- a/changelogs/unreleased/security-trusted-confidential-apps.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Update trusted OAuth applications to set them as confidential -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-workhorse-prometheus-13-7.yml b/changelogs/unreleased/security-workhorse-prometheus-13-7.yml deleted file mode 100644 index ab731831033..00000000000 --- a/changelogs/unreleased/security-workhorse-prometheus-13-7.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Upgrade Workhorse to 8.58.2 -merge_request: -author: -type: security |