author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-07 09:37:32 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-07 09:37:32 +0000 |
commit | f508fb8a043a4b1f996cb7ec8bba198e5b5986f5 (patch) | |
tree | 11bb99aa913b3a18342818e15a71856e214caee6 | |
parent | 449338db4a18f4bbf0980e0c6c16101758a70afb (diff) | |
download | gitlab-ce-f508fb8a043a4b1f996cb7ec8bba198e5b5986f5.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-6-stable-eev13.6.2
12 files changed, 17 insertions, 51 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b0c4b07275..d2ecaa19b49 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,22 @@
 documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 13.6.2 (2020-12-07)
+
+### Security (10 changes)
+
+- Validate zoom links to start with https only. !1055
+- Require at least 3 characters when searching for project in the Explore page.
+- Do not show emails of users in confirmation page.
+- Forbid setting a gitlabUserList strategy to a list from another project.
+- Fix mermaid resource consumption in GFM fields.
+- Ensure group and project memberships are not leaked via API for users with private profiles.
+- GraphQL User: do not expose email if set to private.
+- Filter search parameter to prevent data leaks.
+- Do not expose starred projects of users with private profile via API.
+- Do not show starred & contributed projects of users with private profile.
+
+
 ## 13.6.1 (2020-11-23)
 ### Fixed (5 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 156557438e1..cf51d24272d 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.6.1
\ No newline at end of file
+13.6.2
\ No newline at end of file
diff --git a/changelogs/unreleased/security-290-graphql-exposed-email.yml b/changelogs/unreleased/security-290-graphql-exposed-email.yml
deleted file mode 100644
index 8b07bb1342f..00000000000
--- a/changelogs/unreleased/security-290-graphql-exposed-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: 'GraphQL User: do not expose email if set to private'
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-296-private_profile_exposure.yml b/changelogs/unreleased/security-296-private_profile_exposure.yml
deleted file mode 100644
index 05d98788aed..00000000000
--- a/changelogs/unreleased/security-296-private_profile_exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure group and project memberships are not leaked via API for users with private profiles
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-hide-email-in-confirmation-page.yml b/changelogs/unreleased/security-hide-email-in-confirmation-page.yml
deleted file mode 100644
index b8f448acfcd..00000000000
--- a/changelogs/unreleased/security-hide-email-in-confirmation-page.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not show emails of users in confirmation page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-idor-ff-user-list.yml b/changelogs/unreleased/security-idor-ff-user-list.yml
deleted file mode 100644
index 6d17f9af11d..00000000000
--- a/changelogs/unreleased/security-idor-ff-user-list.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Forbid setting a gitlabUserList strategy to a list from another project
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mermaid-rc-13-6.yml b/changelogs/unreleased/security-mermaid-rc-13-6.yml
deleted file mode 100644
index 10c620de108..00000000000
--- a/changelogs/unreleased/security-mermaid-rc-13-6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix mermaid resource consumption in GFM fields
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml b/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
deleted file mode 100644
index 672ccc09a33..00000000000
--- a/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Require at least 3 characters when searching for project in the Explore page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-project-import-zoom-xss.yml b/changelogs/unreleased/security-project-import-zoom-xss.yml
deleted file mode 100644
index 4f4d7f14b6b..00000000000
--- a/changelogs/unreleased/security-project-import-zoom-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate zoom links to start with https only
-merge_request: 1055
-author:
-type: security
diff --git a/changelogs/unreleased/security-search-term-logged.yml b/changelogs/unreleased/security-search-term-logged.yml
deleted file mode 100644
index c3e9d1862bd..00000000000
--- a/changelogs/unreleased/security-search-term-logged.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filter search parameter to prevent data leaks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-starred-projects-api-fix.yml b/changelogs/unreleased/security-starred-projects-api-fix.yml
deleted file mode 100644
index efb12998393..00000000000
--- a/changelogs/unreleased/security-starred-projects-api-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not expose starred projects of users with private profile via API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-starred-projects-private-profile.yml b/changelogs/unreleased/security-starred-projects-private-profile.yml
deleted file mode 100644
index 1fb47dce518..00000000000
--- a/changelogs/unreleased/security-starred-projects-private-profile.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not show starred & contributed projects of users with private profile
-merge_request:
-author:
-type: security |