author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-04 13:59:41 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-04 13:59:41 +0000 |
commit | ffa40048302e604259fae5e5aa4b3b32b24210aa (patch) | |
tree | 8cc593dca49a07e72e60ddbf74a8b3cdec1bcef9 | |
parent | a5fafe1c7f66ed02bc4a056137a266102e3f1d60 (diff) | |
download | gitlab-ce-ffa40048302e604259fae5e5aa4b3b32b24210aa.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee v13.8.5
-rw-r--r-- | CHANGELOG.md | 12 | ||||
-rw-r--r-- | GITALY_SERVER_VERSION | 2 | ||||
-rw-r--r-- | changelogs/unreleased/security-13-8-fj-fix-xss-wiki-email.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-bvl-update-thrift-gem.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-ci-api-variables-permissions.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-clean-up-active-sessions.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-jv-workhorse-router-13-8.yml | 5 | ||||
-rw-r--r-- | changelogs/unreleased/security-upgrade-swagger-ui.yml | 5 |
8 files changed, 13 insertions, 31 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46776b926c1..866522303f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,18 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.8.5 (2021-03-04)
+
+### Security (6 changes)
+
+- Fix XSS in wiki author email and name.
+- Bump thrift gem to 0.14.0.
+- Allow only owners to manage group variables.
+- Do not store marshalled sessions ids in Redis.
+- Workhorse: prevent escaped router path traversal.
+- Fix XSS vulnerability for swagger file viewer.
+
+
 ## 13.8.4 (2021-02-11)
 
 ### Security (9 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 355a70a7731..16b3c156a4e 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.8.4
\ No newline at end of file
+13.8.5
\ No newline at end of file
diff --git a/changelogs/unreleased/security-13-8-fj-fix-xss-wiki-email.yml b/changelogs/unreleased/security-13-8-fj-fix-xss-wiki-email.yml
deleted file mode 100644
index 9faabdc9750..00000000000
--- a/changelogs/unreleased/security-13-8-fj-fix-xss-wiki-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS in wiki author email and name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-update-thrift-gem.yml b/changelogs/unreleased/security-bvl-update-thrift-gem.yml
deleted file mode 100644
index afe1a0332e3..00000000000
--- a/changelogs/unreleased/security-bvl-update-thrift-gem.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Bump thrift gem to 0.14.0
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ci-api-variables-permissions.yml b/changelogs/unreleased/security-ci-api-variables-permissions.yml
deleted file mode 100644
index 05642a0ff57..00000000000
--- a/changelogs/unreleased/security-ci-api-variables-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allow only owners to manage group variables
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-clean-up-active-sessions.yml b/changelogs/unreleased/security-clean-up-active-sessions.yml
deleted file mode 100644
index 49d24584ddb..00000000000
--- a/changelogs/unreleased/security-clean-up-active-sessions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not store marshalled sessions ids in Redis
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-jv-workhorse-router-13-8.yml b/changelogs/unreleased/security-jv-workhorse-router-13-8.yml
deleted file mode 100644
index af17a71086d..00000000000
--- a/changelogs/unreleased/security-jv-workhorse-router-13-8.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: 'Workhorse: prevent escaped router path traversal'
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-upgrade-swagger-ui.yml b/changelogs/unreleased/security-upgrade-swagger-ui.yml
deleted file mode 100644
index 280dd92e23e..00000000000
--- a/changelogs/unreleased/security-upgrade-swagger-ui.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability for swagger file viewer
-merge_request:
-author:
-type: security