diff options
| author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-10-01 12:46:44 +0000 |
|---|---|---|
| committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-10-01 12:46:44 +0000 |
| commit | 5150dc27ee891d338f7b60fe15f8e6202a01958b (patch) | |
| tree | 4f88455d0ac5ba48372a90ffa786d76693d4e586 | |
| parent | 54f5f2d902d087c2e0545694e3ec9da7a4b24ad2 (diff) | |
| download | gitlab-ce-5150dc27ee891d338f7b60fe15f8e6202a01958b.tar.gz | |
Update CHANGELOG.md for 13.4.2
[ci skip]
15 files changed, 20 insertions, 70 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index a3d165653c2..95191fd373d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,26 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.4.2 (2020-10-01) + +### Security (14 changes) + +- Do not store session id in Redis. +- Fix permission checks when updating confidentiality and milestone on issues or merge requests. +- Purge unaccepted member invitations older than 90 days. +- Adds feature flags plan limits. +- Prevent SVG XSS via Web IDE. +- Ensure user has no solo owned groups before triggering account deletion. +- Security fix safe params helper. +- Do not bypass admin mode when authenticated with deploy token. +- Fixes release asset link filepath ReDoS. +- Ensure global ID is of Annotation type in GraphQL destroy mutation. +- Validate that membership expiry dates are not in the past. +- Rate limit adding new email and re-sending email confirmation. +- Fix redaction of confidential Todos. +- Update GitLab Runner Helm Chart to 0.20.2. + + ## 13.4.1 (2020-09-24) ### Fixed (2 changes) diff --git a/changelogs/unreleased/17817-hashed_session_ids_in_redis.yml b/changelogs/unreleased/17817-hashed_session_ids_in_redis.yml deleted file mode 100644 index 0c274f33f36..00000000000 --- a/changelogs/unreleased/17817-hashed_session_ids_in_redis.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Do not store session id in Redis -merge_request: -author: -type: security diff --git a/changelogs/unreleased/195327-update-confidentiality-and-milestone.yml b/changelogs/unreleased/195327-update-confidentiality-and-milestone.yml deleted file mode 100644 index 1f883523353..00000000000 --- a/changelogs/unreleased/195327-update-confidentiality-and-milestone.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Fix permission checks when updating confidentiality and milestone on issues - or merge requests -merge_request: -author: -type: security diff --git a/changelogs/unreleased/222349-purge_unaccepted_member_invitations.yml b/changelogs/unreleased/222349-purge_unaccepted_member_invitations.yml deleted file mode 100644 index 988ebe9f0c8..00000000000 --- a/changelogs/unreleased/222349-purge_unaccepted_member_invitations.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Purge unaccepted member invitations older than 90 days -merge_request: -author: -type: security diff --git a/changelogs/unreleased/feature-flag-plan-limits.yml b/changelogs/unreleased/feature-flag-plan-limits.yml deleted file mode 100644 index cac5e0847e4..00000000000 --- a/changelogs/unreleased/feature-flag-plan-limits.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Adds feature flags plan limits -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml b/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml deleted file mode 100644 index 89a1eedb753..00000000000 --- a/changelogs/unreleased/security-44-stored-xss-via-svg-file-preview.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent SVG XSS via Web IDE -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-ensure-prerequisites-are-met-before-account-deletion.yml b/changelogs/unreleased/security-ensure-prerequisites-are-met-before-account-deletion.yml deleted file mode 100644 index 4b8f1c64ec7..00000000000 --- a/changelogs/unreleased/security-ensure-prerequisites-are-met-before-account-deletion.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Ensure user has no solo owned groups before triggering account deletion -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fix-safe-params-helper.yml b/changelogs/unreleased/security-fix-safe-params-helper.yml deleted file mode 100644 index ac7d2b60ff2..00000000000 --- a/changelogs/unreleased/security-fix-safe-params-helper.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Security fix safe params helper -author: -type: security diff --git a/changelogs/unreleased/security-fix_session_bypassing_for_admin_mode_in_api.yml b/changelogs/unreleased/security-fix_session_bypassing_for_admin_mode_in_api.yml deleted file mode 100644 index bf86f177cd3..00000000000 --- a/changelogs/unreleased/security-fix_session_bypassing_for_admin_mode_in_api.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Do not bypass admin mode when authenticated with deploy token -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml b/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml deleted file mode 100644 index e48c3ff963c..00000000000 --- a/changelogs/unreleased/security-fixes-release-asset-link-filepath-ReDoS.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fixes release asset link filepath ReDoS -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-insufficient-type-check.yml b/changelogs/unreleased/security-insufficient-type-check.yml deleted file mode 100644 index b5ce90e7dd4..00000000000 --- a/changelogs/unreleased/security-insufficient-type-check.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Ensure global ID is of Annotation type in GraphQL destroy mutation -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-members-expiry-date-should-be-in-future.yml b/changelogs/unreleased/security-members-expiry-date-should-be-in-future.yml deleted file mode 100644 index 42418f24345..00000000000 --- a/changelogs/unreleased/security-members-expiry-date-should-be-in-future.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Validate that membership expiry dates are not in the past -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-rate-limit-email-confirmation.yml b/changelogs/unreleased/security-rate-limit-email-confirmation.yml deleted file mode 100644 index 4fa34a3739d..00000000000 --- a/changelogs/unreleased/security-rate-limit-email-confirmation.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Rate limit adding new email and re-sending email confirmation -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-todos-redact-guests.yml b/changelogs/unreleased/security-todos-redact-guests.yml deleted file mode 100644 index a2e97b847d3..00000000000 --- a/changelogs/unreleased/security-todos-redact-guests.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix redaction of confidential Todos -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-update-runner-version-13-4-stable.yml b/changelogs/unreleased/security-update-runner-version-13-4-stable.yml deleted file mode 100644 index ddf3eb7e267..00000000000 --- a/changelogs/unreleased/security-update-runner-version-13-4-stable.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Update GitLab Runner Helm Chart to 0.20.2 -merge_request: -author: -type: security |