author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-02-28 12:58:45 +0000 |
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-02-28 12:58:45 +0000 |
commit | ae001ece77eac711c949304d6ec6eaa6210e2006 (patch) | |
tree | 182458dfaa1d10815ce1136a988d860868f712c6 | |
parent | ea9734fa59512eafe660f59a7289e7924b216f8a (diff) | |
download | gitlab-ce-ae001ece77eac711c949304d6ec6eaa6210e2006.tar.gz |
Update CHANGELOG.md for 11.8.1
[ci skip]
22 files changed, 27 insertions, 107 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index feda5e0835b..6174ac973f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,33 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 11.8.1 (2019-02-28)
+
+### Security (21 changes)
+
+- Stop linking to unrecognized package sources. !55518
+- Don't allow non-members to see private related MRs.
+- Do not display impersonated sessions under active sessions and remove ability to revoke session.
+- Display only information visible to current user on the Milestone page.
+- Show only merge requests visible to user on milestone detail page.
+- Disable issue boards API when issues are disabled.
+- Don't show new issue link after move when a user does not have permissions.
+- Fix git clone revealing private repo's presence.
+- Fix blind SSRF in Prometheus integration by checking URL before querying.
+- Check snippet attached file to be moved is within designated directory.
+- Check if desired milestone for an issue is available.
+- Fix arbitrary file read via diffs during import.
+- Display the correct number of MRs a user has access to.
+- Forbid creating discussions for users with restricted access.
+- Do not disclose milestone titles for unauthorized users.
+- Validate session key when authorizing with GCP to create a cluster.
+- Block local URLs for Kubernetes integration.
+- Limit mermaid rendering to 5K characters.
+- Remove the possibility to share a project with a group that a user is not a member of.
+- Fix leaking private repository information in API.
+- Prevent releases links API to leak tag existance.
+
+
 ## 11.8.0 (2019-02-22)
 ### Security (7 changes, 1 of them is from the community)
diff --git a/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml b/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml
deleted file mode 100644
index 27ad151cd06..00000000000
--- a/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Remove the possibility to share a project with a group that a user is not a member
- of
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/51971-milestones-visibility.yml b/changelogs/unreleased/51971-milestones-visibility.yml
deleted file mode 100644
index 818f0071e6c..00000000000
--- a/changelogs/unreleased/51971-milestones-visibility.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Check if desired milestone for an issue is available
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/57534_filter_impersonated_sessions.yml b/changelogs/unreleased/57534_filter_impersonated_sessions.yml
deleted file mode 100644
index 80aea0ab1bc..00000000000
--- a/changelogs/unreleased/57534_filter_impersonated_sessions.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Do not display impersonated sessions under active sessions and remove ability
- to revoke session
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2774-milestones-detail.yml b/changelogs/unreleased/security-2774-milestones-detail.yml
deleted file mode 100644
index faf56fee01e..00000000000
--- a/changelogs/unreleased/security-2774-milestones-detail.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Display only information visible to current user on the Milestone page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2797-milestone-mrs.yml b/changelogs/unreleased/security-2797-milestone-mrs.yml
deleted file mode 100644
index 5bb104ec403..00000000000
--- a/changelogs/unreleased/security-2797-milestone-mrs.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Show only merge requests visible to user on milestone detail page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2798-fix-boards-policy.yml b/changelogs/unreleased/security-2798-fix-boards-policy.yml
deleted file mode 100644
index 10e8ac3a787..00000000000
--- a/changelogs/unreleased/security-2798-fix-boards-policy.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable issue boards API when issues are disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2799-emails.yml b/changelogs/unreleased/security-2799-emails.yml
deleted file mode 100644
index dbf1207810e..00000000000
--- a/changelogs/unreleased/security-2799-emails.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't show new issue link after move when a user does not have permissions
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-50334.yml b/changelogs/unreleased/security-50334.yml
deleted file mode 100644
index 828ef82b517..00000000000
--- a/changelogs/unreleased/security-50334.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix git clone revealing private repo's presence
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-55468-check-validity-before-querying.yml b/changelogs/unreleased/security-55468-check-validity-before-querying.yml
deleted file mode 100644
index 8bb11a97f52..00000000000
--- a/changelogs/unreleased/security-55468-check-validity-before-querying.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix blind SSRF in Prometheus integration by checking URL before querying
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-56348.yml b/changelogs/unreleased/security-56348.yml
deleted file mode 100644
index a289e4e9077..00000000000
--- a/changelogs/unreleased/security-56348.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Check snippet attached file to be moved is within designated directory
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-commit-private-related-mr.yml b/changelogs/unreleased/security-commit-private-related-mr.yml
deleted file mode 100644
index c4de200b0d8..00000000000
--- a/changelogs/unreleased/security-commit-private-related-mr.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't allow non-members to see private related MRs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml b/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml
deleted file mode 100644
index e98d4e89712..00000000000
--- a/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix arbitrary file read via diffs during import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-id-fix-mr-visibility.yml b/changelogs/unreleased/security-id-fix-mr-visibility.yml
deleted file mode 100644
index 8f41d191acc..00000000000
--- a/changelogs/unreleased/security-id-fix-mr-visibility.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Display the correct number of MRs a user has access to
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml b/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml
deleted file mode 100644
index 7d7478d297b..00000000000
--- a/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Forbid creating discussions for users with restricted access
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-issue_54789_2.yml b/changelogs/unreleased/security-issue_54789_2.yml
deleted file mode 100644
index 8ecb72a2ae3..00000000000
--- a/changelogs/unreleased/security-issue_54789_2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not disclose milestone titles for unauthorized users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kubernetes-google-login-csrf.yml b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
deleted file mode 100644
index 2f87100a8dd..00000000000
--- a/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate session key when authorizing with GCP to create a cluster
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kubernetes-local-ssrf.yml b/changelogs/unreleased/security-kubernetes-local-ssrf.yml
deleted file mode 100644
index 7a2ad092339..00000000000
--- a/changelogs/unreleased/security-kubernetes-local-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block local URLs for Kubernetes integration
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mermaid.yml b/changelogs/unreleased/security-mermaid.yml
deleted file mode 100644
index ec42b5a1615..00000000000
--- a/changelogs/unreleased/security-mermaid.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Limit mermaid rendering to 5K characters
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-osw-stop-linking-to-packages.yml b/changelogs/unreleased/security-osw-stop-linking-to-packages.yml
deleted file mode 100644
index 078f06140fe..00000000000
--- a/changelogs/unreleased/security-osw-stop-linking-to-packages.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Stop linking to unrecognized package sources
-merge_request: 55518
-author:
-type: security
diff --git a/changelogs/unreleased/security-protect-private-repo-information.yml b/changelogs/unreleased/security-protect-private-repo-information.yml
deleted file mode 100644
index 8b1a528206d..00000000000
--- a/changelogs/unreleased/security-protect-private-repo-information.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix leaking private repository information in API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-tags-oracle.yml b/changelogs/unreleased/security-tags-oracle.yml
deleted file mode 100644
index eb8ad6f646c..00000000000
--- a/changelogs/unreleased/security-tags-oracle.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent releases links API to leak tag existance
-merge_request:
-author:
-type: security |