author Robert Speicher <rspeicher@gmail.com> 2019-01-29 17:00:52 -0600
committer Robert Speicher <rspeicher@gmail.com> 2019-01-29 17:00:52 -0600
commit ddce3a2c2da294725bebddb91fcecd7667161aed (patch)
tree 074c4a64c634478a3efc5938b5e6020974c1febb
parent 835cefa2b90cec36aede4e3216c9cab77db6f93c (diff)
download gitlab-ce-ddce3a2c2da294725bebddb91fcecd7667161aed.tar.gz
Revert "Update CHANGELOG.md for 11.6.6"
This reverts commit 066208f1762b1a60408c62a9098a71b2ed905958.
-rw-r--r-- CHANGELOG.md 30
-rw-r--r-- changelogs/unreleased/11-6-security-stored-xss-via-katex.yml 5
-rw-r--r-- changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml 5
-rw-r--r-- changelogs/unreleased/extract-pages-with-rubyzip.yml 5
-rw-r--r-- changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml 6
-rw-r--r-- changelogs/unreleased/security-11-6-test-permissions.yml 5
-rw-r--r-- changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml 5
-rw-r--r-- changelogs/unreleased/security-2769-idn-homograph-attack.yml 5
-rw-r--r-- changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml 5
-rw-r--r-- changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml 5
-rw-r--r-- changelogs/unreleased/security-2780-disable-git-v2-protocol.yml 5
-rw-r--r-- changelogs/unreleased/security-commit-status-shown-for-guest-user.yml 5
-rw-r--r-- changelogs/unreleased/security-contributed-projects.yml 5
-rw-r--r-- changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-new-issues-login-message.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-regex-dos.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-user-email-tag-push-leak.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml 5
-rw-r--r-- changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml 6
-rw-r--r-- changelogs/unreleased/security-import-path-logging.yml 5
-rw-r--r-- changelogs/unreleased/security-import-project-visibility.yml 5
-rw-r--r-- changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml 5
-rw-r--r-- changelogs/unreleased/security-project-move-users.yml 5
-rw-r--r-- changelogs/unreleased/sh-fix-issue-56663-11-6.yml 5
25 files changed, 122 insertions, 30 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 278a15949ea..9939f36ad0d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,36 +2,6 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
-## 11.6.6 (2019-01-28)
-
-### Security (24 changes, 1 of them is from the community)
-
-- Make potentially malicious links more visible in the UI and scrub RTLO chars from links. !2770
-- Don't process MR refs for guests in the notes. !2771
-- Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs. !2829
-- Fixed XSS content in KaTex links.
-- Disallows unauthorized users from accessing the pipelines section.
-- Verify that LFS upload requests are genuine.
-- Bump Ruby on Rails to 4.2.11. (@blackst0ne)
-- Prevent awarding emojis to notes whose parent is not visible to user.
-- Prevent unauthorized replies when discussion is locked or confidential.
-- Disable git v2 protocol temporarily.
-- Fix showing ci status for guest users when public pipline are not set.
-- Fix contributed projects info still visible when user enable private profile.
-- Extract GitLab Pages using RubyZip.
-- Add more LFS validations to prevent forgery.
-- Use common error for unauthenticated users when creating issues.
-- Fix slow regex in project reference pattern.
-- Fix private user email being visible in push (and tag push) webhooks.
-- Fix wiki access rights when external wiki is enabled.
-- Group guests are no longer able to see merge requests they don't have access to at group level.
-- Fix path disclosure on project import error.
-- Restrict project import visibility based on its group.
-- Expose CI/CD trigger token only to the trigger owner.
-- Notify only users who can access the project on project move.
-- Alias GitHub and BitBucket OAuth2 callback URLs.
-
-
## 11.6.5 (2019-01-17)
### Fixed (5 changes)
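Review bot: the 24 security bullets removed from this section must each come back as a file under changelogs/unreleased/, otherwise the revert silently drops a security entry; the diffstat lists exactly 24 new YAML files against the "24 changes" in the removed heading, so the count matches, and the only MR numbers visible in the removed bullets (!2770, !2771, !2829) reappear in the matching `merge_request:` fields, so the other entries remain without an MR reference after the revert. Also check that dropping the two trailing blank `-` lines after `- Alias GitHub and BitBucket OAuth2 callback URLs.` leaves a single blank line between `entry.` and `## 11.6.5 (2019-01-17)`.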
diff --git a/changelogs/unreleased/11-6-security-stored-xss-via-katex.yml b/changelogs/unreleased/11-6-security-stored-xss-via-katex.yml
new file mode 100644
index 00000000000..a71ae1123f2
--- /dev/null
+++ b/changelogs/unreleased/11-6-security-stored-xss-via-katex.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed XSS content in KaTex links
+merge_request:
+author:
+type: security
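Review bot: `title: Fixed XSS content in KaTex links` misspells the library name, which is written "KaTeX"; since this file is the source the next CHANGELOG.md generation reads, correct it here rather than in the generated file. The empty `merge_request:` and `author:` fields are consistent with the removed CHANGELOG bullet, which carried no MR number.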
diff --git a/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml b/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml
new file mode 100644
index 00000000000..fc8af425779
--- /dev/null
+++ b/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml
@@ -0,0 +1,5 @@
+---
+title: Bump Ruby on Rails to 4.2.11
+merge_request:
+author: "@blackst0ne"
+type: security
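Review bot: the filename carries the advisory identifier (blackst0ne-bump-rails-cve-2018-16476.yml) but `title: Bump Ruby on Rails to 4.2.11` does not; mentioning the CVE in the title would let readers of the generated changelog find which vulnerability the bump addresses without opening the file.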
diff --git a/changelogs/unreleased/extract-pages-with-rubyzip.yml b/changelogs/unreleased/extract-pages-with-rubyzip.yml
new file mode 100644
index 00000000000..8352e79d3e5
--- /dev/null
+++ b/changelogs/unreleased/extract-pages-with-rubyzip.yml
@@ -0,0 +1,5 @@
+---
+title: Extract GitLab Pages using RubyZip
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml b/changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml
new file mode 100644
index 00000000000..f28ab554660
--- /dev/null
+++ b/changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml
@@ -0,0 +1,6 @@
+---
+title: Sanitize user full name to clean up any URL to prevent mail clients from auto-linking
+ URLs
+merge_request: 2829
+author:
+type: security
diff --git a/changelogs/unreleased/security-11-6-test-permissions.yml b/changelogs/unreleased/security-11-6-test-permissions.yml
new file mode 100644
index 00000000000..cfb69fdcb1e
--- /dev/null
+++ b/changelogs/unreleased/security-11-6-test-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Disallows unauthorized users from accessing the pipelines section.
+merge_request:
+author:
+type: security
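Review bot: `title: Disallows unauthorized users from accessing the pipelines section.` uses the third person and a trailing period, unlike the other entries in this batch, which use the imperative without punctuation (e.g. `title: Verify that LFS upload requests are genuine`); suggest `title: Disallow unauthorized users from accessing the pipelines section`.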
diff --git a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
new file mode 100644
index 00000000000..e79e3263df7
--- /dev/null
+++ b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
@@ -0,0 +1,5 @@
+---
+title: Verify that LFS upload requests are genuine
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2769-idn-homograph-attack.yml b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
new file mode 100644
index 00000000000..a014b522c96
--- /dev/null
+++ b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
@@ -0,0 +1,5 @@
+---
+title: Make potentially malicious links more visible in the UI and scrub RTLO chars from links
+merge_request: 2770
+author:
+type: security
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
new file mode 100644
index 00000000000..3ad92578c44
--- /dev/null
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
new file mode 100644
index 00000000000..2f76064d8a4
--- /dev/null
+++ b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent unauthorized replies when discussion is locked or confidential
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
new file mode 100644
index 00000000000..30a08a98e83
--- /dev/null
+++ b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
@@ -0,0 +1,5 @@
+---
+title: Disable git v2 protocol temporarily
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
new file mode 100644
index 00000000000..a80170091d0
--- /dev/null
+++ b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
@@ -0,0 +1,5 @@
+---
+title: Fix showing ci status for guest users when public pipline are not set
+merge_request:
+author:
+type: security
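Review bot: `title: Fix showing ci status for guest users when public pipline are not set` carries the typo "pipline" and lower-case "ci"; suggest `title: Fix showing CI status for guest users when public pipelines are not set`, so the spelling is fixed at the source before the entry is regenerated into CHANGELOG.md.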
diff --git a/changelogs/unreleased/security-contributed-projects.yml b/changelogs/unreleased/security-contributed-projects.yml
new file mode 100644
index 00000000000..f745a2255ca
--- /dev/null
+++ b/changelogs/unreleased/security-contributed-projects.yml
@@ -0,0 +1,5 @@
+---
+title: Fix contributed projects info still visible when user enable private profile
+merge_request:
+author:
+type: security
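Review bot: `title: Fix contributed projects info still visible when user enable private profile` has a subject-verb mismatch ("user enable"); suggest `title: Fix contributed projects info still visible when user enables private profile`.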
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
new file mode 100644
index 00000000000..0281dde11e6
--- /dev/null
+++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Don't process MR refs for guests in the notes
+merge_request: 2771
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
new file mode 100644
index 00000000000..b6315ec29d8
--- /dev/null
+++ b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
@@ -0,0 +1,5 @@
+---
+title: Add more LFS validations to prevent forgery
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-new-issues-login-message.yml b/changelogs/unreleased/security-fix-new-issues-login-message.yml
new file mode 100644
index 00000000000..9dabf2438c9
--- /dev/null
+++ b/changelogs/unreleased/security-fix-new-issues-login-message.yml
@@ -0,0 +1,5 @@
+---
+title: Use common error for unauthenticated users when creating issues
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-regex-dos.yml b/changelogs/unreleased/security-fix-regex-dos.yml
new file mode 100644
index 00000000000..b08566d2f15
--- /dev/null
+++ b/changelogs/unreleased/security-fix-regex-dos.yml
@@ -0,0 +1,5 @@
+---
+title: Fix slow regex in project reference pattern
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
new file mode 100644
index 00000000000..915ea7b5216
--- /dev/null
+++ b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Fix private user email being visible in push (and tag push) webhooks
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
new file mode 100644
index 00000000000..d5f20b87a90
--- /dev/null
+++ b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
@@ -0,0 +1,5 @@
+---
+title: Fix wiki access rights when external wiki is enabled
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml b/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
new file mode 100644
index 00000000000..f5b74011829
--- /dev/null
+++ b/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
@@ -0,0 +1,6 @@
+---
+title: Group guests are no longer able to see merge requests they don't have access
+ to at group level
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-import-path-logging.yml b/changelogs/unreleased/security-import-path-logging.yml
new file mode 100644
index 00000000000..2ba2d88d82a
--- /dev/null
+++ b/changelogs/unreleased/security-import-path-logging.yml
@@ -0,0 +1,5 @@
+---
+title: Fix path disclosure on project import error
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-import-project-visibility.yml b/changelogs/unreleased/security-import-project-visibility.yml
new file mode 100644
index 00000000000..04ae172a9a1
--- /dev/null
+++ b/changelogs/unreleased/security-import-project-visibility.yml
@@ -0,0 +1,5 @@
+---
+title: Restrict project import visibility based on its group
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
new file mode 100644
index 00000000000..97d743eead1
--- /dev/null
+++ b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
@@ -0,0 +1,5 @@
+---
+title: Expose CI/CD trigger token only to the trigger owner
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-project-move-users.yml b/changelogs/unreleased/security-project-move-users.yml
new file mode 100644
index 00000000000..744df68651f
--- /dev/null
+++ b/changelogs/unreleased/security-project-move-users.yml
@@ -0,0 +1,5 @@
+---
+title: Notify only users who can access the project on project move.
+merge_request:
+author:
+type: security
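Review bot: `title: Notify only users who can access the project on project move.` ends with a period while the other titles in this batch do not; the removed CHANGELOG.md bullets show the period is added on generation (e.g. `- Verify that LFS upload requests are genuine.` from a title without one), so drop it here for consistency.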
diff --git a/changelogs/unreleased/sh-fix-issue-56663-11-6.yml b/changelogs/unreleased/sh-fix-issue-56663-11-6.yml
new file mode 100644
index 00000000000..addf327b69d
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-issue-56663-11-6.yml
@@ -0,0 +1,5 @@
+---
+title: Alias GitHub and BitBucket OAuth2 callback URLs
+merge_request:
+author:
+type: security