path: root/CHANGELOG.md
author: Jose Ivan Vargas <jvargas@gitlab.com> 2017-09-06 16:47:23 -0500
committer: Jose Ivan Vargas <jvargas@gitlab.com> 2017-09-06 16:47:23 -0500
commit: a0274a502b859c99db5306700daf02e980e86b86 (patch)
tree: b622536ac15e21eb376f598f5e1395962cfa3295 /CHANGELOG.md
parent: 916e16426d6d0d726b1cb3f57fffe1136808ecd0 (diff)
Update CHANGELOG.md for 9.4.6
[ci skip]
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- CHANGELOG.md 12
1 files changed, 12 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7bc279eefd..eed9f71ed58 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -203,6 +203,18 @@ entry.
- Use a specialized class for querying events to improve performance.
- Update build badges to be pipeline badges and display passing instead of success.
+## 9.4.6 (2017-09-06)
+
+- [SECURITY] Upgrade mail and nokogiri gems due to security issues. !13662 (Markus Koller)
+- [SECURITY] Prevent a persistent XSS in the commit author block.
+- Fix XSS issue in go-get handling.
+- Remove hidden symlinks from project import files.
+- Fixes race condition in project uploads.
+- Disallow Git URLs that include a username or hostname beginning with a non-alphanumeric character.
+- Disallow arbitrary properties in `th` and `td` `style` attributes.
+- Resolve CSRF token leakage via pathname manipulation on environments page.
+- Disallow the `name` attribute on all user-provided markup.
+
## 9.4.5 (2017-08-14)
- Fix deletion of deploy keys linked to other projects. !13162
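Review bot: Only the first two entries of the new 9.4.6 section carry the `[SECURITY]` prefix, yet the entries that follow ("Fix XSS issue in go-get handling.", "Resolve CSRF token leakage via pathname manipulation on environments page.", and the symlink, Git URL, `style` and `name` attribute restrictions) also read as security fixes. Anyone filtering the changelog on `[SECURITY]` to decide whether to upgrade would miss them, so tag them the same way or explain why they differ. Only the mail/nokogiri entry has a merge request reference (!13662); if the others are deliberately left without one, that is fine, but it makes the fixes harder to trace from this file. Minor style point: "Fixes race condition in project uploads." uses a different verb form from the neighbouring entries ("Fix", "Remove", "Disallow"); "Fix race condition in project uploads." would match.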