author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-10-22 11:31:16 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-10-22 11:31:16 +0000 |
commit | 905c1110b08f93a19661cf42a276c7ea90d0a0ff (patch) | |
tree | 756d138db422392c00471ab06acdff92c5a9b69c /CHANGELOG.md | |
parent | 50d93f8d1686950fc58dda4823c4835fd0d8c14b (diff) | |
download | gitlab-ce-905c1110b08f93a19661cf42a276c7ea90d0a0ff.tar.gz |
Add latest changes from gitlab-org/gitlab@12-4-stable-ee
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- | CHANGELOG.md | 79 |
1 files changed, 67 insertions, 12 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ec3b4e56a1..279c6ede932 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,33 +2,28 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. -## 12.3.5 - -- No changes. - ## 12.3.4 -- No changes. - -## 12.3.3 +### Fixed (2 changes) -### Security (1 change) - -- Fix private feature Elasticsearch leak. +- Fix cannot merge icon showing in dropdown for users who can merge. !17306 +- Fix pipelines for merge requests in project exports. !17844 ## 12.3.2 -### Security (10 changes) +### Security (12 changes) - Fix Gitaly SearchBlobs flag RPC injection. - Add a policy check for system notes that may not be visible due to cross references to private items. - Display only participants that user has permission to see on milestone page. - Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings. +- Check permissions before showing head pipeline blocking merge requests. - Fix new project path being disclosed through unsubscribe link of issue/merge requests. - Prevent bypassing email verification using Salesforce. - Do not show resource label events referencing not accessible labels. - Cancel all running CI jobs triggered by the user who is just blocked. +- Fix Gitaly SearchBlobs flag RPC injection. - Only render fixed number of mermaid blocks. - Prevent GitLab accounts takeover if SAML is configured. 
@@ -312,6 +307,37 @@ entry. - Updates tooltip of 'detached' label/state. +## 12.2.8 + +### Security (1 change) + +- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to. + + +## 12.2.7 + +### Security (1 change) + +- Fix private feature Elasticsearch leak. + + +## 12.2.6 + +### Security (11 changes) + +- Add a policy check for system notes that may not be visible due to cross references to private items. +- Display only participants that user has permission to see on milestone page. +- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings. +- Check permissions before showing head pipeline blocking merge requests. +- Fix new project path being disclosed through unsubscribe link of issue/merge requests. +- Prevent bypassing email verification using Salesforce. +- Do not show resource label events referencing not accessible labels. +- Cancel all running CI jobs triggered by the user who is just blocked. +- Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.59.3]. +- Only render fixed number of mermaid blocks. +- Prevent GitLab accounts takeover if SAML is configured. + + ## 12.2.5 ### Security (1 change) 
@@ -630,6 +656,35 @@ entry. - Update Packer.gitlab-ci.yml to use latest image. (Kelly Hair) +## 12.1.14 + +### Security (1 change) + +- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to. + + +## 12.1.12 + +### Security (12 changes) + +- Add a policy check for system notes that may not be visible due to cross references to private items. +- Display only participants that user has permission to see on milestone page. +- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings. +- Check permissions before showing head pipeline blocking merge requests. +- Fix new project path being disclosed through unsubscribe link of issue/merge requests. +- Prevent bypassing email verification using Salesforce. +- Do not show resource label events referencing not accessible labels. +- Cancel all running CI jobs triggered by the user who is just blocked. +- Fix Gitaly SearchBlobs flag RPC injection. +- Only render fixed number of mermaid blocks. +- Prevent GitLab accounts takeover if SAML is configured. +- Upgrade mermaid to prevent XSS. + + +## 12.1.10 + +- No changes. + ## 12.1.5 ### Security (2 changes) @@ -8394,7 +8449,7 @@ entry. - Reinstate is_admin flag in users api when authenticated user is an admin. !12211 (rickettm) - Fix edit button for deploy keys available from other projects. !12301 (Alexander Randa) - Fix passing CI_ENVIRONMENT_NAME and CI_ENVIRONMENT_SLUG for CI_ENVIRONMENT_URL. !12344 -- Disable environment list refresh due to bug https://gitlab.com/gitlab-org/gitlab-ee/issues/2677. !12347 +- Disable environment list refresh due to bug https://gitlab.com/gitlab-org/gitlab/issues/2677. !12347 - Standardize timeline note margins across different viewport sizes. !12364 - Fix Ordered Task List Items. !31483 (Jared Deckard <jared.deckard@gmail.com>) - Upgrade dependency to Go 1.8.3. !31943 |
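Review bot: In the first hunk (`@@ -2,33 +2,28 @@`), the 12.3.2 security list already has `- Fix Gitaly SearchBlobs flag RPC injection.` as its first, unchanged entry, and the hunk adds the same line a second time after `- Cancel all running CI jobs triggered by the user who is just blocked.` The heading is raised to `### Security (12 changes)`, but with the duplicate the list holds 11 distinct entries. Drop the added duplicate and set the count to 11. The same hunk also deletes the `## 12.3.3` heading together with its `- Fix private feature Elasticsearch leak.` security entry and adds nothing in its place under 12.3.x; please confirm that removal is intended, since a security entry that disappears from a changelog is hard to notice later.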
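Review bot: In the second hunk (`@@ -312,6 +307,37 @@`), the 12.2.6 entry reads `- Fix Gitaly SearchBlobs flag RPC injection [Gitaly v1.59.3].`, while the 12.3.2 and 12.1.12 lists in this same patch carry that fix without the version tag. Pick one wording for the backported entry so that a search across releases for the fix returns every affected version. The added 12.2.8, 12.2.7 and 12.2.6 sections are also each followed by two blank `+` lines, where the `## 12.1.10` section added in the next hunk is followed by one; trimming to a single blank line keeps the file consistent.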
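Review bot: In the third hunk (`@@ -630,6 +656,35 @@`), `## 12.1.10` is added with a `- No changes.` placeholder, while the first hunk of this patch deletes the same kind of placeholder for 12.3.5 and 12.3.4. Settle on one convention for releases without entries. The added headings also jump from 12.1.14 to 12.1.12 to 12.1.10 with nothing for 12.1.13 or 12.1.11, so a reader cannot tell whether those releases had no changes or were left out. Separately, 12.1.12 lists `- Upgrade mermaid to prevent XSS.` as its twelfth security entry, and the 12.2.6 list added in the previous hunk has no such line; worth confirming that difference is real rather than a missed entry.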
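Review bot: In the last hunk (`@@ -8394,7 +8449,7 @@`), the link in the `!12347` entry is rewritten from `gitlab-org/gitlab-ee/issues/2677` to `gitlab-org/gitlab/issues/2677` with the issue number kept as is. This is only correct if issue 2677 in the new project path is the same issue; please check that the rewritten URL resolves to the environment list refresh bug before merging, because a historical changelog entry pointing at an unrelated issue is worse than a redirecting old link.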