diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-11-02 09:37:00 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-11-02 09:37:00 +0000 |
commit | 187cae1b32bdbb01d70ad09a341dfc372bb559b7 (patch) | |
tree | 464e01a35aed53a7896be0a016205465300e9caa /CHANGELOG.md | |
parent | d79daf5b28080755f933875c3bcf1833684dc367 (diff) | |
download | gitlab-ce-187cae1b32bdbb01d70ad09a341dfc372bb559b7.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-5-stable-eev13.5.2
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- | CHANGELOG.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a25a525e8b..1c118d23fad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,21 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.5.2 (2020-11-02) + +### Security (9 changes) + +- Add CSRF protection to runner pause and resume. !1021 +- Do not expose Terraform state record in API. +- Path traversal to RCE via LFS upload. +- Update container_repository_name_regex to prevent catastrophic backtracking. +- Validate nuget package names. +- Prevent private repo from being accessed via internal Kubernetes API. +- Validate each upload param key in multipart.rb. +- Fix XSS vulnerability for job build dependencies. +- Fix unauthorized user is able to access schedule pipeline variables and values. + + ## 13.5.1 (2020-10-22) ### Other (1 change) |