Merge remote-tracking branch 'dev/13-9-stable' into 13-9-stable

author: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2021-03-04 19:10:30 +0000
committer: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2021-03-04 19:10:30 +0000
commit: 9a70fcd2e277721bbe7b9a0c92ed925ddea201b6 (patch)
tree: 01b1c941fae4768b8803526e0799aa09a245f244 /CHANGELOG.md
parent: 03979b4aaf060cae40934b2aade0bbe8a210e311 (diff)
parent: 189a15a911843a9059d1f8bfd31008557bea520b (diff)
download: gitlab-ce-9a70fcd2e277721bbe7b9a0c92ed925ddea201b6.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1bd602f975d..b5a038d9106 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,18 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.9.2 (2021-03-04)
+
+### Security (6 changes)
+
+- Bump thrift gem to 0.14.0.
+- Allow only owners to manage group variables.
+- Do not store marshalled sessions ids in Redis.
+- Fix XSS in wiki author email and name.
+- Workhorse: prevent escaped router path traversal.
+- Fix XSS vulnerability for swagger file viewer.
+
+
 ## 13.9.1 (2021-02-23)
 
 ### Fixed (6 changes, 1 of them is from the community)
author	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2021-03-04 19:10:30 +0000
committer	GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>	2021-03-04 19:10:30 +0000
commit	9a70fcd2e277721bbe7b9a0c92ed925ddea201b6 (patch)
tree	01b1c941fae4768b8803526e0799aa09a245f244 /CHANGELOG.md
parent	03979b4aaf060cae40934b2aade0bbe8a210e311 (diff)
parent	189a15a911843a9059d1f8bfd31008557bea520b (diff)
download	gitlab-ce-9a70fcd2e277721bbe7b9a0c92ed925ddea201b6.tar.gz