15 files changed, 20 insertions, 70 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d82b267037c..7a01b71d1ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,26 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 12.10.7 (2020-05-27)
+
+### Security (14 changes)
+
+- Add an extra validation to Static Site Editor payload.
+- Hide EKS secret key in admin integrations settings.
+- Added data integrity check before updating a deploy key.
+- Display only verified emails on notifications and profile page.
+- Disable caching on repo/blobs/[sha]/raw endpoint.
+- Require confirmed email address for GitLab OAuth authentication.
+- Kubernetes cluster details page no longer exposes Service Token.
+- Fix confirming unverified emails with soft email confirmation flow enabled.
+- Disallow user to control PUT request using mermaid markdown in issue description.
+- Check forked project permissions before allowing fork.
+- Limit memory footprint of a command that generates ZIP artifacts metadata.
+- Fix file enuming using Group Import.
+- Prevent XSS in the monitoring dashboard.
+- Use `gsub` instead of the Ruby `%` operator to perform variable substitution in Prometheus proxy API.
+
+
 ## 12.10.6 (2020-05-15)
 ### Fixed (5 changes)
diff --git a/changelogs/unreleased/216528-confidential-issue.yml b/changelogs/unreleased/216528-confidential-issue.yml
deleted file mode 100644
index 8d9d882e64d..00000000000
--- a/changelogs/unreleased/216528-confidential-issue.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add an extra validation to Static Site Editor payload
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-132-remove-eks-details-from-admin-form.yml b/changelogs/unreleased/security-132-remove-eks-details-from-admin-form.yml
deleted file mode 100644
index ce1c48a6345..00000000000
--- a/changelogs/unreleased/security-132-remove-eks-details-from-admin-form.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Hide EKS secret key in admin integrations settings
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-208449-fix-deploy-key-can-push.yml b/changelogs/unreleased/security-208449-fix-deploy-key-can-push.yml
deleted file mode 100644
index cf738bd8479..00000000000
--- a/changelogs/unreleased/security-208449-fix-deploy-key-can-push.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Added data integrity check before updating a deploy key.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-25994-unverified-email-mitigation.yml b/changelogs/unreleased/security-25994-unverified-email-mitigation.yml
deleted file mode 100644
index ee5672c6dff..00000000000
--- a/changelogs/unreleased/security-25994-unverified-email-mitigation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Display only verified emails on notifications and profile page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml b/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
deleted file mode 100644
index 1869e6ea039..00000000000
--- a/changelogs/unreleased/security-99-disable-caching-on-api-repo-blobs-raw.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable caching on repo/blobs/[sha]/raw endpoint
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-dblessing-oauth-email-verification.yml b/changelogs/unreleased/security-dblessing-oauth-email-verification.yml
deleted file mode 100644
index 1f9a06d10d5..00000000000
--- a/changelogs/unreleased/security-dblessing-oauth-email-verification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Require confirmed email address for GitLab OAuth authentication
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-do-not-expose-kubernetes-token.yml b/changelogs/unreleased/security-do-not-expose-kubernetes-token.yml
deleted file mode 100644
index 9297a4d927e..00000000000
--- a/changelogs/unreleased/security-do-not-expose-kubernetes-token.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Kubernetes cluster details page no longer exposes Service Token
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-email-confirmation-bug.yml b/changelogs/unreleased/security-fix-email-confirmation-bug.yml
deleted file mode 100644
index ce66a255616..00000000000
--- a/changelogs/unreleased/security-fix-email-confirmation-bug.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix confirming unverified emails with soft email confirmation flow enabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-mermaid-issue.yml b/changelogs/unreleased/security-fix-mermaid-issue.yml
deleted file mode 100644
index 4c254f8a4f5..00000000000
--- a/changelogs/unreleased/security-fix-mermaid-issue.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disallow user to control PUT request using mermaid markdown in issue description
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-forked-from.yml b/changelogs/unreleased/security-forked-from.yml
deleted file mode 100644
index 77550193533..00000000000
--- a/changelogs/unreleased/security-forked-from.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Check forked project permissions before allowing fork
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-gb-fix-workhorse-zip-metadata-resources.yml b/changelogs/unreleased/security-gb-fix-workhorse-zip-metadata-resources.yml
deleted file mode 100644
index 1649bda4df3..00000000000
--- a/changelogs/unreleased/security-gb-fix-workhorse-zip-metadata-resources.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Limit memory footprint of a command that generates ZIP artifacts metadata
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-group-import-file-enuming.yml b/changelogs/unreleased/security-group-import-file-enuming.yml
deleted file mode 100644
index efdff7e84e9..00000000000
--- a/changelogs/unreleased/security-group-import-file-enuming.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix file enuming using Group Import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-jivanvl-prevent-xss-duplicate-dashboard-modal.yml b/changelogs/unreleased/security-jivanvl-prevent-xss-duplicate-dashboard-modal.yml
deleted file mode 100644
index d4d7b1dbff6..00000000000
--- a/changelogs/unreleased/security-jivanvl-prevent-xss-duplicate-dashboard-modal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent XSS in the monitoring dashboard
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-use-gsub-variable-substitution.yml b/changelogs/unreleased/security-use-gsub-variable-substitution.yml
deleted file mode 100644
index 83fb61ae47a..00000000000
--- a/changelogs/unreleased/security-use-gsub-variable-substitution.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Use `gsub` instead of the Ruby `%` operator to perform variable substitution in Prometheus proxy API
-merge_request:
-author:
-type: security |