Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- | CHANGELOG.md | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c147490d84..0e172971b3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,31 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.4.13 (2018-12-28) + +### Security (19 changes) + +- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2742 +- Validate LFS hrefs before downloading them. +- Ensure that build token is only used when running. +- Add subresources removal to member destroy service. +- Escape html entities in LabelReferenceFilter when no label found. +- Allow changing group CI/CD settings only for owners. +- Authorize before reading job information via API. +- Prevent leaking protected variables for ambiguous refs. +- Prevent leaking protected variables for ambiguous refs. +- Prevent a path traversal attack on global file templates. +- Prevent private snippets from being embeddable. +- Issuable no longer is visible to users when project can't be viewed. +- Don't expose cross project repositories through diffs when creating merge reqeusts. +- Fix SSRF with import_url and remote mirror url. +- Fix persistent symlink in project import. +- Set URL rel attribute for broken URLs. +- Project guests no longer are able to see refs page. +- Delete confidential todos for user when downgraded to Guest. +- Setting svg disposition as attachment in wikis. + + ## 11.4.12 (2018-12-20) ### Security (1 change) |
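Review bot: the new 11.4.13 "Security (19 changes)" list contains a duplicated entry, "Prevent leaking protected variables for ambiguous refs." appears twice in a row, so either one line should be dropped and the heading count corrected to 18, or, if these really are two distinct fixes that happened to get the same changelog title, the second line needs wording that tells them apart (for example which code path each one covers). The same hunk has a typo in "Don't expose cross project repositories through diffs when creating merge reqeusts." (should be "merge requests"), and only the first entry carries a merge request reference (!2742) while the other eighteen have none; since these are security fixes that downstream operators will want to trace to a patch, please add the MR or advisory reference for each entry, matching the convention used for the first one. Minor style points: "Issuable no longer is visible to users when project can't be viewed." and "Project guests no longer are able to see refs page." read more naturally as "is no longer visible" / "are no longer able", and "Setting svg disposition as attachment in wikis." should use the imperative form ("Set SVG disposition ...") like the surrounding entries.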