Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- CHANGELOG.md | 25
1 files changed, 25 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c147490d84..0e172971b3b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,31 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 11.4.13 (2018-12-28)
+
+### Security (19 changes)
+
+- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2742
+- Validate LFS hrefs before downloading them.
+- Ensure that build token is only used when running.
+- Add subresources removal to member destroy service.
+- Escape html entities in LabelReferenceFilter when no label found.
+- Allow changing group CI/CD settings only for owners.
+- Authorize before reading job information via API.
+- Prevent leaking protected variables for ambiguous refs.
+- Prevent leaking protected variables for ambiguous refs.
+- Prevent a path traversal attack on global file templates.
+- Prevent private snippets from being embeddable.
+- Issuable no longer is visible to users when project can't be viewed.
+- Don't expose cross project repositories through diffs when creating merge reqeusts.
+- Fix SSRF with import_url and remote mirror url.
+- Fix persistent symlink in project import.
+- Set URL rel attribute for broken URLs.
+- Project guests no longer are able to see refs page.
+- Delete confidential todos for user when downgraded to Guest.
+- Setting svg disposition as attachment in wikis.
+
+
## 11.4.12 (2018-12-20)
### Security (1 change)
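Review bot: the entry "Prevent leaking protected variables for ambiguous refs." is listed twice in the new 11.4.13 Security section, so the "(19 changes)" heading counts a duplicate and should read 18 changes once the repeated bullet is dropped (or the second line should be replaced by the entry it was meant to be). Also in this hunk: "merge reqeusts" should be "merge requests"; only the first bullet carries its merge request reference (!2742) while the other security entries have none, which makes them hard to trace back to the fix; "Setting svg disposition as attachment in wikis." breaks the imperative mood used by the surrounding entries ("Set svg disposition as attachment in wikis." would match); and the two trailing blank lines before "## 11.4.12" are one more than the single blank line that separates the other version sections.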