Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- CHANGELOG.md | 18
1 files changed, 14 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index bc35154362c..0f3c30f6044 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ entry. ## 12.3.6 -### Security (14 changes) +### Security (15 changes) - Standardize error response when route is missing. - Do not display project labels that are not visible for user accessing group labels. @@ -17,6 +17,7 @@ entry. - Return 404 on LFS request if project doesn't exist. - Mask sentry auth token in Error Tracking dashboard. - Fixes a Open Redirect issue in `InternalRedirect`. +- Remove deploy access level when project/group link is deleted. - Sanitize search text to prevent XSS. - Sanitize all wiki markup formats with GitLab sanitization pipelines. - Fix stored XSS issue for grafana_url. @@ -24,11 +25,18 @@ entry. ## 12.3.5 -- No changes. +### Security (1 change) + +- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to. + ## 12.3.4 -- No changes. +### Fixed (2 changes) + +- Fix cannot merge icon showing in dropdown for users who can merge. !17306 +- Fix pipelines for merge requests in project exports. !17844 + ## 12.3.3 
@@ -39,16 +47,18 @@ entry. ## 12.3.2 -### Security (10 changes) +### Security (12 changes) - Fix Gitaly SearchBlobs flag RPC injection. - Add a policy check for system notes that may not be visible due to cross references to private items. - Display only participants that user has permission to see on milestone page. - Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings. +- Check permissions before showing head pipeline blocking merge requests. - Fix new project path being disclosed through unsubscribe link of issue/merge requests. - Prevent bypassing email verification using Salesforce. - Do not show resource label events referencing not accessible labels. - Cancel all running CI jobs triggered by the user who is just blocked. +- Fix Gitaly SearchBlobs flag RPC injection. - Only render fixed number of mermaid blocks. - Prevent GitLab accounts takeover if SAML is configured. |
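Review bot: In the 12.3.2 hunk (@@ -39,16 +47,18 @@) the added line `+- Fix Gitaly SearchBlobs flag RPC injection.` duplicates the entry that already opens this Security list (`- Fix Gitaly SearchBlobs flag RPC injection.` is the first item after the heading), so the section gains only one distinct change, `Check permissions before showing head pipeline blocking merge requests.`, while the heading is bumped from 10 to 12. Either drop the second Gitaly line and change the heading to `### Security (11 changes)`, or, if the second entry is meant to record a separate fix, reword it so the two are distinguishable.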