summaryrefslogtreecommitdiff
path: root/CHANGELOG.md
diff options
context:
space:
mode:
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r--CHANGELOG.md18
1 files changed, 14 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc35154362c..0f3c30f6044 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@ entry.
## 12.3.6
-### Security (14 changes)
+### Security (15 changes)
- Standardize error response when route is missing.
- Do not display project labels that are not visible for user accessing group labels.
@@ -17,6 +17,7 @@ entry.
- Return 404 on LFS request if project doesn't exist.
- Mask sentry auth token in Error Tracking dashboard.
- Fixes a Open Redirect issue in `InternalRedirect`.
+- Remove deploy access level when project/group link is deleted.
- Sanitize search text to prevent XSS.
- Sanitize all wiki markup formats with GitLab sanitization pipelines.
- Fix stored XSS issue for grafana_url.
@@ -24,11 +25,18 @@ entry.
## 12.3.5
-- No changes.
+### Security (1 change)
+
+- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.
+
## 12.3.4
-- No changes.
+### Fixed (2 changes)
+
+- Fix cannot merge icon showing in dropdown for users who can merge. !17306
+- Fix pipelines for merge requests in project exports. !17844
+
## 12.3.3
@@ -39,16 +47,18 @@ entry.
## 12.3.2
-### Security (10 changes)
+### Security (12 changes)
- Fix Gitaly SearchBlobs flag RPC injection.
- Add a policy check for system notes that may not be visible due to cross references to private items.
- Display only participants that user has permission to see on milestone page.
- Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
+- Check permissions before showing head pipeline blocking merge requests.
- Fix new project path being disclosed through unsubscribe link of issue/merge requests.
- Prevent bypassing email verification using Salesforce.
- Do not show resource label events referencing not accessible labels.
- Cancel all running CI jobs triggered by the user who is just blocked.
+- Fix Gitaly SearchBlobs flag RPC injection.
- Only render fixed number of mermaid blocks.
- Prevent GitLab accounts takeover if SAML is configured.
View Lorry Controller Status