Diffstat (limited to 'changelogs/unreleased')
-rw-r--r--changelogs/unreleased/security-199-show-actual-group.yml6
-rw-r--r--changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml5
-rw-r--r--changelogs/unreleased/security-212-regenerate-2fa-app-code.yml5
-rw-r--r--changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml5
-rw-r--r--changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml5
-rw-r--r--changelogs/unreleased/security-216-access-to-private-projects.yml5
-rw-r--r--changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml5
-rw-r--r--changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml6
-rw-r--r--changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml5
-rw-r--r--changelogs/unreleased/security-223-webhook-dos-attack.yml5
-rw-r--r--changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml5
-rw-r--r--changelogs/unreleased/security-graphql-type-check.yml5
-rw-r--r--changelogs/unreleased/security-improper-access-control-on-deploy-key.yml5
-rw-r--r--changelogs/unreleased/security-pb-limit-profile-events.yml5
-rw-r--r--changelogs/unreleased/security-upgrade-jquery-3-5.yml5
-rw-r--r--changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-3.yml5
16 files changed, 82 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-199-show-actual-group.yml b/changelogs/unreleased/security-199-show-actual-group.yml
new file mode 100644
index 00000000000..91f5e4dea01
--- /dev/null
+++ b/changelogs/unreleased/security-199-show-actual-group.yml
@@ -0,0 +1,6 @@
+---
+title: Show on two-factor authentication setup page groups that are the cause of this
+ requirement
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml b/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml
new file mode 100644
index 00000000000..8fe0892f39b
--- /dev/null
+++ b/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent interrupted 2FA sign-in from signing-in incorrect user
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml b/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml
new file mode 100644
index 00000000000..c07dcb168f0
--- /dev/null
+++ b/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml
@@ -0,0 +1,5 @@
+---
+title: Create new 2FA code each time user is entering 2FA setup page
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml b/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml
new file mode 100644
index 00000000000..c690af01c6a
--- /dev/null
+++ b/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml
@@ -0,0 +1,5 @@
+---
+title: Remove all sessions but current while enabling 2FA
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml b/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml
new file mode 100644
index 00000000000..f8549721588
--- /dev/null
+++ b/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml
@@ -0,0 +1,5 @@
+---
+title: Invalidate two factor sign-in when user password changes
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-216-access-to-private-projects.yml b/changelogs/unreleased/security-216-access-to-private-projects.yml
new file mode 100644
index 00000000000..bc54586fad3
--- /dev/null
+++ b/changelogs/unreleased/security-216-access-to-private-projects.yml
@@ -0,0 +1,5 @@
+---
+title: Delete members invites created by users being deleted
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml b/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml
new file mode 100644
index 00000000000..1262ae4f836
--- /dev/null
+++ b/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent OmniAuth from rendering arbitrary error messages
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml b/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml
new file mode 100644
index 00000000000..7f79c5fc412
--- /dev/null
+++ b/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml
@@ -0,0 +1,6 @@
+---
+title: Prevent not-2fa authenticated users that are supposed to use it to consume
+ api via session
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml b/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
new file mode 100644
index 00000000000..830002a19d7
--- /dev/null
+++ b/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
@@ -0,0 +1,5 @@
+---
+title: Invalidate remember me when an active session is revoked
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-223-webhook-dos-attack.yml b/changelogs/unreleased/security-223-webhook-dos-attack.yml
new file mode 100644
index 00000000000..ef1ab2c2415
--- /dev/null
+++ b/changelogs/unreleased/security-223-webhook-dos-attack.yml
@@ -0,0 +1,5 @@
+---
+title: Add rate limit on webhooks testing feature
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml b/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
new file mode 100644
index 00000000000..c18e4e9674f
--- /dev/null
+++ b/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent Deploy Tokens to read project resources when repository is disabled
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-graphql-type-check.yml b/changelogs/unreleased/security-graphql-type-check.yml
new file mode 100644
index 00000000000..704cdebdb22
--- /dev/null
+++ b/changelogs/unreleased/security-graphql-type-check.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure global ID is of Snippet type in GraphQL destroy mutation
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml b/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml
new file mode 100644
index 00000000000..d10b9214922
--- /dev/null
+++ b/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml
@@ -0,0 +1,5 @@
+---
+title: Fix Improper Access Control on Deploy-Key
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pb-limit-profile-events.yml b/changelogs/unreleased/security-pb-limit-profile-events.yml
new file mode 100644
index 00000000000..f724bcf7e09
--- /dev/null
+++ b/changelogs/unreleased/security-pb-limit-profile-events.yml
@@ -0,0 +1,5 @@
+---
+title: Set maximum limit for profile events
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-upgrade-jquery-3-5.yml b/changelogs/unreleased/security-upgrade-jquery-3-5.yml
new file mode 100644
index 00000000000..d2a9a8fed6c
--- /dev/null
+++ b/changelogs/unreleased/security-upgrade-jquery-3-5.yml
@@ -0,0 +1,5 @@
+---
+title: Upgrade jquery to v3.5
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-3.yml b/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-3.yml
new file mode 100644
index 00000000000..8aa5657006f
--- /dev/null
+++ b/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-3.yml
@@ -0,0 +1,5 @@
+---
+title: Update GitLab Runner Helm Chart to 0.19.3
+merge_request:
+author:
+type: security