Diffstat (limited to 'changelogs/unreleased')
16 files changed, 82 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-199-show-actual-group.yml b/changelogs/unreleased/security-199-show-actual-group.yml
new file mode 100644
index 00000000000..91f5e4dea01
--- /dev/null
+++ b/changelogs/unreleased/security-199-show-actual-group.yml
@@ -0,0 +1,6 @@
+---
+title: Show on two-factor authentication setup page groups that are the cause of this
+ requirement
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml b/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml
new file mode 100644
index 00000000000..8fe0892f39b
--- /dev/null
+++ b/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent interrupted 2FA sign-in from signing-in incorrect user
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml b/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml
new file mode 100644
index 00000000000..c07dcb168f0
--- /dev/null
+++ b/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml
@@ -0,0 +1,5 @@
+---
+title: Create new 2FA code each time user is entering 2FA setup page
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml b/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml
new file mode 100644
index 00000000000..c690af01c6a
--- /dev/null
+++ b/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml
@@ -0,0 +1,5 @@
+---
+title: Remove all sessions but current while enabling 2FA
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml b/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml
new file mode 100644
index 00000000000..f8549721588
--- /dev/null
+++ b/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml
@@ -0,0 +1,5 @@
+---
+title: Invalidate two factor sign-in when user password changes
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-216-access-to-private-projects.yml b/changelogs/unreleased/security-216-access-to-private-projects.yml
new file mode 100644
index 00000000000..bc54586fad3
--- /dev/null
+++ b/changelogs/unreleased/security-216-access-to-private-projects.yml
@@ -0,0 +1,5 @@
+---
+title: Delete members invites created by users being deleted
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml b/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml
new file mode 100644
index 00000000000..1262ae4f836
--- /dev/null
+++ b/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent OmniAuth from rendering arbitrary error messages
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml b/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml
new file mode 100644
index 00000000000..7f79c5fc412
--- /dev/null
+++ b/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml
@@ -0,0 +1,6 @@
+---
+title: Prevent not-2fa authenticated users that are supposed to use it to consume
+ api via session
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml b/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
new file mode 100644
index 00000000000..830002a19d7
--- /dev/null
+++ b/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
@@ -0,0 +1,5 @@
+---
+title: Invalidate remember me when an active session is revoked
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-223-webhook-dos-attack.yml b/changelogs/unreleased/security-223-webhook-dos-attack.yml
new file mode 100644
index 00000000000..ef1ab2c2415
--- /dev/null
+++ b/changelogs/unreleased/security-223-webhook-dos-attack.yml
@@ -0,0 +1,5 @@
+---
+title: Add rate limit on webhooks testing feature
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml b/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
new file mode 100644
index 00000000000..c18e4e9674f
--- /dev/null
+++ b/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent Deploy Tokens to read project resources when repository is disabled
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-graphql-type-check.yml b/changelogs/unreleased/security-graphql-type-check.yml
new file mode 100644
index 00000000000..704cdebdb22
--- /dev/null
+++ b/changelogs/unreleased/security-graphql-type-check.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure global ID is of Snippet type in GraphQL destroy mutation
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml b/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml
new file mode 100644
index 00000000000..d10b9214922
--- /dev/null
+++ b/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml
@@ -0,0 +1,5 @@
+---
+title: Fix Improper Access Control on Deploy-Key
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pb-limit-profile-events.yml b/changelogs/unreleased/security-pb-limit-profile-events.yml
new file mode 100644
index 00000000000..f724bcf7e09
--- /dev/null
+++ b/changelogs/unreleased/security-pb-limit-profile-events.yml
@@ -0,0 +1,5 @@
+---
+title: Set maximum limit for profile events
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-upgrade-jquery-3-5.yml b/changelogs/unreleased/security-upgrade-jquery-3-5.yml
new file mode 100644
index 00000000000..d2a9a8fed6c
--- /dev/null
+++ b/changelogs/unreleased/security-upgrade-jquery-3-5.yml
@@ -0,0 +1,5 @@
+---
+title: Upgrade jquery to v3.5
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-3.yml b/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-3.yml
new file mode 100644
index 00000000000..8aa5657006f
--- /dev/null
+++ b/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-19-3.yml
@@ -0,0 +1,5 @@
+---
+title: Update GitLab Runner Helm Chart to 0.19.3
+merge_request:
+author:
+type: security |