Diffstat (limited to 'changelogs')
20 files changed, 100 insertions, 0 deletions
diff --git a/changelogs/unreleased/7597-add-template-repository-usage-to-the-usage-ping.yml b/changelogs/unreleased/7597-add-template-repository-usage-to-the-usage-ping.yml
new file mode 100644
index 00000000000..f9479c3eef4
--- /dev/null
+++ b/changelogs/unreleased/7597-add-template-repository-usage-to-the-usage-ping.yml
@@ -0,0 +1,5 @@
+---
+title: Add template repository usage to the usage ping
+merge_request: 20126
+author: minghuan lei
+type: changed
diff --git a/changelogs/unreleased/jl-bump-rack-cors-1-0-6.yml b/changelogs/unreleased/jl-bump-rack-cors-1-0-6.yml
new file mode 100644
index 00000000000..d54a7d885d1
--- /dev/null
+++ b/changelogs/unreleased/jl-bump-rack-cors-1-0-6.yml
@@ -0,0 +1,5 @@
+---
+title: Update rack-cors to 1.0.6
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/jl-bump-rdoc-6-1-2.yml b/changelogs/unreleased/jl-bump-rdoc-6-1-2.yml
new file mode 100644
index 00000000000..69c37e121a5
--- /dev/null
+++ b/changelogs/unreleased/jl-bump-rdoc-6-1-2.yml
@@ -0,0 +1,5 @@
+---
+title: Update rdoc to 6.1.2
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml b/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
new file mode 100644
index 00000000000..976ce6f90b3
--- /dev/null
+++ b/changelogs/unreleased/security-13-update-ruby-zip-pages-master.yml
@@ -0,0 +1,5 @@
+---
+title: Bump rubyzip to 2.0.0
+merge_request:
+author: Utkarsh Gupta
+type: security
diff --git a/changelogs/unreleased/security-35235-todos-cleanup.yml b/changelogs/unreleased/security-35235-todos-cleanup.yml
new file mode 100644
index 00000000000..119220fbc73
--- /dev/null
+++ b/changelogs/unreleased/security-35235-todos-cleanup.yml
@@ -0,0 +1,5 @@
+---
+title: Cleanup todos for users from a removed linked group
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-commits-api-last-pipeline-status.yml b/changelogs/unreleased/security-commits-api-last-pipeline-status.yml
new file mode 100644
index 00000000000..a68151f9732
--- /dev/null
+++ b/changelogs/unreleased/security-commits-api-last-pipeline-status.yml
@@ -0,0 +1,5 @@
+---
+title: Disable access to last_pipeline in commits API for users without read permissions
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-dependency-proxy-path-traversal.yml b/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
new file mode 100644
index 00000000000..ca0a03e36ab
--- /dev/null
+++ b/changelogs/unreleased/security-dependency-proxy-path-traversal.yml
@@ -0,0 +1,5 @@
+---
+title: Add constraint to group dependency proxy endpoint param
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-dos-via-asciidoc-includes.yml b/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
new file mode 100644
index 00000000000..8fc3bd32316
--- /dev/null
+++ b/changelogs/unreleased/security-dos-via-asciidoc-includes.yml
@@ -0,0 +1,5 @@
+---
+title: Limit number of AsciiDoc includes per document
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml b/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
new file mode 100644
index 00000000000..8bd2b7a452f
--- /dev/null
+++ b/changelogs/unreleased/security-email-confirmation-bypass-via-api-ee.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent API access for unconfirmed users
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml b/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml
new file mode 100644
index 00000000000..7d74d6108f8
--- /dev/null
+++ b/changelogs/unreleased/security-enforce-permissions-for-event-filter-ee.yml
@@ -0,0 +1,5 @@
+---
+title: Enforce permission check when counting activity events
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml b/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
new file mode 100644
index 00000000000..a44005f8dac
--- /dev/null
+++ b/changelogs/unreleased/security-fix-grafana-token-leaked-in-plain-to-other-maintainers.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent gafana integration token from being displayed as a plain text to other project maintainers, by only displaying a masked version of it.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml b/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml
new file mode 100644
index 00000000000..970708fe8d5
--- /dev/null
+++ b/changelogs/unreleased/security-fix-xss-on-frequent-groups-dropdown.yml
@@ -0,0 +1,5 @@
+---
+title: Fix xss on frequent groups dropdown
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-xss-on-project-templates.yml b/changelogs/unreleased/security-fix-xss-on-project-templates.yml
new file mode 100644
index 00000000000..2930bbaff87
--- /dev/null
+++ b/changelogs/unreleased/security-fix-xss-on-project-templates.yml
@@ -0,0 +1,5 @@
+---
+title: Fix XSS vulnerability on custom project templates form
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml b/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
new file mode 100644
index 00000000000..b540172d95c
--- /dev/null
+++ b/changelogs/unreleased/security-proctect-internal-builds-from-external-overrides.yml
@@ -0,0 +1,5 @@
+---
+title: Protect internal CI builds from external overrides
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-project_export_service_permission_check.yml b/changelogs/unreleased/security-project_export_service_permission_check.yml
new file mode 100644
index 00000000000..a38aaabfc9b
--- /dev/null
+++ b/changelogs/unreleased/security-project_export_service_permission_check.yml
@@ -0,0 +1,5 @@
+---
+title: ImportExport::ExportService to require admin_project permission
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-reference-check.yml b/changelogs/unreleased/security-reference-check.yml
new file mode 100644
index 00000000000..f33cea66eb1
--- /dev/null
+++ b/changelogs/unreleased/security-reference-check.yml
@@ -0,0 +1,5 @@
+---
+title: Make sure that only system notes where all references are visible to user are exposed in GraphQL API.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml b/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml
new file mode 100644
index 00000000000..308a618da89
--- /dev/null
+++ b/changelogs/unreleased/security-remove-caching-from-api-project-raw-endpoint.yml
@@ -0,0 +1,5 @@
+---
+title: Disable caching of repository/files/:file_path/raw API endpoint
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml b/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
new file mode 100644
index 00000000000..db6a4f064a4
--- /dev/null
+++ b/changelogs/unreleased/security-reverse-polarity-of-branch-compare.yml
@@ -0,0 +1,5 @@
+---
+title: Make cross-repository comparisons happen in the source repository
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-update-excon-cve-2019-16779.yml b/changelogs/unreleased/security-update-excon-cve-2019-16779.yml
new file mode 100644
index 00000000000..e849dc92848
--- /dev/null
+++ b/changelogs/unreleased/security-update-excon-cve-2019-16779.yml
@@ -0,0 +1,5 @@
+---
+title: Update excon to 0.71.1 to fix CVE-2019-16779
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-workhorse-package-bypass-12-5.yml b/changelogs/unreleased/security-workhorse-package-bypass-12-5.yml
new file mode 100644
index 00000000000..bb9aa0a2bf1
--- /dev/null
+++ b/changelogs/unreleased/security-workhorse-package-bypass-12-5.yml
@@ -0,0 +1,5 @@
+---
+title: Add workhorse request verification to package upload endpoints
+merge_request:
+author:
+type: security |