From 1d469732061c0c5e974deb5e2bbe7fa88544e263 Mon Sep 17 00:00:00 2001 
From: GitLab Release Tools Bot
Date: Mon, 28 Jan 2019 21:19:19 +0000
Subject: Update CHANGELOG.md for 11.7.1 [ci skip]
---
CHANGELOG.md | 30 ++++++++++++++++++++++
.../11-7-security-stored-xss-via-katex.yml | 5 ----
.../unreleased/extract-pages-with-rubyzip.yml | 5 ----
.../unreleased/fix-security-group-user-removal.yml | 5 ----
.../security-11-7-22076-sanitize-url-in-names.yml | 6 -----
.../unreleased/security-11-7-test-permissions.yml | 5 ----
...ity-2767-verify-lfs-finalize-from-workhorse.yml | 5 ----
.../security-2769-idn-homograph-attack.yml | 5 ----
.../security-2776-fix-add-reaction-permissions.yml | 5 ----
...ty-2779-fix-email-comment-permissions-check.yml | 5 ----
.../security-2780-disable-git-v2-protocol.yml | 5 ----
...security-commit-status-shown-for-guest-user.yml | 5 ----
.../unreleased/security-contributed-projects.yml | 5 ----
.../security-do-not-process-mr-ref-for-guests.yml | 5 ----
...ecurity-fix-lfs-import-project-ssrf-forgery.yml | 5 ----
.../security-fix-new-issues-login-message.yml | 5 ----
changelogs/unreleased/security-fix-regex-dos.yml | 5 ----
.../security-fix-user-email-tag-push-leak.yml | 5 ----
...ki-access-rights-with-external-wiki-enabled.yml | 5 ----
...urity-guests-can-see-list-of-merge-requests.yml | 6 -----
.../unreleased/security-import-path-logging.yml | 5 ----
.../security-import-project-visibility.yml | 5 ----
.../security-pipeline-trigger-tokens-exposure.yml | 5 ----
.../unreleased/security-project-move-users.yml | 5 ----
changelogs/unreleased/sh-fix-issue-56663-11-7.yml | 5 ----
25 files changed, 30 insertions(+), 122 deletions(-)
delete mode 100644 changelogs/unreleased/11-7-security-stored-xss-via-katex.yml
delete mode 100644 changelogs/unreleased/extract-pages-with-rubyzip.yml
delete mode 100644 changelogs/unreleased/fix-security-group-user-removal.yml
delete mode 100644 changelogs/unreleased/security-11-7-22076-sanitize-url-in-names.yml
delete mode 100644 changelogs/unreleased/security-11-7-test-permissions.yml
delete
mode 100644 changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
delete mode 100644 changelogs/unreleased/security-2769-idn-homograph-attack.yml
delete mode 100644 changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
delete mode 100644 changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
delete mode 100644 changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
delete mode 100644 changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
delete mode 100644 changelogs/unreleased/security-contributed-projects.yml
delete mode 100644 changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
delete mode 100644 changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
delete mode 100644 changelogs/unreleased/security-fix-new-issues-login-message.yml
delete mode 100644 changelogs/unreleased/security-fix-regex-dos.yml
delete mode 100644 changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
delete mode 100644 changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
delete mode 100644 changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
delete mode 100644 changelogs/unreleased/security-import-path-logging.yml
delete mode 100644 changelogs/unreleased/security-import-project-visibility.yml
delete mode 100644 changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
delete mode 100644 changelogs/unreleased/security-project-move-users.yml
delete mode 100644 changelogs/unreleased/sh-fix-issue-56663-11-7.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6687ef59383..5905107d7e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,36 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 11.7.1 (2019-01-28)
+
+### Security (24 changes)
+
+- Make potentially malicious links more visible in the UI and scrub RTLO chars from links. !2770
+- Don't process MR refs for guests in the notes. !2771
+- Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs. !2828
+- Fixed XSS content in KaTex links.
+- Disallows unauthorized users from accessing the pipelines section.
+- Verify that LFS upload requests are genuine.
+- Extract GitLab Pages using RubyZip.
+- Prevent awarding emojis to notes whose parent is not visible to user.
+- Prevent unauthorized replies when discussion is locked or confidential.
+- Disable git v2 protocol temporarily.
+- Fix showing ci status for guest users when public pipline are not set.
+- Fix contributed projects info still visible when user enable private profile.
+- Add subresources removal to member destroy service.
+- Add more LFS validations to prevent forgery.
+- Use common error for unauthenticated users when creating issues.
+- Fix slow regex in project reference pattern.
+- Fix private user email being visible in push (and tag push) webhooks.
+- Fix wiki access rights when external wiki is enabled.
+- Group guests are no longer able to see merge requests they don't have access to at group level.
+- Fix path disclosure on project import error.
+- Restrict project import visibility based on its group.
+- Expose CI/CD trigger token only to the trigger owner.
+- Notify only users who can access the project on project move.
+- Alias GitHub and BitBucket OAuth2 callback URLs.
+
+
 ## 11.7.0 (2019-01-22)
 ### Security (14 changes, 1 of them is from the community)
diff --git a/changelogs/unreleased/11-7-security-stored-xss-via-katex.yml b/changelogs/unreleased/11-7-security-stored-xss-via-katex.yml
deleted file mode 100644
index a71ae1123f2..00000000000
--- a/changelogs/unreleased/11-7-security-stored-xss-via-katex.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed XSS content in KaTex links
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/extract-pages-with-rubyzip.yml b/changelogs/unreleased/extract-pages-with-rubyzip.yml
deleted file mode 100644
index 8352e79d3e5..00000000000
--- a/changelogs/unreleased/extract-pages-with-rubyzip.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Extract GitLab Pages using RubyZip
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/fix-security-group-user-removal.yml b/changelogs/unreleased/fix-security-group-user-removal.yml
deleted file mode 100644
index 09d09a96f84..00000000000
--- a/changelogs/unreleased/fix-security-group-user-removal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add subresources removal to member destroy service
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-7-22076-sanitize-url-in-names.yml b/changelogs/unreleased/security-11-7-22076-sanitize-url-in-names.yml
deleted file mode 100644
index 6d0977fe419..00000000000
--- a/changelogs/unreleased/security-11-7-22076-sanitize-url-in-names.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Sanitize user full name to clean up any URL to prevent mail clients from auto-linking
- URLs
-merge_request: 2828
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-7-test-permissions.yml b/changelogs/unreleased/security-11-7-test-permissions.yml
deleted file mode 100644
index cfb69fdcb1e..00000000000
--- a/changelogs/unreleased/security-11-7-test-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disallows unauthorized users from accessing the pipelines section.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
deleted file mode 100644
index e79e3263df7..00000000000
--- a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Verify that LFS upload requests are genuine
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2769-idn-homograph-attack.yml b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
deleted file mode 100644
index a014b522c96..00000000000
--- a/changelogs/unreleased/security-2769-idn-homograph-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make potentially malicious links more visible in the UI and scrub RTLO chars from links
-merge_request: 2770
-author:
-type: security
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
deleted file mode 100644
index 3ad92578c44..00000000000
--- a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent awarding emojis to notes whose parent is not visible to user
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
deleted file mode 100644
index 2f76064d8a4..00000000000
--- a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent unauthorized replies when discussion is locked or confidential
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
deleted file mode 100644
index 30a08a98e83..00000000000
--- a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable git v2 protocol temporarily
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
deleted file mode 100644
index a80170091d0..00000000000
--- a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix showing ci status for guest users when public pipline are not set
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-contributed-projects.yml b/changelogs/unreleased/security-contributed-projects.yml
deleted file mode 100644
index f745a2255ca..00000000000
--- a/changelogs/unreleased/security-contributed-projects.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix contributed projects info still visible when user enable private profile
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
deleted file mode 100644
index 0281dde11e6..00000000000
--- a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't process MR refs for guests in the notes
-merge_request: 2771
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
deleted file mode 100644
index b6315ec29d8..00000000000
--- a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add more LFS validations to prevent forgery
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-new-issues-login-message.yml b/changelogs/unreleased/security-fix-new-issues-login-message.yml
deleted file mode 100644
index 9dabf2438c9..00000000000
--- a/changelogs/unreleased/security-fix-new-issues-login-message.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Use common error for unauthenticated users when creating issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-regex-dos.yml b/changelogs/unreleased/security-fix-regex-dos.yml
deleted file mode 100644
index b08566d2f15..00000000000
--- a/changelogs/unreleased/security-fix-regex-dos.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix slow regex in project reference pattern
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
deleted file mode 100644
index 915ea7b5216..00000000000
--- a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix private user email being visible in push (and tag push) webhooks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
deleted file mode 100644
index d5f20b87a90..00000000000
--- a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix wiki access rights when external wiki is enabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml b/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
deleted file mode 100644
index f5b74011829..00000000000
--- a/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Group guests are no longer able to see merge requests they don't have access
- to at group level
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-path-logging.yml b/changelogs/unreleased/security-import-path-logging.yml
deleted file mode 100644
index 2ba2d88d82a..00000000000
--- a/changelogs/unreleased/security-import-path-logging.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix path disclosure on project import error
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-project-visibility.yml b/changelogs/unreleased/security-import-project-visibility.yml
deleted file mode 100644
index 04ae172a9a1..00000000000
--- a/changelogs/unreleased/security-import-project-visibility.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict project import visibility based on its group
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
deleted file mode 100644
index 97d743eead1..00000000000
--- a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expose CI/CD trigger token only to the trigger owner
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-project-move-users.yml b/changelogs/unreleased/security-project-move-users.yml
deleted file mode 100644
index 744df68651f..00000000000
--- a/changelogs/unreleased/security-project-move-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Notify only users who can access the project on project move.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-issue-56663-11-7.yml b/changelogs/unreleased/sh-fix-issue-56663-11-7.yml
deleted file mode 100644
index addf327b69d..00000000000
--- a/changelogs/unreleased/sh-fix-issue-56663-11-7.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Alias GitHub and BitBucket OAuth2 callback URLs
-merge_request:
-author:
-type: security
--
cgit v1.2.1