From 375e6dfde9b0ebd869a0825296bd0762205c735d Mon Sep 17 00:00:00 2001 
From: GitLab Release Tools Bot
Date: Thu, 30 May 2019 12:51:31 +0000
Subject: Update CHANGELOG.md for 11.11.1 [ci skip]

---
 CHANGELOG.md | 18 ++++++++++++++++++
 ...sw-disable-dns-rebind-protection-settings-11-11.yml | 5 -----
 .../security-58856-persistent-xss-in-note-objects.yml | 5 -----
 changelogs/unreleased/security-60039.yml | 5 -----
 .../security-60143-address-xss-issue-in-wiki-links.yml | 5 -----
 ...-fix-confidential-issue-label-visibility-master.yml | 5 -----
 ...ecurity-fix-project-existence-disclosure-master.yml | 5 -----
 .../security-fix_milestones_search_api_leak.yml | 5 -----
 .../security-http-hostname-override-11-11.yml | 5 -----
 ...urity-id-leaked-password-in-import-url-frontend.yml | 5 -----
 .../security-jej-prevent-web-sign-in-bypass.yml | 5 -----
 changelogs/unreleased/security-pb-fix-get-archive.yml | 5 -----
 .../unreleased/security-unsubscribing-from-issue.yml | 5 -----
 13 files changed, 18 insertions(+), 60 deletions(-)
 delete mode 100644 changelogs/unreleased/osw-disable-dns-rebind-protection-settings-11-11.yml
 delete mode 100644 changelogs/unreleased/security-58856-persistent-xss-in-note-objects.yml
 delete mode 100644 changelogs/unreleased/security-60039.yml
 delete mode 100644 changelogs/unreleased/security-60143-address-xss-issue-in-wiki-links.yml
 delete mode 100644 changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml
 delete mode 100644 changelogs/unreleased/security-fix-project-existence-disclosure-master.yml
 delete mode 100644 changelogs/unreleased/security-fix_milestones_search_api_leak.yml
 delete mode 100644 changelogs/unreleased/security-http-hostname-override-11-11.yml
 delete mode 100644 changelogs/unreleased/security-id-leaked-password-in-import-url-frontend.yml
 delete mode 100644 changelogs/unreleased/security-jej-prevent-web-sign-in-bypass.yml
 delete mode 100644 changelogs/unreleased/security-pb-fix-get-archive.yml
 delete mode 100644 changelogs/unreleased/security-unsubscribing-from-issue.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88521222b8a..737137394bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,24 @@
 documentation](doc/development/changelog.md)
 for instructions on adding your own entry.
 
+## 11.11.1 (2019-05-30)
+
+### Security (12 changes)
+
+- Add DNS rebinding protection settings.
+- Prevent XSS injection in note imports.
+- Prevent invalid branch for merge request.
+- Filter relative links in wiki for XSS.
+- Fix confidential issue label disclosure on milestone view.
+- Fix url redaction for issue links.
+- Resolve: Milestones leaked via search API.
+- Protect Gitlab::HTTP against DNS rebinding attack.
+- Add extra fields for handling basic auth on import by url page.
+- Prevent bypass of restriction disabling web password sign in.
+- Update Gitaly to fix GetArchive vulnerability.
+- Hide confidential issue title on unsubscribe for anonymous users.
+
+
 ## 11.11.0 (2019-05-22)
 
 ### Security (1 change)
diff --git a/changelogs/unreleased/osw-disable-dns-rebind-protection-settings-11-11.yml b/changelogs/unreleased/osw-disable-dns-rebind-protection-settings-11-11.yml
deleted file mode 100644
index fc9a8bb8025..00000000000
--- a/changelogs/unreleased/osw-disable-dns-rebind-protection-settings-11-11.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add DNS rebinding protection settings
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-58856-persistent-xss-in-note-objects.yml b/changelogs/unreleased/security-58856-persistent-xss-in-note-objects.yml
deleted file mode 100644
index d9ad5af256a..00000000000
--- a/changelogs/unreleased/security-58856-persistent-xss-in-note-objects.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent XSS injection in note imports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-60039.yml b/changelogs/unreleased/security-60039.yml
deleted file mode 100644
index 5edbf32ec97..00000000000
--- a/changelogs/unreleased/security-60039.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent invalid branch for merge request
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-60143-address-xss-issue-in-wiki-links.yml b/changelogs/unreleased/security-60143-address-xss-issue-in-wiki-links.yml
deleted file mode 100644
index 5b79258af54..00000000000
--- a/changelogs/unreleased/security-60143-address-xss-issue-in-wiki-links.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filter relative links in wiki for XSS
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml b/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml
deleted file mode 100644
index adfd8e1298f..00000000000
--- a/changelogs/unreleased/security-fix-confidential-issue-label-visibility-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix confidential issue label disclosure on milestone view
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-project-existence-disclosure-master.yml b/changelogs/unreleased/security-fix-project-existence-disclosure-master.yml
deleted file mode 100644
index 084439c71d9..00000000000
--- a/changelogs/unreleased/security-fix-project-existence-disclosure-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix url redaction for issue links
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix_milestones_search_api_leak.yml b/changelogs/unreleased/security-fix_milestones_search_api_leak.yml
deleted file mode 100644
index 5691550b602..00000000000
--- a/changelogs/unreleased/security-fix_milestones_search_api_leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: 'Resolve: Milestones leaked via search API'
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-http-hostname-override-11-11.yml b/changelogs/unreleased/security-http-hostname-override-11-11.yml
deleted file mode 100644
index f84f36a0010..00000000000
--- a/changelogs/unreleased/security-http-hostname-override-11-11.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Protect Gitlab::HTTP against DNS rebinding attack
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-id-leaked-password-in-import-url-frontend.yml b/changelogs/unreleased/security-id-leaked-password-in-import-url-frontend.yml
deleted file mode 100644
index df636ec37fb..00000000000
--- a/changelogs/unreleased/security-id-leaked-password-in-import-url-frontend.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add extra fields for handling basic auth on import by url page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-jej-prevent-web-sign-in-bypass.yml b/changelogs/unreleased/security-jej-prevent-web-sign-in-bypass.yml
deleted file mode 100644
index 02773fa1d7c..00000000000
--- a/changelogs/unreleased/security-jej-prevent-web-sign-in-bypass.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent bypass of restriction disabling web password sign in
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pb-fix-get-archive.yml b/changelogs/unreleased/security-pb-fix-get-archive.yml
deleted file mode 100644
index dca4fec7d61..00000000000
--- a/changelogs/unreleased/security-pb-fix-get-archive.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update Gitaly to fix GetArchive vulnerability
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-unsubscribing-from-issue.yml b/changelogs/unreleased/security-unsubscribing-from-issue.yml
deleted file mode 100644
index 3a33a457c69..00000000000
--- a/changelogs/unreleased/security-unsubscribing-from-issue.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Hide confidential issue title on unsubscribe for anonymous users
-merge_request:
-author:
-type: security
-- 
cgit v1.2.1