From f4ec125201e4cc0c33b6960cf44a865ae8b1f34d Mon Sep 17 00:00:00 2001 From: GitLab Release Tools Bot Date: Mon, 29 Jul 2019 14:48:18 +0000 Subject: Update CHANGELOG.md for 11.11.7 [ci skip] --- CHANGELOG.md | 15 +++++++++++++++ ...rity-2873-blocked-user-slash-command-bypass-master.yml | 5 ----- ...ecurity-60143-patch-additional-xss-vector-in-wikis.yml | 5 ----- changelogs/unreleased/security-bvl-filter-mr-params.yml | 5 ----- changelogs/unreleased/security-dns-ssrf-bypass.yml | 5 ----- .../security-fix-badges-leaked-to-unauthorized-users.yml | 5 ----- changelogs/unreleased/security-github-ssrf-redirect.yml | 5 ----- changelogs/unreleased/security-hide_moved_issue_id.yml | 5 ----- .../unreleased/security-mr-pipeline-permissions.yml | 5 ----- .../security-remove-take-trigger-ownership-feature.yml | 5 ----- 10 files changed, 15 insertions(+), 45 deletions(-) delete mode 100644 changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml delete mode 100644 changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml delete mode 100644 changelogs/unreleased/security-bvl-filter-mr-params.yml delete mode 100644 changelogs/unreleased/security-dns-ssrf-bypass.yml delete mode 100644 changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml delete mode 100644 changelogs/unreleased/security-github-ssrf-redirect.yml delete mode 100644 changelogs/unreleased/security-hide_moved_issue_id.yml delete mode 100644 changelogs/unreleased/security-mr-pipeline-permissions.yml delete mode 100644 changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 2545d3421a4..d7f4e80078d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,21 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.11.7 + +### Security (9 changes) + +- Restrict slash commands to users who can log in. +- Patch XSS issue in wiki links. +- Filter merge request params on the new merge request page. +- Fix Server Side Request Forgery mitigation bypass. +- Show badges if pipelines are public otherwise default to project permissions. +- Do not allow localhost url redirection in GitHub Integration. +- Do not show moved issue id for users that cannot read issue. +- Use source project as permissions reference for MergeRequestsController#pipelines. +- Drop feature to take ownership of trigger token. + + ## 11.11.6 - Unreleased due to QA failure. diff --git a/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml b/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml deleted file mode 100644 index cd31fe0f35c..00000000000 --- a/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Restrict slash commands to users who can log in -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml b/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml deleted file mode 100644 index a8a26d5fc56..00000000000 --- a/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Patch XSS issue in wiki links -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-bvl-filter-mr-params.yml b/changelogs/unreleased/security-bvl-filter-mr-params.yml deleted file mode 100644 index 4433ec73b7c..00000000000 --- a/changelogs/unreleased/security-bvl-filter-mr-params.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Filter merge request params on the new merge request page -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-dns-ssrf-bypass.yml b/changelogs/unreleased/security-dns-ssrf-bypass.yml deleted file mode 100644 index e48696ce5bd..00000000000 --- a/changelogs/unreleased/security-dns-ssrf-bypass.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix Server Side Request Forgery mitigation bypass -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml deleted file mode 100644 index 9526f3c559f..00000000000 --- a/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Show badges if pipelines are public otherwise default to project permissions. -erge_request: -author: -type: security diff --git a/changelogs/unreleased/security-github-ssrf-redirect.yml b/changelogs/unreleased/security-github-ssrf-redirect.yml deleted file mode 100644 index 36a36de3eb0..00000000000 --- a/changelogs/unreleased/security-github-ssrf-redirect.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Do not allow localhost url redirection in GitHub Integration -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-hide_moved_issue_id.yml b/changelogs/unreleased/security-hide_moved_issue_id.yml deleted file mode 100644 index 24353d797c9..00000000000 --- a/changelogs/unreleased/security-hide_moved_issue_id.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Do not show moved issue id for users that cannot read issue -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-mr-pipeline-permissions.yml b/changelogs/unreleased/security-mr-pipeline-permissions.yml deleted file mode 100644 index a317c93228c..00000000000 --- a/changelogs/unreleased/security-mr-pipeline-permissions.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Use source project as permissions reference for MergeRequestsController#pipelines -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml b/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml deleted file mode 100644 index 201f66e1f18..00000000000 --- a/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Drop feature to take ownership of trigger token. -merge_request: -author: -type: security -- cgit v1.2.1