From fd34ff13e9dbc5b09dd9e615b8ef5bef976fd687 Mon Sep 17 00:00:00 2001 
From: GitLab Release Tools Bot
Date: Wed, 2 Sep 2020 10:04:50 +0000
Subject: Update CHANGELOG.md for 13.1.9 [ci skip]

---
 CHANGELOG.md | 29 ++++++++++++++++++++++
 ...79-check-validity-of-repository-mirror-urls.yml | 5 ----
 .../unreleased/security-199-show-actual-group.yml | 6 -----
 ...ity-209-dblessing-prevent-stale-otp-user-id.yml | 5 ----
 .../security-212-regenerate-2fa-app-code.yml | 5 ----
 ...3-delete-other-sessions-when-activating-2fa.yml | 5 ----
 ...y-214-dblessing-revoke-session-on-pw-change.yml | 5 ----
 .../security-216-access-to-private-projects.yml | 5 ----
 ...security-217-dblessing-safe-omniauth-errors.yml | 5 ----
 .../security-218-prevent-2fa-bypass-using-api.yml | 6 -----
 ...ng-revoke-remember-me-on-session-revocation.yml | 5 ----
 .../unreleased/security-223-webhook-dos-attack.yml | 5 ----
 ...security-add-presence-validation-oauth-apps.yml | 5 ----
 ...ity-api-auth-use-job-token-for-running-jobs.yml | 5 ----
 ...ecurity-deploy-token-can-read-disabled-repo.yml | 5 ----
 .../security-fix-conan-workhorse-params.yml | 5 ----
 .../unreleased/security-graphql-type-check.yml | 5 ----
 ...urity-improper-access-control-on-deploy-key.yml | 5 ----
 .../security-pb-limit-profile-events.yml | 5 ----
 ...curity-prevent-aws-external-id-manipulation.yml | 5 ----
 .../security-projectmaintainer-edit-badges.yml | 5 ----
 .../unreleased/security-upgrade-jquery-3-5.yml | 5 ----
 .../security-websocket-extensions-update-0-1-5.yml | 5 ----
 .../update-gitlab-runner-helm-chart-to-0-18-3.yml | 5 ----
 24 files changed, 29 insertions(+), 117 deletions(-)
 delete mode 100644 changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
 delete mode 100644 changelogs/unreleased/security-199-show-actual-group.yml
 delete mode 100644 changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml
 delete mode 100644 changelogs/unreleased/security-212-regenerate-2fa-app-code.yml
 delete mode 100644 changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml
 delete mode 100644 changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml
 delete mode 100644 changelogs/unreleased/security-216-access-to-private-projects.yml
 delete mode 100644 changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml
 delete mode 100644 changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml
 delete mode 100644 changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
 delete mode 100644 changelogs/unreleased/security-223-webhook-dos-attack.yml
 delete mode 100644 changelogs/unreleased/security-add-presence-validation-oauth-apps.yml
 delete mode 100644 changelogs/unreleased/security-api-auth-use-job-token-for-running-jobs.yml
 delete mode 100644 changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
 delete mode 100644 changelogs/unreleased/security-fix-conan-workhorse-params.yml
 delete mode 100644 changelogs/unreleased/security-graphql-type-check.yml
 delete mode 100644 changelogs/unreleased/security-improper-access-control-on-deploy-key.yml
 delete mode 100644 changelogs/unreleased/security-pb-limit-profile-events.yml
 delete mode 100644 changelogs/unreleased/security-prevent-aws-external-id-manipulation.yml
 delete mode 100644 changelogs/unreleased/security-projectmaintainer-edit-badges.yml
 delete mode 100644 changelogs/unreleased/security-upgrade-jquery-3-5.yml
 delete mode 100644 changelogs/unreleased/security-websocket-extensions-update-0-1-5.yml
 delete mode 100644 changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-18-3.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 707b5a1746e..d8d5d739b19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,35 @@ documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 13.1.9 (2020-09-02)
+
+### Security (23 changes, 1 of them is from the community)
+
+- Check validity of project's import_url before mirroring repository.
+- Show on two-factor authentication setup page groups that are the cause of this requirement.
+- Prevent interrupted 2FA sign-in from signing-in incorrect user.
+- Create new 2FA code each time user is entering 2FA setup page.
+- Remove all sessions but current while enabling 2FA.
+- Invalidate two factor sign-in when user password changes.
+- Delete members invites created by users being deleted.
+- Prevent OmniAuth from rendering arbitrary error messages.
+- Prevent not-2fa authenticated users that are supposed to use it to consume api via session.
+- Invalidate remember me when an active session is revoked.
+- Add rate limit on webhooks testing feature.
+- Add scope presence validation to OAuth Application creation.
+- Allow only running job tokens for API authentication.
+- Prevent Deploy Tokens to read project resources when repository is disabled.
+- Change conan api to use proper workhorse validation.
+- Ensure global ID is of Snippet type in GraphQL destroy mutation.
+- Fix Improper Access Control on Deploy-Key.
+- Set maximum limit for profile events.
+- Persist EKS External ID before presenting it to the user.
+- Prevent project maintainers from editing group badges.
+- Upgrade jquery to v3.5.
+- Update websocket-extensions gem to 0.1.5. (Vitor Meireles De Sousa)
+- Update GitLab Runner Helm Chart to 0.18.3.
+
+
 ## 13.1.8 (2020-08-18)
 - No changes.
diff --git a/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml b/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
deleted file mode 100644
index 0117d6a3ccf..00000000000
--- a/changelogs/unreleased/215879-check-validity-of-repository-mirror-urls.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Check validity of project's import_url before mirroring repository
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-199-show-actual-group.yml b/changelogs/unreleased/security-199-show-actual-group.yml
deleted file mode 100644
index 91f5e4dea01..00000000000
--- a/changelogs/unreleased/security-199-show-actual-group.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Show on two-factor authentication setup page groups that are the cause of this
-  requirement
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml b/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml
deleted file mode 100644
index 8fe0892f39b..00000000000
--- a/changelogs/unreleased/security-209-dblessing-prevent-stale-otp-user-id.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent interrupted 2FA sign-in from signing-in incorrect user
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml b/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml
deleted file mode 100644
index c07dcb168f0..00000000000
--- a/changelogs/unreleased/security-212-regenerate-2fa-app-code.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create new 2FA code each time user is entering 2FA setup page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml b/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml
deleted file mode 100644
index c690af01c6a..00000000000
--- a/changelogs/unreleased/security-213-delete-other-sessions-when-activating-2fa.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove all sessions but current while enabling 2FA
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml b/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml
deleted file mode 100644
index f8549721588..00000000000
--- a/changelogs/unreleased/security-214-dblessing-revoke-session-on-pw-change.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Invalidate two factor sign-in when user password changes
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-216-access-to-private-projects.yml b/changelogs/unreleased/security-216-access-to-private-projects.yml
deleted file mode 100644
index bc54586fad3..00000000000
--- a/changelogs/unreleased/security-216-access-to-private-projects.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Delete members invites created by users being deleted
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml b/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml
deleted file mode 100644
index 1262ae4f836..00000000000
--- a/changelogs/unreleased/security-217-dblessing-safe-omniauth-errors.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent OmniAuth from rendering arbitrary error messages
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml b/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml
deleted file mode 100644
index 7f79c5fc412..00000000000
--- a/changelogs/unreleased/security-218-prevent-2fa-bypass-using-api.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Prevent not-2fa authenticated users that are supposed to use it to consume
-  api via session
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml b/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
deleted file mode 100644
index 830002a19d7..00000000000
--- a/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Invalidate remember me when an active session is revoked
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-223-webhook-dos-attack.yml b/changelogs/unreleased/security-223-webhook-dos-attack.yml
deleted file mode 100644
index ef1ab2c2415..00000000000
--- a/changelogs/unreleased/security-223-webhook-dos-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add rate limit on webhooks testing feature
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-add-presence-validation-oauth-apps.yml b/changelogs/unreleased/security-add-presence-validation-oauth-apps.yml
deleted file mode 100644
index 01f6a825679..00000000000
--- a/changelogs/unreleased/security-add-presence-validation-oauth-apps.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add scope presence validation to OAuth Application creation
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-api-auth-use-job-token-for-running-jobs.yml b/changelogs/unreleased/security-api-auth-use-job-token-for-running-jobs.yml
deleted file mode 100644
index febfcd7fc13..00000000000
--- a/changelogs/unreleased/security-api-auth-use-job-token-for-running-jobs.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allow only running job tokens for API authentication
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml b/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
deleted file mode 100644
index c18e4e9674f..00000000000
--- a/changelogs/unreleased/security-deploy-token-can-read-disabled-repo.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent Deploy Tokens to read project resources when repository is disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-conan-workhorse-params.yml b/changelogs/unreleased/security-fix-conan-workhorse-params.yml
deleted file mode 100644
index cc2ec3452f7..00000000000
--- a/changelogs/unreleased/security-fix-conan-workhorse-params.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Change conan api to use proper workhorse validation
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-graphql-type-check.yml b/changelogs/unreleased/security-graphql-type-check.yml
deleted file mode 100644
index 704cdebdb22..00000000000
--- a/changelogs/unreleased/security-graphql-type-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure global ID is of Snippet type in GraphQL destroy mutation
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml b/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml
deleted file mode 100644
index d10b9214922..00000000000
--- a/changelogs/unreleased/security-improper-access-control-on-deploy-key.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix Improper Access Control on Deploy-Key
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pb-limit-profile-events.yml b/changelogs/unreleased/security-pb-limit-profile-events.yml
deleted file mode 100644
index f724bcf7e09..00000000000
--- a/changelogs/unreleased/security-pb-limit-profile-events.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Set maximum limit for profile events
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-prevent-aws-external-id-manipulation.yml b/changelogs/unreleased/security-prevent-aws-external-id-manipulation.yml
deleted file mode 100644
index c6b8331d103..00000000000
--- a/changelogs/unreleased/security-prevent-aws-external-id-manipulation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Persist EKS External ID before presenting it to the user
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-projectmaintainer-edit-badges.yml b/changelogs/unreleased/security-projectmaintainer-edit-badges.yml
deleted file mode 100644
index 936931d7f6b..00000000000
--- a/changelogs/unreleased/security-projectmaintainer-edit-badges.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent project maintainers from editing group badges
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-upgrade-jquery-3-5.yml b/changelogs/unreleased/security-upgrade-jquery-3-5.yml
deleted file mode 100644
index d2a9a8fed6c..00000000000
--- a/changelogs/unreleased/security-upgrade-jquery-3-5.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Upgrade jquery to v3.5
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-websocket-extensions-update-0-1-5.yml b/changelogs/unreleased/security-websocket-extensions-update-0-1-5.yml
deleted file mode 100644
index b2f1776f153..00000000000
--- a/changelogs/unreleased/security-websocket-extensions-update-0-1-5.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update websocket-extensions gem to 0.1.5
-merge_request:
-author: Vitor Meireles De Sousa
-type: security
diff --git a/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-18-3.yml b/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-18-3.yml
deleted file mode 100644
index e14369e28dd..00000000000
--- a/changelogs/unreleased/update-gitlab-runner-helm-chart-to-0-18-3.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update GitLab Runner Helm Chart to 0.18.3
-merge_request:
-author:
-type: security
-- 
cgit v1.2.1