Repository: gitlab.com/gitlab-org/gitlab-foss.git
author:    GitLab Bot <gitlab-bot@gitlab.com>  2020-03-26 16:47:44 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com>  2020-03-26 16:47:44 +0300
commit:    d2e0253fad0ef640d1ffad2cca3cbf3975150020 (patch)
tree:      e2232edbfdf9e58258ef35b9c26fdf66c575d3fc
parent:    f649a7dab8cde9c06ea4b0fb6975cb10bc9e4c84 (diff)
Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee
-rw-r--r--  CHANGELOG-EE.md  |  7
-rw-r--r--  CHANGELOG.md  |  23
-rw-r--r--  GITALY_SERVER_VERSION  |  2
-rw-r--r--  changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml  |  5
-rw-r--r--  changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml  |  5
-rw-r--r--  changelogs/unreleased/security-59-prevent-create-api-snippet.yml  |  5
-rw-r--r--  changelogs/unreleased/security-backend-xss-admin-email.yml  |  5
-rw-r--r--  changelogs/unreleased/security-disable-mirroring-fix.yml  |  5
-rw-r--r--  changelogs/unreleased/security-docker-blocked-users.yml  |  5
-rw-r--r--  changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml  |  5
-rw-r--r--  changelogs/unreleased/security-mask-gh-service-password.yml  |  5
-rw-r--r--  changelogs/unreleased/security-mr-pipeline-status-permission-check.yml  |  5
-rw-r--r--  changelogs/unreleased/security-path-traversal-master.yml  |  5
-rw-r--r--  changelogs/unreleased/security-repository-archive-hotlinking.yml  |  5
-rw-r--r--  changelogs/unreleased/security-restrict-project-pipeline-metrics.yml  |  5
-rw-r--r--  changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml  |  5
-rw-r--r--  changelogs/unreleased/security-ssrf-attachment-url.yml  |  5
-rw-r--r--  changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml  |  5
-rw-r--r--  changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml  |  5
-rw-r--r--  changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml  |  5
20 files changed, 31 insertions, 86 deletions
diff --git a/CHANGELOG-EE.md b/CHANGELOG-EE.md
index a2f417a16c6..18f0da6bd28 100644
--- a/CHANGELOG-EE.md
+++ b/CHANGELOG-EE.md
@@ -1,5 +1,12 @@
Please view this file on the master branch, on stable branches it's out of date.
+## 12.8.8 (2020-03-26)
+
+### Security (1 change)
+
+- Add NPM package versions SemVer validation.
+
+
## 12.8.7 (2020-03-16)
### Fixed (1 change)
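Review bot: the new 12.8.8 entry "Add NPM package versions SemVer validation" has no matching changelogs/unreleased deletion anywhere in this commit, whereas each of the 17 entries added to CHANGELOG.md corresponds to one of the YAML files removed below; confirm that the source entry for this EE change was removed in the EE tree, otherwise it will be compiled into the changelog a second time at the next release.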
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc6df650d28..3f9b53846b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,29 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 12.8.8 (2020-03-26)
+
+### Security (17 changes)
+
+- Redact notes in moved confidential issues.
+- Ignore empty remote_id params from Workhorse accelerated uploads.
+- External user can not create personal snippet through API.
+- Prevent malicious entry for group name.
+- Restrict mirroring changes to admins only when mirroring is disabled.
+- Reject all container registry requests from blocked users.
+- Deny localhost requests on fogbugz importer.
+- Change GitHub service integration token input to password.
+- Add permission check for pipeline status of MR.
+- Fix UploadRewriter Path Traversal vulnerability.
+- Block hotlinking to repository archives.
+- Restrict access to project pipeline metrics reports.
+- vulnerability_feedback records should be restricted to a dev role and above.
+- Exclude Carrierwave remote URL methods from import.
+- Update Nokogiri to fix CVE-2020-7595.
+- Prevent updating trigger by other maintainers.
+- Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown.
+
+
## 12.8.7 (2020-03-16)
### Fixed (1 change, 1 of them is from the community)
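Review bot: apart from "Update Nokogiri to fix CVE-2020-7595", none of the 17 security entries carries an issue, merge request or CVE reference, so an operator reading this file cannot map entries such as "Fix UploadRewriter Path Traversal vulnerability" or "Exclude Carrierwave remote URL methods from import" to the corresponding advisories; add the identifiers from the release security post once it is published. Two wording points in the same hunk: "External user can not create personal snippet through API" should read "cannot", and "vulnerability_feedback records should be restricted to a dev role and above" describes a requirement rather than the change made, so "Restrict vulnerability_feedback records to developer role and above" would match the imperative style of the surrounding entries.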
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index c9bb023a76e..aef81b964a7 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-12.8.7
+12.8.8
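Review bot: the Gitaly bump from 12.8.7 to 12.8.8 is not mentioned in either changelog hunk, so nothing in this commit says which of the security fixes depends on the new Gitaly release; call it out in the CHANGELOG.md 12.8.8 section or the commit message so installations that deploy Gitaly separately know it must be upgraded together with GitLab.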
diff --git a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml b/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
deleted file mode 100644
index 54ee6ac9048..00000000000
--- a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact notes in moved confidential issues
-merge_request:
-author:
-type: security
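Review bot: `merge_request:` and `author:` are both empty in this entry, and the same holds for every security YAML file deleted in this commit, so the CHANGELOG.md lines compiled from them carry no link back to the fixing change; if the merge request numbers are withheld until the security release is public, they should be added to the changelog in a follow-up once the fixes are merged back to the canonical repository.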
diff --git a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml b/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
deleted file mode 100644
index c871e1615e0..00000000000
--- a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ignore empty remote_id params from Workhorse accelerated uploads
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml b/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
deleted file mode 100644
index 135fdfe7153..00000000000
--- a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: External user can not create personal snippet through API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-backend-xss-admin-email.yml b/changelogs/unreleased/security-backend-xss-admin-email.yml
deleted file mode 100644
index 82f97cd719a..00000000000
--- a/changelogs/unreleased/security-backend-xss-admin-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent malicious entry for group name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-disable-mirroring-fix.yml b/changelogs/unreleased/security-disable-mirroring-fix.yml
deleted file mode 100644
index 1b0a6a87515..00000000000
--- a/changelogs/unreleased/security-disable-mirroring-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict mirroring changes to admins only when mirroring is disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-docker-blocked-users.yml b/changelogs/unreleased/security-docker-blocked-users.yml
deleted file mode 100644
index 6e34506e7fd..00000000000
--- a/changelogs/unreleased/security-docker-blocked-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reject all container registry requests from blocked users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml b/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
deleted file mode 100644
index ecc05470717..00000000000
--- a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deny localhost requests on fogbugz importer
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mask-gh-service-password.yml b/changelogs/unreleased/security-mask-gh-service-password.yml
deleted file mode 100644
index cabbee204eb..00000000000
--- a/changelogs/unreleased/security-mask-gh-service-password.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Change GitHub service integration token input to password
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml b/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
deleted file mode 100644
index 598804bd0a7..00000000000
--- a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add permission check for pipeline status of MR
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-path-traversal-master.yml b/changelogs/unreleased/security-path-traversal-master.yml
deleted file mode 100644
index d5e269823ea..00000000000
--- a/changelogs/unreleased/security-path-traversal-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix UploadRewriter Path Traversal vulnerability
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-repository-archive-hotlinking.yml b/changelogs/unreleased/security-repository-archive-hotlinking.yml
deleted file mode 100644
index cf87ea488f0..00000000000
--- a/changelogs/unreleased/security-repository-archive-hotlinking.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block hotlinking to repository archives
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml b/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
deleted file mode 100644
index 20c24aa6bdf..00000000000
--- a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict access to project pipeline metrics reports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml b/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
deleted file mode 100644
index 5de5fc761fd..00000000000
--- a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: vulnerability_feedback records should be restricted to a dev role and above
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
deleted file mode 100644
index bb5e3e54574..00000000000
--- a/changelogs/unreleased/security-ssrf-attachment-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exclude Carrierwave remote URL methods from import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml b/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
deleted file mode 100644
index 58ad219f0eb..00000000000
--- a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update Nokogiri to fix CVE-2020-7595
-merge_request:
-author:
-type: security
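Review bot: the title names the CVE but not the Nokogiri version being moved to, and no Gemfile.lock change appears among the 20 files in this commit, so a reader cannot tell from this diff which version resolves CVE-2020-7595; state the target version in the compiled changelog entry (for example "Update Nokogiri to <version> to fix CVE-2020-7595") or confirm that the dependency bump landed in an earlier commit on this branch.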
diff --git a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
deleted file mode 100644
index f7bef1589a2..00000000000
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent updating trigger by other maintainers
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml b/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
deleted file mode 100644
index fe31f1167eb..00000000000
--- a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
-merge_request:
-author:
-type: security