
gitlab.com/gitlab-org/gitlab-foss.git
author    GitLab Release Tools Bot <robert+release-tools@gitlab.com>  2018-11-27 14:38:03 +0300
committer GitLab Release Tools Bot <robert+release-tools@gitlab.com>  2018-11-27 14:38:03 +0300
commit    427a30c0b261f032eaf3a85c3b26bd108ca91235 (patch)
tree      56c0142cdd24194c5c4bffa9cfffc6ef9ec63302
parent    ecbdef090277848d409ed7f97f69f53bbac7a92c (diff)
Update CHANGELOG.md for 11.4.8
[ci skip]
-rw-r--r--  CHANGELOG.md  30
-rw-r--r--  changelogs/unreleased/51527-xss-in-mr-source-branch.yml  5
-rw-r--r--  changelogs/unreleased/redact-links-dev.yml  5
-rw-r--r--  changelogs/unreleased/security-11-4-2717-fix-issue-title-xss.yml  5
-rw-r--r--  changelogs/unreleased/security-11-4-2717-xss-username-autocomplete.yml  5
-rw-r--r--  changelogs/unreleased/security-11-4-fj-crlf-injection.yml  5
-rw-r--r--  changelogs/unreleased/security-11-4-xss-in-markdown-following-unrecognized-html-element.yml  5
-rw-r--r--  changelogs/unreleased/security-182-update-workhorse.yml  5
-rw-r--r--  changelogs/unreleased/security-2736-prometheus-ssrf.yml  5
-rw-r--r--  changelogs/unreleased/security-51113-hash_personal_access_tokens.yml  5
-rw-r--r--  changelogs/unreleased/security-bvl-exposure-in-commits-list.yml  5
-rw-r--r--  changelogs/unreleased/security-email-change-notification.yml  5
-rw-r--r--  changelogs/unreleased/security-fix-pat-web-access.yml  5
-rw-r--r--  changelogs/unreleased/security-fix-uri-xss-applications.yml  5
-rw-r--r--  changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml  5
-rw-r--r--  changelogs/unreleased/security-guest-comments.yml  5
-rw-r--r--  changelogs/unreleased/security-guest-comments_2.yml  5
-rw-r--r--  changelogs/unreleased/security-issue_51301.yml  5
-rw-r--r--  changelogs/unreleased/security-kubeclient-ssrf.yml  5
-rw-r--r--  changelogs/unreleased/security-mermaid-xss.yml  5
-rw-r--r--  changelogs/unreleased/security-pages-toctou-race.yml  6
-rw-r--r--  changelogs/unreleased/security-private-group-11-5.yml  6
-rw-r--r--  changelogs/unreleased/security-stored-xss-for-environments.yml  5
-rw-r--r--  changelogs/unreleased/sh-fix-hipchat-ssrf.yml  5
-rw-r--r--  changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml  5
25 files changed, 30 insertions, 122 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba343f14232..68efecb5b4e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,36 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 11.4.8 (2018-11-27)
+
+### Security (24 changes)
+
+- Escape entity title while autocomplete template rendering to prevent XSS. !2571
+- Resolve reflected XSS in Ouath authorize window.
+- Fix XSS in merge request source branch name.
+- Escape user fullname while rendering autocomplete template to prevent XSS.
+- Fix CRLF vulnerability in Project hooks.
+- Fix possible XSS attack in Markdown urls with spaces.
+- Redact sensitive information on gitlab-workhorse log.
+- Do not follow redirects in Prometheus service when making http requests to the configured api url.
+- Persist only SHA digest of PersonalAccessToken#token.
+- Don't expose confidential information in commit message list.
+- Provide email notification when a user changes their email address.
+- Restrict Personal Access Tokens to API scope on web requests.
+- Redact personal tokens in unsubscribe links.
+- Fix SSRF in project integrations.
+- Fixed ability to comment on locked/confidential issues.
+- Fixed ability of guest users to edit/delete comments on locked or confidential issues.
+- Fix milestone promotion authorization check.
+- Monkey kubeclient to not follow any redirects.
+- Configure mermaid to not render HTML content in diagrams.
+- Fix a possible symlink time of check to time of use race condition in GitLab Pages.
+- Removed ability to see private group names when the group id is entered in the url.
+- Fix stored XSS for Environments.
+- Prevent SSRF attacks in HipChat integration.
+- Validate Wiki attachments are valid temporary files.
+
+
## 11.4.7 (2018-11-20)
- No changes.
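Review bot: the added entry `- Resolve reflected XSS in Ouath authorize window.` misspells OAuth; the text is carried over verbatim from the deleted changelogs/unreleased/security-fix-uri-xss-applications.yml, so the spelling should be corrected here in CHANGELOG.md (`- Resolve reflected XSS in OAuth authorize window.`). In the same hunk, `- Monkey kubeclient to not follow any redirects.` reads as a truncated "Monkey-patch kubeclient ..." and would be clearer spelled out, and the two consecutive blank `+` lines before `## 11.4.7 (2018-11-20)` leave a double gap that the rest of the file does not use; one blank line between release sections is enough.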
diff --git a/changelogs/unreleased/51527-xss-in-mr-source-branch.yml b/changelogs/unreleased/51527-xss-in-mr-source-branch.yml
deleted file mode 100644
index dae277b6413..00000000000
--- a/changelogs/unreleased/51527-xss-in-mr-source-branch.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS in merge request source branch name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/redact-links-dev.yml b/changelogs/unreleased/redact-links-dev.yml
deleted file mode 100644
index 338e7965465..00000000000
--- a/changelogs/unreleased/redact-links-dev.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact personal tokens in unsubscribe links.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-2717-fix-issue-title-xss.yml b/changelogs/unreleased/security-11-4-2717-fix-issue-title-xss.yml
deleted file mode 100644
index 12dfa48c6aa..00000000000
--- a/changelogs/unreleased/security-11-4-2717-fix-issue-title-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape entity title while autocomplete template rendering to prevent XSS
-merge_request: 2571
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-2717-xss-username-autocomplete.yml b/changelogs/unreleased/security-11-4-2717-xss-username-autocomplete.yml
deleted file mode 100644
index d9b1015eeb4..00000000000
--- a/changelogs/unreleased/security-11-4-2717-xss-username-autocomplete.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape user fullname while rendering autocomplete template to prevent XSS
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-fj-crlf-injection.yml b/changelogs/unreleased/security-11-4-fj-crlf-injection.yml
deleted file mode 100644
index 861167b8a6e..00000000000
--- a/changelogs/unreleased/security-11-4-fj-crlf-injection.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix CRLF vulnerability in Project hooks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-xss-in-markdown-following-unrecognized-html-element.yml b/changelogs/unreleased/security-11-4-xss-in-markdown-following-unrecognized-html-element.yml
deleted file mode 100644
index 16c4474aadd..00000000000
--- a/changelogs/unreleased/security-11-4-xss-in-markdown-following-unrecognized-html-element.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix possible XSS attack in Markdown urls with spaces
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-182-update-workhorse.yml b/changelogs/unreleased/security-182-update-workhorse.yml
deleted file mode 100644
index 76850901b68..00000000000
--- a/changelogs/unreleased/security-182-update-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact sensitive information on gitlab-workhorse log
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2736-prometheus-ssrf.yml b/changelogs/unreleased/security-2736-prometheus-ssrf.yml
deleted file mode 100644
index 9d0dda8a75f..00000000000
--- a/changelogs/unreleased/security-2736-prometheus-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not follow redirects in Prometheus service when making http requests to the configured api url
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml b/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml
deleted file mode 100644
index 4cebe814148..00000000000
--- a/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Persist only SHA digest of PersonalAccessToken#token
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml b/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
deleted file mode 100644
index 0361fb0c041..00000000000
--- a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't expose confidential information in commit message list
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-email-change-notification.yml b/changelogs/unreleased/security-email-change-notification.yml
deleted file mode 100644
index 45075ff20bb..00000000000
--- a/changelogs/unreleased/security-email-change-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Provide email notification when a user changes their email address
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-pat-web-access.yml b/changelogs/unreleased/security-fix-pat-web-access.yml
deleted file mode 100644
index 62ffb908fe5..00000000000
--- a/changelogs/unreleased/security-fix-pat-web-access.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict Personal Access Tokens to API scope on web requests
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-uri-xss-applications.yml b/changelogs/unreleased/security-fix-uri-xss-applications.yml
deleted file mode 100644
index 0eaa1b1c4a3..00000000000
--- a/changelogs/unreleased/security-fix-uri-xss-applications.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Resolve reflected XSS in Ouath authorize window
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml b/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
deleted file mode 100644
index 32c85a2a7da..00000000000
--- a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF in project integrations
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-comments.yml b/changelogs/unreleased/security-guest-comments.yml
deleted file mode 100644
index 2c99512433b..00000000000
--- a/changelogs/unreleased/security-guest-comments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability to comment on locked/confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-comments_2.yml b/changelogs/unreleased/security-guest-comments_2.yml
deleted file mode 100644
index be6f2d6a490..00000000000
--- a/changelogs/unreleased/security-guest-comments_2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability of guest users to edit/delete comments on locked or confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-issue_51301.yml b/changelogs/unreleased/security-issue_51301.yml
deleted file mode 100644
index cf8ebb54b1c..00000000000
--- a/changelogs/unreleased/security-issue_51301.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix milestone promotion authorization check
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kubeclient-ssrf.yml b/changelogs/unreleased/security-kubeclient-ssrf.yml
deleted file mode 100644
index 45fc41029fc..00000000000
--- a/changelogs/unreleased/security-kubeclient-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Monkey kubeclient to not follow any redirects.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mermaid-xss.yml b/changelogs/unreleased/security-mermaid-xss.yml
deleted file mode 100644
index bcf93ef37ff..00000000000
--- a/changelogs/unreleased/security-mermaid-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Configure mermaid to not render HTML content in diagrams
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pages-toctou-race.yml b/changelogs/unreleased/security-pages-toctou-race.yml
deleted file mode 100644
index 1c055f6087f..00000000000
--- a/changelogs/unreleased/security-pages-toctou-race.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix a possible symlink time of check to time of use race condition in GitLab
- Pages
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-private-group-11-5.yml b/changelogs/unreleased/security-private-group-11-5.yml
deleted file mode 100644
index dbb7794dfed..00000000000
--- a/changelogs/unreleased/security-private-group-11-5.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Removed ability to see private group names when the group id is entered in
- the url.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-stored-xss-for-environments.yml b/changelogs/unreleased/security-stored-xss-for-environments.yml
deleted file mode 100644
index 5d78ca00942..00000000000
--- a/changelogs/unreleased/security-stored-xss-for-environments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix stored XSS for Environments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
deleted file mode 100644
index cdc95a34fcf..00000000000
--- a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent SSRF attacks in HipChat integration
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml b/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
deleted file mode 100644
index ac6ab7cc3f4..00000000000
--- a/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate Wiki attachments are valid temporary files
-merge_request:
-author:
-type: security