author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-03-26 15:18:04 +0300 |
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-03-26 15:18:04 +0300 |
commit | a1b8156d0f262631e60f6edd2114f3a107289c29 (patch) | |
tree | 027c4e5bd4a0a3cfa0f3dc99f9cae1eec3f16803 | |
parent | 6e7bc0480ac43d8cd1011531b56137cc05db9e37 (diff) |
Update CHANGELOG.md for 12.7.8
[ci skip]
18 files changed, 23 insertions, 85 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1908a67a288..d8f5cff4262 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,29 @@ documentation](doc/development/changelog.md) for instructions on adding
 your own entry.
+## 12.7.8 (2020-03-26)
+
+### Security (17 changes)
+
+- Redact notes in moved confidential issues.
+- Ignore empty remote_id params from Workhorse accelerated uploads.
+- External user can not create personal snippet through API.
+- Prevent malicious entry for group name.
+- Restrict mirroring changes to admins only when mirroring is disabled.
+- Reject all container registry requests from blocked users.
+- Deny localhost requests on fogbugz importer.
+- Change GitHub service integration token input to password.
+- Add permission check for pipeline status of MR.
+- Fix UploadRewriter Path Traversal vulnerability.
+- Block hotlinking to repository archives.
+- Restrict access to project pipeline metrics reports.
+- vulnerability_feedback records should be restricted to a dev role and above.
+- Exclude Carrierwave remote URL methods from import.
+- Update Nokogiri to fix CVE-2020-7595.
+- Prevent updating trigger by other maintainers.
+- Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown.
+
+
 ## 12.7.7
 ### Security (17 changes)
diff --git a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml b/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
deleted file mode 100644
index 54ee6ac9048..00000000000
--- a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact notes in moved confidential issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml b/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
deleted file mode 100644
index c871e1615e0..00000000000
--- a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ignore empty remote_id params from Workhorse accelerated uploads
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml b/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
deleted file mode 100644
index 135fdfe7153..00000000000
--- a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: External user can not create personal snippet through API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-backend-xss-admin-email.yml b/changelogs/unreleased/security-backend-xss-admin-email.yml
deleted file mode 100644
index 82f97cd719a..00000000000
--- a/changelogs/unreleased/security-backend-xss-admin-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent malicious entry for group name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-disable-mirroring-fix.yml b/changelogs/unreleased/security-disable-mirroring-fix.yml
deleted file mode 100644
index 1b0a6a87515..00000000000
--- a/changelogs/unreleased/security-disable-mirroring-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict mirroring changes to admins only when mirroring is disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-docker-blocked-users.yml b/changelogs/unreleased/security-docker-blocked-users.yml
deleted file mode 100644
index 6e34506e7fd..00000000000
--- a/changelogs/unreleased/security-docker-blocked-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reject all container registry requests from blocked users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml b/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
deleted file mode 100644
index ecc05470717..00000000000
--- a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deny localhost requests on fogbugz importer
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mask-gh-service-password.yml b/changelogs/unreleased/security-mask-gh-service-password.yml
deleted file mode 100644
index cabbee204eb..00000000000
--- a/changelogs/unreleased/security-mask-gh-service-password.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Change GitHub service integration token input to password
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml b/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
deleted file mode 100644
index 598804bd0a7..00000000000
--- a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add permission check for pipeline status of MR
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-path-traversal-master.yml b/changelogs/unreleased/security-path-traversal-master.yml
deleted file mode 100644
index d5e269823ea..00000000000
--- a/changelogs/unreleased/security-path-traversal-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix UploadRewriter Path Traversal vulnerability
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-repository-archive-hotlinking.yml b/changelogs/unreleased/security-repository-archive-hotlinking.yml
deleted file mode 100644
index cf87ea488f0..00000000000
--- a/changelogs/unreleased/security-repository-archive-hotlinking.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block hotlinking to repository archives
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml b/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
deleted file mode 100644
index 20c24aa6bdf..00000000000
--- a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict access to project pipeline metrics reports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml b/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
deleted file mode 100644
index 5de5fc761fd..00000000000
--- a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: vulnerability_feedback records should be restricted to a dev role and above
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
deleted file mode 100644
index bb5e3e54574..00000000000
--- a/changelogs/unreleased/security-ssrf-attachment-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exclude Carrierwave remote URL methods from import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml b/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
deleted file mode 100644
index 58ad219f0eb..00000000000
--- a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update Nokogiri to fix CVE-2020-7595
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
deleted file mode 100644
index f7bef1589a2..00000000000
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent updating trigger by other maintainers
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml b/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
deleted file mode 100644
index fe31f1167eb..00000000000
--- a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
-merge_request:
-author:
-type: security |