gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author:    GitLab Release Tools Bot <robert+release-tools@gitlab.com>  2018-11-27 02:51:30 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com>  2018-11-27 02:51:30 +0300
commit:    9eff3873a5d23ebeb238fb0c4b49c37ac98c1ab0 (patch)
tree:      ce32b441b1633cd447fdf8880ece67861c0f2b69
parent:    7529d55452aff9d669ad269b2c2375010360ab58 (diff)
Update CHANGELOG.md for 11.3.11
[ci skip]
-rw-r--r--  CHANGELOG.md  39
-rw-r--r--  changelogs/unreleased/51527-xss-in-mr-source-branch.yml  5
-rw-r--r--  changelogs/unreleased/fix-events-finder-incomplete.yml  5
-rw-r--r--  changelogs/unreleased/redact-links-dev.yml  5
-rw-r--r--  changelogs/unreleased/security-11-3-2717-fix-issue-title-xss.yml  5
-rw-r--r--  changelogs/unreleased/security-11-3-2717-xss-username-autocomplete.yml  5
-rw-r--r--  changelogs/unreleased/security-11-3-fj-crlf-injection.yml  5
-rw-r--r--  changelogs/unreleased/security-11-3-xss-in-markdown-following-unrecognized-html-element.yml  5
-rw-r--r--  changelogs/unreleased/security-182-update-workhorse.yml  5
-rw-r--r--  changelogs/unreleased/security-2697-code-highlight-timeout.yml  5
-rw-r--r--  changelogs/unreleased/security-2736-prometheus-ssrf.yml  5
-rw-r--r--  changelogs/unreleased/security-51113-hash_personal_access_tokens.yml  5
-rw-r--r--  changelogs/unreleased/security-acet-issue-details.yml  5
-rw-r--r--  changelogs/unreleased/security-bvl-exposure-in-commits-list.yml  5
-rw-r--r--  changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml  5
-rw-r--r--  changelogs/unreleased/security-email-change-notification.yml  5
-rw-r--r--  changelogs/unreleased/security-fix-leaking-private-project-namespace.yml  5
-rw-r--r--  changelogs/unreleased/security-fix-pat-web-access.yml  5
-rw-r--r--  changelogs/unreleased/security-fix-uri-xss-applications.yml  5
-rw-r--r--  changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml  5
-rw-r--r--  changelogs/unreleased/security-fj-stored-xss-in-repository-imports.yml  5
-rw-r--r--  changelogs/unreleased/security-guest-comments.yml  5
-rw-r--r--  changelogs/unreleased/security-guest-comments_2.yml  5
-rw-r--r--  changelogs/unreleased/security-issue_51301.yml  5
-rw-r--r--  changelogs/unreleased/security-kubeclient-ssrf.yml  5
-rw-r--r--  changelogs/unreleased/security-mermaid-xss.yml  5
-rw-r--r--  changelogs/unreleased/security-osw-user-info-leak-discussions-11-3.yml  5
-rw-r--r--  changelogs/unreleased/security-package-json-xss.yml  5
-rw-r--r--  changelogs/unreleased/security-pages-toctou-race.yml  6
-rw-r--r--  changelogs/unreleased/security-private-group-11-5.yml  6
-rw-r--r--  changelogs/unreleased/security-stored-xss-for-environments.yml  5
-rw-r--r--  changelogs/unreleased/sh-block-other-localhost.yml  5
-rw-r--r--  changelogs/unreleased/sh-fix-hipchat-ssrf.yml  5
-rw-r--r--  changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml  5
34 files changed, 39 insertions, 167 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00ade269250..24a72eae9a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,45 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 11.3.11 (2018-11-26)
+
+### Security (33 changes)
+
+- Filter user sensitive data from discussions JSON. !2537
+- Escape entity title while autocomplete template rendering to prevent XSS. !2557
+- Restrict Personal Access Tokens to API scope on web requests.
+- Fix XSS in merge request source branch name.
+- Escape user fullname while rendering autocomplete template to prevent XSS.
+- Fix CRLF vulnerability in Project hooks.
+- Fix possible XSS attack in Markdown urls with spaces.
+- Redact sensitive information on gitlab-workhorse log.
+- Set timeout for syntax highlighting.
+- Do not follow redirects in Prometheus service when making http requests to the configured api url.
+- Persist only SHA digest of PersonalAccessToken#token.
+- Sanitize JSON data properly to fix XSS on Issue details page.
+- Don't expose confidential information in commit message list.
+- Markdown API no longer displays confidential title references unless authorized.
+- Provide email notification when a user changes their email address.
+- Properly filter private references from system notes.
+- Redact personal tokens in unsubscribe links.
+- Resolve reflected XSS in Ouath authorize window.
+- Fix SSRF in project integrations.
+- Fix stored XSS in merge requests from imported repository.
+- Fixed ability to comment on locked/confidential issues.
+- Fixed ability of guest users to edit/delete comments on locked or confidential issues.
+- Fix milestone promotion authorization check.
+- Monkey kubeclient to not follow any redirects.
+- Configure mermaid to not render HTML content in diagrams.
+- Redact confidential events in the API.
+- Fix xss vulnerability sourced from package.json.
+- Fix a possible symlink time of check to time of use race condition in GitLab Pages.
+- Removed ability to see private group names when the group id is entered in the url.
+- Fix stored XSS for Environments.
+- Block loopback addresses in UrlBlocker.
+- Prevent SSRF attacks in HipChat integration.
+- Validate Wiki attachments are valid temporary files.
+
+
## 11.3.10 (2018-11-18)
### Security (1 change)
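Review bot: the entry "Resolve reflected XSS in Ouath authorize window" misspells OAuth ("Ouath"); the typo is copied verbatim from the deleted changelogs/unreleased/security-fix-uri-xss-applications.yml, so CHANGELOG.md is now the only place left to correct it. Two consistency points in the same list: "Monkey kubeclient to not follow any redirects." reads as truncated (presumably "Monkey-patch kubeclient ..."), and trailing periods are inconsistent (the two locked/confidential-issue entries, the kubeclient entry and the private-group entry end with one, the other 29 do not). The "(33 changes)" count does match the 33 bullets, and only the !2537 and !2557 entries carry an MR reference, which agrees with the two deleted source files whose merge_request field was filled in.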
diff --git a/changelogs/unreleased/51527-xss-in-mr-source-branch.yml b/changelogs/unreleased/51527-xss-in-mr-source-branch.yml
deleted file mode 100644
index dae277b6413..00000000000
--- a/changelogs/unreleased/51527-xss-in-mr-source-branch.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS in merge request source branch name
-merge_request:
-author:
-type: security
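Review bot: merge_request is empty in this file (as in all but two of the deleted entries), so the generated CHANGELOG line "Fix XSS in merge request source branch name." carries no reference back to the fix; only security-osw-user-info-leak-discussions-11-3.yml (2537) and security-11-3-2717-fix-issue-title-xss.yml (2557) had the field set. If a reference is available for the security MRs, adding it before the changelog is generated would make the release notes traceable.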
diff --git a/changelogs/unreleased/fix-events-finder-incomplete.yml b/changelogs/unreleased/fix-events-finder-incomplete.yml
deleted file mode 100644
index f3a4e421d33..00000000000
--- a/changelogs/unreleased/fix-events-finder-incomplete.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact confidential events in the API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/redact-links-dev.yml b/changelogs/unreleased/redact-links-dev.yml
deleted file mode 100644
index 338e7965465..00000000000
--- a/changelogs/unreleased/redact-links-dev.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact personal tokens in unsubscribe links.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-3-2717-fix-issue-title-xss.yml b/changelogs/unreleased/security-11-3-2717-fix-issue-title-xss.yml
deleted file mode 100644
index c346b8734de..00000000000
--- a/changelogs/unreleased/security-11-3-2717-fix-issue-title-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape entity title while autocomplete template rendering to prevent XSS
-merge_request: 2557
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-3-2717-xss-username-autocomplete.yml b/changelogs/unreleased/security-11-3-2717-xss-username-autocomplete.yml
deleted file mode 100644
index d9b1015eeb4..00000000000
--- a/changelogs/unreleased/security-11-3-2717-xss-username-autocomplete.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape user fullname while rendering autocomplete template to prevent XSS
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-3-fj-crlf-injection.yml b/changelogs/unreleased/security-11-3-fj-crlf-injection.yml
deleted file mode 100644
index 861167b8a6e..00000000000
--- a/changelogs/unreleased/security-11-3-fj-crlf-injection.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix CRLF vulnerability in Project hooks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-3-xss-in-markdown-following-unrecognized-html-element.yml b/changelogs/unreleased/security-11-3-xss-in-markdown-following-unrecognized-html-element.yml
deleted file mode 100644
index 16c4474aadd..00000000000
--- a/changelogs/unreleased/security-11-3-xss-in-markdown-following-unrecognized-html-element.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix possible XSS attack in Markdown urls with spaces
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-182-update-workhorse.yml b/changelogs/unreleased/security-182-update-workhorse.yml
deleted file mode 100644
index 76850901b68..00000000000
--- a/changelogs/unreleased/security-182-update-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact sensitive information on gitlab-workhorse log
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2697-code-highlight-timeout.yml b/changelogs/unreleased/security-2697-code-highlight-timeout.yml
deleted file mode 100644
index 66ad9ff822b..00000000000
--- a/changelogs/unreleased/security-2697-code-highlight-timeout.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Set timeout for syntax highlighting
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2736-prometheus-ssrf.yml b/changelogs/unreleased/security-2736-prometheus-ssrf.yml
deleted file mode 100644
index 9d0dda8a75f..00000000000
--- a/changelogs/unreleased/security-2736-prometheus-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not follow redirects in Prometheus service when making http requests to the configured api url
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml b/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml
deleted file mode 100644
index 4cebe814148..00000000000
--- a/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Persist only SHA digest of PersonalAccessToken#token
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-acet-issue-details.yml b/changelogs/unreleased/security-acet-issue-details.yml
deleted file mode 100644
index 64147a9d6e8..00000000000
--- a/changelogs/unreleased/security-acet-issue-details.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Sanitize JSON data properly to fix XSS on Issue details page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml b/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
deleted file mode 100644
index 0361fb0c041..00000000000
--- a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't expose confidential information in commit message list
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml b/changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml
deleted file mode 100644
index e0231b7962f..00000000000
--- a/changelogs/unreleased/security-bw-confidential-titles-through-markdown-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Markdown API no longer displays confidential title references unless authorized
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-email-change-notification.yml b/changelogs/unreleased/security-email-change-notification.yml
deleted file mode 100644
index 45075ff20bb..00000000000
--- a/changelogs/unreleased/security-email-change-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Provide email notification when a user changes their email address
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-leaking-private-project-namespace.yml b/changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
deleted file mode 100644
index 589d16c0c35..00000000000
--- a/changelogs/unreleased/security-fix-leaking-private-project-namespace.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Properly filter private references from system notes
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-pat-web-access.yml b/changelogs/unreleased/security-fix-pat-web-access.yml
deleted file mode 100644
index 62ffb908fe5..00000000000
--- a/changelogs/unreleased/security-fix-pat-web-access.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict Personal Access Tokens to API scope on web requests
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-uri-xss-applications.yml b/changelogs/unreleased/security-fix-uri-xss-applications.yml
deleted file mode 100644
index 0eaa1b1c4a3..00000000000
--- a/changelogs/unreleased/security-fix-uri-xss-applications.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Resolve reflected XSS in Ouath authorize window
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml b/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
deleted file mode 100644
index 32c85a2a7da..00000000000
--- a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF in project integrations
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fj-stored-xss-in-repository-imports.yml b/changelogs/unreleased/security-fj-stored-xss-in-repository-imports.yml
deleted file mode 100644
index 7520aa624c7..00000000000
--- a/changelogs/unreleased/security-fj-stored-xss-in-repository-imports.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix stored XSS in merge requests from imported repository
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-comments.yml b/changelogs/unreleased/security-guest-comments.yml
deleted file mode 100644
index 2c99512433b..00000000000
--- a/changelogs/unreleased/security-guest-comments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability to comment on locked/confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-comments_2.yml b/changelogs/unreleased/security-guest-comments_2.yml
deleted file mode 100644
index be6f2d6a490..00000000000
--- a/changelogs/unreleased/security-guest-comments_2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability of guest users to edit/delete comments on locked or confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-issue_51301.yml b/changelogs/unreleased/security-issue_51301.yml
deleted file mode 100644
index cf8ebb54b1c..00000000000
--- a/changelogs/unreleased/security-issue_51301.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix milestone promotion authorization check
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kubeclient-ssrf.yml b/changelogs/unreleased/security-kubeclient-ssrf.yml
deleted file mode 100644
index 45fc41029fc..00000000000
--- a/changelogs/unreleased/security-kubeclient-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Monkey kubeclient to not follow any redirects.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mermaid-xss.yml b/changelogs/unreleased/security-mermaid-xss.yml
deleted file mode 100644
index bcf93ef37ff..00000000000
--- a/changelogs/unreleased/security-mermaid-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Configure mermaid to not render HTML content in diagrams
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-osw-user-info-leak-discussions-11-3.yml b/changelogs/unreleased/security-osw-user-info-leak-discussions-11-3.yml
deleted file mode 100644
index 0276ffe032f..00000000000
--- a/changelogs/unreleased/security-osw-user-info-leak-discussions-11-3.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filter user sensitive data from discussions JSON
-merge_request: 2537
-author:
-type: security
diff --git a/changelogs/unreleased/security-package-json-xss.yml b/changelogs/unreleased/security-package-json-xss.yml
deleted file mode 100644
index 6ab4854e44f..00000000000
--- a/changelogs/unreleased/security-package-json-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix xss vulnerability sourced from package.json
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pages-toctou-race.yml b/changelogs/unreleased/security-pages-toctou-race.yml
deleted file mode 100644
index 1c055f6087f..00000000000
--- a/changelogs/unreleased/security-pages-toctou-race.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix a possible symlink time of check to time of use race condition in GitLab
- Pages
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-private-group-11-5.yml b/changelogs/unreleased/security-private-group-11-5.yml
deleted file mode 100644
index dbb7794dfed..00000000000
--- a/changelogs/unreleased/security-private-group-11-5.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Removed ability to see private group names when the group id is entered in
- the url.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-stored-xss-for-environments.yml b/changelogs/unreleased/security-stored-xss-for-environments.yml
deleted file mode 100644
index 5d78ca00942..00000000000
--- a/changelogs/unreleased/security-stored-xss-for-environments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix stored XSS for Environments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-block-other-localhost.yml b/changelogs/unreleased/sh-block-other-localhost.yml
deleted file mode 100644
index a6a41f0bd81..00000000000
--- a/changelogs/unreleased/sh-block-other-localhost.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block loopback addresses in UrlBlocker
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
deleted file mode 100644
index cdc95a34fcf..00000000000
--- a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent SSRF attacks in HipChat integration
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml b/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
deleted file mode 100644
index ac6ab7cc3f4..00000000000
--- a/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate Wiki attachments are valid temporary files
-merge_request:
-author:
-type: security