diff options
author | Steve Azzopardi <steveazz@outlook.com> | 2018-11-29 10:57:31 +0300 |
---|---|---|
committer | Steve Azzopardi <steveazz@outlook.com> | 2018-11-29 10:57:31 +0300 |
commit | e9d0bd8e909d077567b3ce3f9629b1602c731b37 (patch) | |
tree | e112f7c5a2bffb4431ccd1e6eff0606f060c9a7c | |
parent | 083e20e74341cf1f6bceae89e797d9a28bffb2fb (diff) | |
parent | 883b511b8d19289d7637daba7a94bf0587475136 (diff) |
Merge branch 'master' of dev.gitlab.org:gitlab/gitlab-ee
-rw-r--r-- | CHANGELOG-EE.md | 36 | ||||
-rw-r--r-- | CHANGELOG.md | 90 |
2 files changed, 126 insertions, 0 deletions
diff --git a/CHANGELOG-EE.md b/CHANGELOG-EE.md index 4978c852aef..4b196236a9a 100644 --- a/CHANGELOG-EE.md +++ b/CHANGELOG-EE.md @@ -1,5 +1,17 @@ Please view this file on the master branch, on stable branches it's out of date. +## 11.5.1 (2018-11-26) + +### Security (6 changes) + +- Sanitize tracing external_urls before saving to DB and when displaying the URL to prevent XSS issues. +- Prevent reporter roles from viewing the Jaeger tracing settings page. +- Fix IDOR at /drafts/publish. +- Authorize users when listing board users and milestones. +- Resolve: Guest can set weight of a new issue. +- Fixes XSS with merge request approvers selection. + + ## 11.5.0 (2018-11-22) ### Security (2 changes) @@ -103,6 +115,17 @@ Please view this file on the master branch, on stable branches it's out of date. - Geo: Clarify Geo HA documentation. +## 11.4.8 (2018-11-27) + +### Security (5 changes) + +- Escape entity title while autocomplete template rendering to prevent XSS. !707 +- Authorize users when listing board users and milestones. +- Fix IDOR at /drafts/publish. +- Resolve: Guest can set weight of a new issue. +- Fixes XSS with merge request approvers selection. + + ## 11.4.7 (2018-11-20) ### Fixed (1 change) @@ -236,6 +259,19 @@ Please view this file on the master branch, on stable branches it's out of date. - API: Allow issue weight parameter to be greater than or equal to zero. +## 11.3.11 (2018-11-26) + +### Security (7 changes) + +- Escape entity title while autocomplete template rendering to prevent XSS. !697 +- Properly filter private references from system notes. +- Authorize users when listing board users and milestones. +- Project groups approvers no longer leak private groups info. +- Resolve: Guest can set weight of a new issue. +- Fixes XSS with merge request approvers selection. +- Protect against CSRF attacks when adding Slack app. + + ## 11.3.10 (2018-11-18) - No changes. diff --git a/CHANGELOG.md b/CHANGELOG.md index e9a3ac90abe..b35bd97f064 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,28 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.5.1 (2018-11-26) + +### Security (16 changes) + +- Fix CRLF vulnerability in Project hooks. +- Fix possible XSS attack in Markdown urls with spaces. +- Redact sensitive information on gitlab-workhorse log. +- Do not follow redirects in Prometheus service when making http requests to the configured api url. +- Don't expose confidential information in commit message list. +- Provide email notification when a user changes their email address. +- Restrict Personal Access Tokens to API scope on web requests. +- Resolve reflected XSS in Ouath authorize window. +- Fix SSRF in project integrations. +- Fixed ability to comment on locked/confidential issues. +- Fixed ability of guest users to edit/delete comments on locked or confidential issues. +- Fix milestone promotion authorization check. +- Configure mermaid to not render HTML content in diagrams. +- Fix a possible symlink time of check to time of use race condition in GitLab Pages. +- Removed ability to see private group names when the group id is entered in the url. +- Fix stored XSS for Environments. + + ## 11.5.0 (2018-11-22) ### Security (10 changes, 1 of them is from the community) @@ -264,6 +286,36 @@ entry. - Disables stop environment button while the deploy is in progress. +## 11.4.8 (2018-11-27) + +### Security (24 changes) + +- Escape entity title while autocomplete template rendering to prevent XSS. !2571 +- Resolve reflected XSS in Ouath authorize window. +- Fix XSS in merge request source branch name. +- Escape user fullname while rendering autocomplete template to prevent XSS. +- Fix CRLF vulnerability in Project hooks. +- Fix possible XSS attack in Markdown urls with spaces. +- Redact sensitive information on gitlab-workhorse log. +- Do not follow redirects in Prometheus service when making http requests to the configured api url. +- Persist only SHA digest of PersonalAccessToken#token. +- Don't expose confidential information in commit message list. +- Provide email notification when a user changes their email address. +- Restrict Personal Access Tokens to API scope on web requests. +- Redact personal tokens in unsubscribe links. +- Fix SSRF in project integrations. +- Fixed ability to comment on locked/confidential issues. +- Fixed ability of guest users to edit/delete comments on locked or confidential issues. +- Fix milestone promotion authorization check. +- Monkey kubeclient to not follow any redirects. +- Configure mermaid to not render HTML content in diagrams. +- Fix a possible symlink time of check to time of use race condition in GitLab Pages. +- Removed ability to see private group names when the group id is entered in the url. +- Fix stored XSS for Environments. +- Prevent SSRF attacks in HipChat integration. +- Validate Wiki attachments are valid temporary files. + + ## 11.4.7 (2018-11-20) - No changes. @@ -544,6 +596,44 @@ entry. - Check frozen string in style builds. (gfyoung) +## 11.3.11 (2018-11-26) + +### Security (32 changes) + +- Filter user sensitive data from discussions JSON. !2537 +- Escape entity title while autocomplete template rendering to prevent XSS. !2557 +- Resolve reflected XSS in Ouath authorize window. +- Fix XSS in merge request source branch name. +- Fix CRLF vulnerability in Project hooks. +- Fix possible XSS attack in Markdown urls with spaces. +- Redact sensitive information on gitlab-workhorse log. +- Set timeout for syntax highlighting. +- Do not follow redirects in Prometheus service when making http requests to the configured api url. +- Persist only SHA digest of PersonalAccessToken#token. +- Sanitize JSON data properly to fix XSS on Issue details page. +- Don't expose confidential information in commit message list. +- Markdown API no longer displays confidential title references unless authorized. +- Provide email notification when a user changes their email address. +- Properly filter private references from system notes. +- Restrict Personal Access Tokens to API scope on web requests. +- Redact personal tokens in unsubscribe links. +- Fix SSRF in project integrations. +- Fix stored XSS in merge requests from imported repository. +- Fixed ability to comment on locked/confidential issues. +- Fixed ability of guest users to edit/delete comments on locked or confidential issues. +- Fix milestone promotion authorization check. +- Monkey kubeclient to not follow any redirects. +- Configure mermaid to not render HTML content in diagrams. +- Redact confidential events in the API. +- Fix xss vulnerability sourced from package.json. +- Fix a possible symlink time of check to time of use race condition in GitLab Pages. +- Removed ability to see private group names when the group id is entered in the url. +- Fix stored XSS for Environments. +- Block loopback addresses in UrlBlocker. +- Prevent SSRF attacks in HipChat integration. +- Validate Wiki attachments are valid temporary files. + + ## 11.3.10 (2018-11-18) ### Security (1 change) |