diff options
author | Jose Ivan Vargas <jvargas@gitlab.com> | 2017-09-07 00:34:16 +0300 |
---|---|---|
committer | Jose Ivan Vargas <jvargas@gitlab.com> | 2017-09-07 00:34:16 +0300 |
commit | bcc3048033c44b9482c9588617a7b0183e9f6f7e (patch) | |
tree | 67ee0e7dbeedb3d17049cb1b4dc0ff6d005bc378 | |
parent | e42dfe49fd59bcc60240a85afdcc78054e128e63 (diff) |
Update CHANGELOG.md for 9.3.11
[ci skip]
16 files changed, 18 insertions, 63 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index e55e878b129..3c36cc83888 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,24 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 9.3.11 (2017-09-06) + +- [SECURITY] Upgrade mail and nokogiri gems due to security issues. !13662 (Markus Koller) +- [SECURITY] Prevent a persistent XSS in the commit author block. +- Improve support for external issue references. !12485 +- Use uploads/system directory for personal snippets. +- Remove uploads/appearance symlink. A leftover from a previous migration. +- Fix XSS issue in go-get handling. +- Remove hidden symlinks from project import files. +- Fix an infinite loop when handling user-supplied regular expressions. +- Fixes race condition in project uploads. +- Fixes race condition in project uploads. +- Disallow Git URLs that include a username or hostname beginning with a non-alphanumeric character. +- Disallow arbitrary properties in `th` and `td` `style` attributes. +- Resolve CSRF token leakage via pathname manipulation on environments page. +- Disallow the `name` attribute on all user-provided markup. +- Renders 404 if given project is not readable by the user on Todos dashboard. + ## 9.3.10 (2017-08-09) - Remove hidden symlinks from project import files. diff --git a/changelogs/unreleased/29943-environment-folder.yml b/changelogs/unreleased/29943-environment-folder.yml deleted file mode 100644 index 8434d07d86e..00000000000 --- a/changelogs/unreleased/29943-environment-folder.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Resolve CSRF token leakage via pathname manipulation on environments page -merge_request: -author: diff --git a/changelogs/unreleased/33303-404-for-unauthorized-project.yml b/changelogs/unreleased/33303-404-for-unauthorized-project.yml deleted file mode 100644 index 5a5a337129e..00000000000 --- a/changelogs/unreleased/33303-404-for-unauthorized-project.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Renders 404 if given project is not readable by the user on Todos dashboard -merge_request: -author: diff --git a/changelogs/unreleased/33359-pers-snippet-files-location.yml b/changelogs/unreleased/33359-pers-snippet-files-location.yml deleted file mode 100644 index 22fa301cb5e..00000000000 --- a/changelogs/unreleased/33359-pers-snippet-files-location.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Use uploads/system directory for personal snippets -merge_request: -author: diff --git a/changelogs/unreleased/adam-external-issue-references-spike.yml b/changelogs/unreleased/adam-external-issue-references-spike.yml deleted file mode 100644 index aeec6688425..00000000000 --- a/changelogs/unreleased/adam-external-issue-references-spike.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Improve support for external issue references -merge_request: 12485 -author: diff --git a/changelogs/unreleased/bvl-remove-appearance-symlink.yml b/changelogs/unreleased/bvl-remove-appearance-symlink.yml deleted file mode 100644 index 2b1c188528a..00000000000 --- a/changelogs/unreleased/bvl-remove-appearance-symlink.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Remove uploads/appearance symlink. A leftover from a previous migration. -merge_request: -author: diff --git a/changelogs/unreleased/dm-go-get-xss.yml b/changelogs/unreleased/dm-go-get-xss.yml deleted file mode 100644 index bf0a7f4bd3d..00000000000 --- a/changelogs/unreleased/dm-go-get-xss.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Fix XSS issue in go-get handling -merge_request: -author: diff --git a/changelogs/unreleased/fix-escape-commit-block.yml b/changelogs/unreleased/fix-escape-commit-block.yml deleted file mode 100644 index 0665c8e5db2..00000000000 --- a/changelogs/unreleased/fix-escape-commit-block.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent a persistent XSS in the commit author block -merge_request: -author: -type: security diff --git a/changelogs/unreleased/fix-gem-security-updates.yml b/changelogs/unreleased/fix-gem-security-updates.yml deleted file mode 100644 index dce11d08402..00000000000 --- a/changelogs/unreleased/fix-gem-security-updates.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Upgrade mail and nokogiri gems due to security issues -merge_request: 13662 -author: Markus Koller -type: security diff --git a/changelogs/unreleased/fix-import-symbolink-links.yml b/changelogs/unreleased/fix-import-symbolink-links.yml deleted file mode 100644 index 36e73821bdc..00000000000 --- a/changelogs/unreleased/fix-import-symbolink-links.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Remove hidden symlinks from project import files -merge_request: -author: diff --git a/changelogs/unreleased/fix-re2-infinite-loop-nick.yml b/changelogs/unreleased/fix-re2-infinite-loop-nick.yml deleted file mode 100644 index 3c314ab2718..00000000000 --- a/changelogs/unreleased/fix-re2-infinite-loop-nick.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Fix an infinite loop when handling user-supplied regular expressions -merge_request: -author: diff --git a/changelogs/unreleased/race-condition-in-project-uploads-fix-9-3.yml b/changelogs/unreleased/race-condition-in-project-uploads-fix-9-3.yml deleted file mode 100644 index adf9d77bce8..00000000000 --- a/changelogs/unreleased/race-condition-in-project-uploads-fix-9-3.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Fixes race condition in project uploads -merge_request: -author: diff --git a/changelogs/unreleased/race-condition-in-project-uploads-fix-9-4.yml b/changelogs/unreleased/race-condition-in-project-uploads-fix-9-4.yml deleted file mode 100644 index adf9d77bce8..00000000000 --- a/changelogs/unreleased/race-condition-in-project-uploads-fix-9-4.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Fixes race condition in project uploads -merge_request: -author: diff --git a/changelogs/unreleased/rs-alphanumeric-ssh-params.yml b/changelogs/unreleased/rs-alphanumeric-ssh-params.yml deleted file mode 100644 index 426b01cafad..00000000000 --- a/changelogs/unreleased/rs-alphanumeric-ssh-params.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Disallow Git URLs that include a username or hostname beginning with a non-alphanumeric - character -merge_request: -author: diff --git a/changelogs/unreleased/rs-issue-36098.yml b/changelogs/unreleased/rs-issue-36098.yml deleted file mode 100644 index 56b92705a80..00000000000 --- a/changelogs/unreleased/rs-issue-36098.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Disallow arbitrary properties in `th` and `td` `style` attributes -merge_request: -author: diff --git a/changelogs/unreleased/rs-issue-36104.yml b/changelogs/unreleased/rs-issue-36104.yml deleted file mode 100644 index b050cd83175..00000000000 --- a/changelogs/unreleased/rs-issue-36104.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Disallow the `name` attribute on all user-provided markup -merge_request: -author: |