
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: GitLab Bot <gitlab-bot@gitlab.com> 2020-11-02 12:37:30 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-11-02 12:37:30 +0300
commit: 2f70f228973da802c87bfab815aed6f86bfbe3e4 (patch)
tree: f8865f29d52c3d67945c6b50853df6a9355da902
parent: 01a049f93804d72250423bdd18284ba23a5ec9f6 (diff)
Add latest changes from gitlab-org/security/gitlab@13-3-stable-eev13.3.9
-rw-r--r-- CHANGELOG.md | 15
-rw-r--r-- GITALY_SERVER_VERSION | 2
-rw-r--r-- changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml | 5
-rw-r--r-- changelogs/unreleased/security-10io-validate-nuget-package-name.yml | 5
-rw-r--r-- changelogs/unreleased/security-255886.yml | 5
-rw-r--r-- changelogs/unreleased/security-container-regex-backtrack.yml | 5
-rw-r--r-- changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml | 5
-rw-r--r-- changelogs/unreleased/security-kubernetes-agent-internal-api.yml | 5
-rw-r--r-- changelogs/unreleased/security-runner-csrf-milestone-13-6.yml | 5
-rw-r--r-- changelogs/unreleased/security-stored-xss-build-dependencies.yml | 5
-rw-r--r-- changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml | 5
11 files changed, 16 insertions, 46 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe68016cbb3..af3c353b184 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,21 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 13.3.9 (2020-11-02)
+
+### Security (9 changes)
+
+- Add CSRF protection to runner pause and resume. !1021
+- Do not expose Terraform state record in API.
+- Path traversal to RCE via LFS upload.
+- Update container_repository_name_regex to prevent catastrophic backtracking.
+- Validate nuget package names.
+- Prevent private repo from being accessed via internal Kubernetes API.
+- Validate each upload param key in multipart.rb.
+- Fix XSS vulnerability for job build dependencies.
+- Fix unauthorized user is able to access schedule pipeline variables and values.
+
+
## 13.3.8 (2020-10-21)
### Fixed (2 changes)
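Review bot: The entry "Path traversal to RCE via LFS upload" in the new 13.3.9 section names the vulnerability rather than the fix, unlike the other eight entries, which are phrased as actions ("Validate ...", "Prevent ...", "Fix ..."). Reword it to describe what changed, for example "Prevent path traversal via LFS upload", so readers of the CHANGELOG cannot mistake it for an open issue. Separately, only "Add CSRF protection to runner pause and resume. !1021" carries a merge request reference; the remaining eight have none, which is expected for entries synced from the security fork but leaves operators with no pointer to the fix. If the corresponding advisories or public MRs exist by the time this is released, add them, and drop the extra blank line before "## 13.3.8 (2020-10-21)" to match the single-blank-line spacing used elsewhere in the file.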
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 176df6ffec5..4feaa4d3ce1 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.3.8 \ No newline at end of file
+13.3.9 \ No newline at end of file
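Review bot: The Gitaly pin moves from 13.3.8 to 13.3.9, but nothing in this commit says whether that Gitaly release carries a security fix of its own or is a version bump for parity with the GitLab 13.3.9 patch release. If Gitaly 13.3.9 fixes anything security-relevant, it should be mentioned in the CHANGELOG section added in this same commit; if not, a line in the commit message or CHANGELOG noting the bump is version alignment only would save operators a lookup.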
diff --git a/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml b/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml
deleted file mode 100644
index e0d1a4e535d..00000000000
--- a/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate each upload param key in multipart.rb
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-10io-validate-nuget-package-name.yml b/changelogs/unreleased/security-10io-validate-nuget-package-name.yml
deleted file mode 100644
index aaf30711868..00000000000
--- a/changelogs/unreleased/security-10io-validate-nuget-package-name.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate nuget package names
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-255886.yml b/changelogs/unreleased/security-255886.yml
deleted file mode 100644
index 8fe8da59444..00000000000
--- a/changelogs/unreleased/security-255886.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Path traversal to RCE via LFS upload
-merge_request:
-author:
-type: security
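Review bot: The title in this removed entry, "Path traversal to RCE via LFS upload", is carried verbatim into CHANGELOG.md in this commit, so the mismatch with the other entries (which describe the fix, not the bug) originates here. The filename references 255886, presumably an issue number, while the merge_request field is blank; since neither the issue nor the fixing MR is linked, a reader of the released CHANGELOG has no way to find the scope of the fix. Consider recording the MR or advisory reference before the entry is folded into the release notes.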
diff --git a/changelogs/unreleased/security-container-regex-backtrack.yml b/changelogs/unreleased/security-container-regex-backtrack.yml
deleted file mode 100644
index c88fd526d47..00000000000
--- a/changelogs/unreleased/security-container-regex-backtrack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update container_repository_name_regex to prevent catastrophic backtracking
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml b/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
deleted file mode 100644
index 1e37aed6ca0..00000000000
--- a/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not expose Terraform state record in API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kubernetes-agent-internal-api.yml b/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
deleted file mode 100644
index 9ed192e90cc..00000000000
--- a/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent private repo from being accessed via internal Kubernetes API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml b/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml
deleted file mode 100644
index 4b661ecfdc9..00000000000
--- a/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add CSRF protection to runner pause and resume
-merge_request: 1021
-author:
-type: security
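Review bot: This is the only one of the nine removed security entries with a merge_request value (1021), and CHANGELOG.md in this commit renders it as "!1021". Because the commit message says these changes were synced from gitlab-org/security/gitlab, confirm that !1021 resolves to the intended MR in the public gitlab-org/gitlab project rather than to an unrelated MR with the same number; if it only exists in the security fork, either drop the reference like the other eight entries or replace it with the public advisory link.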
diff --git a/changelogs/unreleased/security-stored-xss-build-dependencies.yml b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
deleted file mode 100644
index a5ce2bd0158..00000000000
--- a/changelogs/unreleased/security-stored-xss-build-dependencies.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability for job build dependencies
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml b/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
deleted file mode 100644
index fc6702f8067..00000000000
--- a/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix unauthorized user is able to access schedule pipeline variables and values
-merge_request:
-author:
-type: security