| field | value | date |
|---|---|---|
| author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-09-02 17:47:11 +0300 |
| committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2020-09-02 17:47:11 +0300 |
| commit | e2d4c85dec083d517822e3a21165cd373b162d9b (patch) | |
| tree | 9b407b789d3744a0e7ef594e9edd84130aa81a9c | |
| parent | 4fa04f789e6fed5f0dfeafe718eeb7f56a5086e9 (diff) | |
| parent | f0d1beb6f8f7027783731ef72278356a54f188de (diff) | |
Merge remote-tracking branch 'dev/master'
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | CHANGELOG.md | 87 |
| -rw-r--r-- | changelogs/unreleased/security-223-webhook-dos-attack.yml | 5 |
| -rw-r--r-- | changelogs/unreleased/security-upgrade-jquery-3-5.yml | 5 |
3 files changed, 87 insertions, 10 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 60e1d7820da..728427806a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,35 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.3.3 (2020-09-02) + +### Security (23 changes, 1 of them is from the community) + +- Check validity of project's import_url before mirroring repository. +- Show on two-factor authentication setup page groups that are the cause of this requirement. +- Prevent interrupted 2FA sign-in from signing-in incorrect user. +- Create new 2FA code each time user is entering 2FA setup page. +- Remove all sessions but current while enabling 2FA. +- Invalidate two factor sign-in when user password changes. +- Delete members invites created by users being deleted. +- Prevent OmniAuth from rendering arbitrary error messages. +- Prevent not-2fa authenticated users that are supposed to use it to consume api via session. +- Invalidate remember me when an active session is revoked. +- Add rate limit on webhooks testing feature. +- Add scope presence validation to OAuth Application creation. +- Allow only running job tokens for API authentication. +- Prevent Deploy Tokens to read project resources when repository is disabled. +- Change conan api to use proper workhorse validation. +- Ensure global ID is of Snippet type in GraphQL destroy mutation. +- Fix Improper Access Control on Deploy-Key. +- Set maximum limit for profile events. +- Persist EKS External ID before presenting it to the user. +- Prevent project maintainers from editing group badges. +- Upgrade jquery to v3.5. +- Update websocket-extensions gem to 0.1.5. (Vitor Meireles De Sousa) +- Update GitLab Runner Helm Chart to 0.19.3. + + ## 13.3.2 (2020-08-28) ### Removed (1 change) 
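Review bot: several of the new 13.3.3 entries read awkwardly and none carries a merge request reference, unlike the `!39648`-style entries elsewhere in this file; if the security MRs are still confidential that is expected, but the wording should be tightened before release notes are generated from it, e.g. `- Prevent Deploy Tokens from reading project resources when the repository is disabled.` and `- Prevent users who are required to use 2FA but have not completed it from consuming the API via a session.` Also `two factor` in the password-change entry should be `two-factor`, matching `two-factor authentication` a few lines above, and `Fix Improper Access Control on Deploy-Key` should be lowercased to `improper access control on deploy keys`. The heading count (23) does match the 23 bullets.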
@@ -553,6 +582,35 @@ entry. - Replace fa-pencil icon with GitLab SVG. !39648 +## 13.2.7 (2020-09-02) + +### Security (23 changes, 1 of them is from the community) + +- Check validity of project's import_url before mirroring repository. +- Show on two-factor authentication setup page groups that are the cause of this requirement. +- Prevent interrupted 2FA sign-in from signing-in incorrect user. +- Create new 2FA code each time user is entering 2FA setup page. +- Remove all sessions but current while enabling 2FA. +- Invalidate two factor sign-in when user password changes. +- Delete members invites created by users being deleted. +- Prevent OmniAuth from rendering arbitrary error messages. +- Prevent not-2fa authenticated users that are supposed to use it to consume api via session. +- Invalidate remember me when an active session is revoked. +- Add rate limit on webhooks testing feature. +- Add scope presence validation to OAuth Application creation. +- Allow only running job tokens for API authentication. +- Prevent Deploy Tokens to read project resources when repository is disabled. +- Change conan api to use proper workhorse validation. +- Ensure global ID is of Snippet type in GraphQL destroy mutation. +- Fix Improper Access Control on Deploy-Key. +- Set maximum limit for profile events. +- Persist EKS External ID before presenting it to the user. +- Prevent project maintainers from editing group badges. +- Upgrade jquery to v3.5. +- Update websocket-extensions gem to 0.1.5. (Vitor Meireles De Sousa) +- Update GitLab Runner Helm Chart to 0.18.3. + + ## 13.2.6 (2020-08-18) - No changes. 
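Review bot: the 13.2.7 block is identical to the 13.3.3 block except for its last entry, `- Update GitLab Runner Helm Chart to 0.18.3.` versus `0.19.3` in 13.3.3; since this is the only version-specific fact in the copied block, please confirm 0.18.3 is the chart line actually shipped on the 13.2 stable branch and not a stale value carried over from an older backport.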
@@ -1621,6 +1679,35 @@ entry. - Remove removeIssue logic from list model. (nuwe1) +## 13.1.9 (2020-09-02) + +### Security (23 changes, 1 of them is from the community) + +- Check validity of project's import_url before mirroring repository. +- Show on two-factor authentication setup page groups that are the cause of this requirement. +- Prevent interrupted 2FA sign-in from signing-in incorrect user. +- Create new 2FA code each time user is entering 2FA setup page. +- Remove all sessions but current while enabling 2FA. +- Invalidate two factor sign-in when user password changes. +- Delete members invites created by users being deleted. +- Prevent OmniAuth from rendering arbitrary error messages. +- Prevent not-2fa authenticated users that are supposed to use it to consume api via session. +- Invalidate remember me when an active session is revoked. +- Add rate limit on webhooks testing feature. +- Add scope presence validation to OAuth Application creation. +- Allow only running job tokens for API authentication. +- Prevent Deploy Tokens to read project resources when repository is disabled. +- Change conan api to use proper workhorse validation. +- Ensure global ID is of Snippet type in GraphQL destroy mutation. +- Fix Improper Access Control on Deploy-Key. +- Set maximum limit for profile events. +- Persist EKS External ID before presenting it to the user. +- Prevent project maintainers from editing group badges. +- Upgrade jquery to v3.5. +- Update websocket-extensions gem to 0.1.5. (Vitor Meireles De Sousa) +- Update GitLab Runner Helm Chart to 0.18.3. + + ## 13.1.8 (2020-08-18) - No changes. diff --git a/changelogs/unreleased/security-223-webhook-dos-attack.yml b/changelogs/unreleased/security-223-webhook-dos-attack.yml deleted file mode 100644 index ef1ab2c2415..00000000000 --- a/changelogs/unreleased/security-223-webhook-dos-attack.yml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -title: Add rate limit on webhooks testing feature -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-upgrade-jquery-3-5.yml b/changelogs/unreleased/security-upgrade-jquery-3-5.yml deleted file mode 100644 index d2a9a8fed6c..00000000000 --- a/changelogs/unreleased/security-upgrade-jquery-3-5.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Upgrade jquery to v3.5 -merge_request: -author: -type: security |
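Review bot: only two `changelogs/unreleased/*.yml` files are deleted here (the webhook rate limit and the jQuery upgrade) while CHANGELOG.md gains 23 security entries per release; please verify that no unreleased YAML files remain on `master` for the other 21 entries, otherwise the next release's changelog generation will add them again under a later version. Both deleted files also have empty `merge_request:` and `author:` fields, which is why the generated CHANGELOG lines carry no `!NNNN` reference; once the corresponding MRs are public, the references can be added to CHANGELOG.md directly.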