diff options
author | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2019-08-28 21:38:06 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> | 2019-08-28 21:38:06 +0300 |
commit | 3ba23e0229d70b1480af096fe8d1ae51d87417ab (patch) | |
tree | 2c58e7bb78717d96fc260701de76e9308507f203 /CHANGELOG.md | |
parent | 8e6b9e26522ce643c2e717164ed2bddf7773f630 (diff) |
Update CHANGELOG.md for 12.1.8
[ci skip]
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- | CHANGELOG.md | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 62ec1dcdee8..4c78f845ce9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,33 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 12.1.8 + +### Security (21 changes) + +- Ensure only authorised users can create notes on Merge Requests and Issues. +- Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks. +- Speed up regexp in namespace format by failing fast after reaching maximum namespace depth. +- Limit the size of issuable description and comments. +- Send TODOs for comments on commits correctly. +- Restrict MergeRequests#test_reports to authenticated users with read-access on Builds. +- Added image proxy to mitigate potential stealing of IP addresses. +- Filter out old system notes for epics in notes api endpoint response. +- Avoid exposing unaccessible repo data upon GFM post processing. +- Fix HTML injection for label description. +- Make sure HTML text is always escaped when replacing label/milestone references. +- Prevent DNS rebind on JIRA service integration. +- Use admin_group authorization in Groups::RunnersController. +- Prevent disclosure of merge request ID via email. +- Show cross-referenced MR-id in issues' activities only to authorized users. +- Enforce max chars and max render time in markdown math. +- Check permissions before responding in MergeController#pipeline_status. +- Remove EXIF from users/personal snippet uploads. +- Fix project import restricted visibility bypass via API. +- Fix weak session management by clearing password reset tokens after login (username/email) are updated. +- Fix SSRF via DNS rebinding in Kubernetes Integration. + + ## 12.1.7 - Unreleased due to QA failure. |