gitlab.com/gitlab-org/gitlab-foss.git
author: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-10-01 15:46:46 +0300
committer: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> 2020-10-01 15:46:46 +0300
commit: 83ea39eb031cf663a8136d0eb35539026a3f259e
tree: 46c32a7773365bea6cbddf8b6a68c93abbcde20b /CHANGELOG.md
parent: a27b8a5c104f492e4b0abac4c84385a615c4f6ba
Update CHANGELOG.md for 13.4.2
[ci skip]
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- CHANGELOG.md 20
1 files changed, 20 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 19075b42f0a..63d0fb2b1c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,26 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 13.4.2 (2020-10-01)
+
+### Security (14 changes)
+
+- Do not store session id in Redis.
+- Fix permission checks when updating confidentiality and milestone on issues or merge requests.
+- Purge unaccepted member invitations older than 90 days.
+- Adds feature flags plan limits.
+- Prevent SVG XSS via Web IDE.
+- Ensure user has no solo owned groups before triggering account deletion.
+- Security fix safe params helper.
+- Do not bypass admin mode when authenticated with deploy token.
+- Fixes release asset link filepath ReDoS.
+- Ensure global ID is of Annotation type in GraphQL destroy mutation.
+- Validate that membership expiry dates are not in the past.
+- Rate limit adding new email and re-sending email confirmation.
+- Fix redaction of confidential Todos.
+- Update GitLab Runner Helm Chart to 0.20.2.
+
+
## 13.4.0 (2020-09-22)
### Security (2 changes, 1 of them is from the community)
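
Review bot: Two of the added Security entries do not say what was fixed: "Security fix safe params helper." names a component but not the defect, and "Adds feature flags plan limits." reads as a feature and is the only entry not in the imperative form used by its neighbours ("Fix ...", "Prevent ...", "Ensure ..."). Suggest rewording both to state the behaviour that changed, in the same form as the other lines. None of the 14 entries carries a merge request, issue or advisory reference, so someone triaging the 13.4.2 upgrade cannot map a line such as "Do not store session id in Redis." to the change behind it; a reference per entry would help. The hunk also adds two consecutive blank lines before the "## 13.4.0 (2020-09-22)" heading, where one is enough.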