| field | value |
|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com>, 2020-11-03 00:09:10 +0300 |
| committer | GitLab Bot <gitlab-bot@gitlab.com>, 2020-11-03 00:09:10 +0300 |
| commit | a97f1426db3f521d2fcf699fa106a2ca4eddb801 |
| tree | 01ab04f8cd044e46998602cabe5bc77285bad782 (limited to /CHANGELOG.md) |
| parent | 77cf68da37567a0432108d6755b6c7578e5b7dc8 |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- | CHANGELOG.md | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 1615c30108d..fc7b8b76344 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,21 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.5.2 (2020-11-02) + +### Security (9 changes) + +- Add CSRF protection to runner pause and resume. !1021 +- Do not expose Terraform state record in API. +- Path traversal to RCE via LFS upload. +- Update container_repository_name_regex to prevent catastrophic backtracking. +- Validate nuget package names. +- Prevent private repo from being accessed via internal Kubernetes API. +- Validate each upload param key in multipart.rb. +- Fix XSS vulnerability for job build dependencies. +- Fix unauthorized user is able to access schedule pipeline variables and values. + + ## 13.5.1 (2020-10-22) ### Other (1 change) @@ -583,6 +598,21 @@ entry. - Bump cluster applications CI template. !45472 +## 13.4.5 (2020-11-02) + +### Security (9 changes) + +- Add CSRF protection to runner pause and resume. !1021 +- Do not expose Terraform state record in API. +- Path traversal to RCE via LFS upload. +- Update container_repository_name_regex to prevent catastrophic backtracking. +- Validate nuget package names. +- Prevent private repo from being accessed via internal Kubernetes API. +- Validate each upload param key in multipart.rb. +- Fix XSS vulnerability for job build dependencies. +- Fix unauthorized user is able to access schedule pipeline variables and values. + + ## 13.4.4 (2020-10-15) ### Fixed (2 changes) 
@@ -1241,6 +1271,21 @@ entry. - Expand the visible highlight for collapsed diffs (re: !41393). !42343 +## 13.3.9 (2020-11-02) + +### Security (9 changes) + +- Add CSRF protection to runner pause and resume. !1021 +- Do not expose Terraform state record in API. +- Path traversal to RCE via LFS upload. +- Update container_repository_name_regex to prevent catastrophic backtracking. +- Validate nuget package names. +- Prevent private repo from being accessed via internal Kubernetes API. +- Validate each upload param key in multipart.rb. +- Fix XSS vulnerability for job build dependencies. +- Fix unauthorized user is able to access schedule pipeline variables and values. + + ## 13.3.8 (2020-10-21) ### Fixed (2 changes) |
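Review bot: in the 13.5.2 Security block (hunk `@@ -2,6 +2,21 @@`), the entry "Path traversal to RCE via LFS upload." names the vulnerability rather than the fix and is the only line in the list without a leading verb; reword it in the same form as its neighbours, e.g. "Fix path traversal to RCE via LFS upload.", so a reader of the changelog can tell it is a resolved issue. The last entry, "Fix unauthorized user is able to access schedule pipeline variables and values.", is ungrammatical; "Prevent unauthorized users from accessing scheduled pipeline variables and values." reads cleanly. The `!1021` on the CSRF entry also does not match the merge request numbering visible elsewhere in this file (the surrounding context shows `!45472` and `!42343`), while the other eight security entries carry no reference at all; either drop it for consistency or confirm it resolves in the project this changelog belongs to.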
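Review bot: the 13.4.5 and 13.3.9 Security blocks (hunks `@@ -583,6 +598,21 @@` and `@@ -1241,6 +1271,21 @@`) are verbatim copies of the 13.5.2 block, so they inherit the same noun-phrase LFS upload entry, the same ungrammatical scheduled-pipeline entry and the same lone `!1021` reference; whatever wording is settled on for 13.5.2 should be applied identically to both backport sections so the three patch releases describe the same fixes the same way. Each of the three blocks also ends with two consecutive added blank lines (`+` followed by `+`) before the next version heading; one is enough to separate the sections.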