author | Yorick Peterse <yorick@yorickpeterse.com> | 2019-10-30 17:22:45 +0300 |
---|---|---|
committer | Yorick Peterse <yorick@yorickpeterse.com> | 2019-10-30 17:22:45 +0300 |
commit | ad8eea383406037a207c80421e6e4bfa357f8044 (patch) | |
tree | 396b89ad72b9d7e35fab26c6ee22c978a12defbb /changelogs | |
parent | 228d752ff09362002cc904d28edee7d63cc3cef2 (diff) | |
parent | b0f939a79fe16ff760d6e589c8f9cd71c0fa1da7 (diff) |
Merge dev.gitlab.org@master into GitLab.com@master
Diffstat (limited to 'changelogs')
13 files changed, 63 insertions, 0 deletions
diff --git a/changelogs/unreleased/29986-remove-leaky-401-responses.yml b/changelogs/unreleased/29986-remove-leaky-401-responses.yml
new file mode 100644
index 00000000000..3d60011b63f
--- /dev/null
+++ b/changelogs/unreleased/29986-remove-leaky-401-responses.yml
@@ -0,0 +1,5 @@
+---
+title: Standardize error response when route is missing
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml b/changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml
new file mode 100644
index 00000000000..59af202a3bd
--- /dev/null
+++ b/changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml
@@ -0,0 +1,5 @@
+---
+title: Do not display project labels that are not visible for user accessing group labels
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml b/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml
new file mode 100644
index 00000000000..b2901411729
--- /dev/null
+++ b/changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml
@@ -0,0 +1,5 @@
+---
+title: Show cross-referenced label and milestones in issues' activities only to authorized users
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml b/changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml
new file mode 100644
index 00000000000..5ce37b0d032
--- /dev/null
+++ b/changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml
@@ -0,0 +1,5 @@
+---
+title: Analyze incoming GraphQL queries and check for recursion
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml b/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
new file mode 100644
index 00000000000..3d9f480ba11
--- /dev/null
+++ b/changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml
@@ -0,0 +1,5 @@
+---
+title: Disallow unprivileged users from commenting on private repository commits
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml b/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml
new file mode 100644
index 00000000000..50dc9c32c5d
--- /dev/null
+++ b/changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml
@@ -0,0 +1,6 @@
+---
+title: Don't allow maintainers of a target project to delete the source branch of
+ a merge request from a fork
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-developer-transfer-project.yml b/changelogs/unreleased/security-developer-transfer-project.yml
new file mode 100644
index 00000000000..fe533fc099a
--- /dev/null
+++ b/changelogs/unreleased/security-developer-transfer-project.yml
@@ -0,0 +1,5 @@
+---
+title: Require Maintainer permission on group where project is transferred to
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml b/changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml
new file mode 100644
index 00000000000..5992e93bda2
--- /dev/null
+++ b/changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml
@@ -0,0 +1,3 @@
+---
+title: "Don't leak private members in project member autocomplete suggestions"
+type: security
diff --git a/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml b/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml
new file mode 100644
index 00000000000..dfd7a2d11f9
--- /dev/null
+++ b/changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml
@@ -0,0 +1,5 @@
+---
+title: Return 404 on LFS request if project doesn't exist
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-mask-sentry-token-ce.yml b/changelogs/unreleased/security-mask-sentry-token-ce.yml
new file mode 100644
index 00000000000..e9fe780a488
--- /dev/null
+++ b/changelogs/unreleased/security-mask-sentry-token-ce.yml
@@ -0,0 +1,4 @@
+---
+title: Mask sentry auth token in Error Tracking dashboard
+author:
+type: security
diff --git a/changelogs/unreleased/security-open-redirect-internalredirect.yml b/changelogs/unreleased/security-open-redirect-internalredirect.yml
new file mode 100644
index 00000000000..5ac65a4b355
--- /dev/null
+++ b/changelogs/unreleased/security-open-redirect-internalredirect.yml
@@ -0,0 +1,5 @@
+---
+title: Fixes a Open Redirect issue in `InternalRedirect`.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-stored-xss-using-find-file.yml b/changelogs/unreleased/security-stored-xss-using-find-file.yml
new file mode 100644
index 00000000000..41cd2f9494f
--- /dev/null
+++ b/changelogs/unreleased/security-stored-xss-using-find-file.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitize search text to prevent XSS
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-wiki-rdoc-content.yml b/changelogs/unreleased/security-wiki-rdoc-content.yml
new file mode 100644
index 00000000000..f40f1abcd94
--- /dev/null
+++ b/changelogs/unreleased/security-wiki-rdoc-content.yml
@@ -0,0 +1,5 @@
+---
+title: Sanitize all wiki markup formats with GitLab sanitization pipelines
+merge_request:
+author:
+type: security |