gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.

Age	Commit message (Collapse)	Author
2018-12-20	Update VERSION to 11.3.14v11.3.14 11-3-stable	GitLab Release Tools Bot

2018-12-20	Update CHANGELOG.md for 11.3.14	GitLab Release Tools Bot
	[ci skip]
2018-12-20	Merge branch 'security-import-symlink-11-3' of ↵	John Jarvis
	dev.gitlab.org:gitlab/gitlabhq into security-11-3
2018-12-13	Update VERSION to 11.3.13v11.3.13	GitLab Release Tools Bot

2018-12-13	Update CHANGELOG.md for 11.3.13	GitLab Release Tools Bot
	[ci skip]
2018-12-13	Merge branch 'security-2754-fix-lfs-import-11-3' into 'security-11-3'	John Jarvis
	[11.3] Validate LFS hrefs before downloading them See merge request gitlab/gitlabhq!2700
2018-12-06	Update VERSION to 11.3.12v11.3.12	GitLab Release Tools Bot

2018-12-06	Update CHANGELOG.md for 11.3.12	GitLab Release Tools Bot
	[ci skip]
2018-12-06	Merge branch 'security-54857-fix-templates-path-traversal-11-3' into ↵	Cindy Pallares
	'security-11-3' [11.3] Prevent a path traversal attack on global file templates See merge request gitlab/gitlabhq!2671
2018-11-27	Update VERSION to 11.3.11v11.3.11	GitLab Release Tools Bot

2018-11-27	Update CHANGELOG.md for 11.3.11	GitLab Release Tools Bot
	[ci skip]
2018-11-26	Merge branch 'security-fix-uri-xss-applications-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols See merge request gitlab/gitlabhq!2581
2018-11-26	Merge branch 'security-11-3-fj-crlf-injection' into 'security-11-3'	Steve Azzopardi
	[11.3] Fix CRLF issue in UrlValidator See merge request gitlab/gitlabhq!2654
2018-11-26	[11.3] Fix CRLF issue in UrlValidator	Francisco Javier López

2018-11-26	Merge branch 'security-182-update-workhorse-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Redact sensitive information on workhorse log See merge request gitlab/gitlabhq!2586
2018-11-26	Merge branch 'security-11-3-fix-webhook-ssrf-ipv6' into 'security-11-3'	Steve Azzopardi
	[11.3] Fix SSRF in project integrations See merge request gitlab/gitlabhq!2609
2018-11-26	Merge branch 'security-email-change-notification-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Resolve: "Provide email notification when a user changes their email address" See merge request gitlab/gitlabhq!2604
2018-11-26	Merge branch 'security-guest-comments-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Fixed ability to comment on and edit/delete comments on locked or confidential issues See merge request gitlab/gitlabhq!2648
2018-11-26	[11.3] Fixed ability to comment on and edit/delete comments on locked or ↵	Chantal Rollison
	confidential issues
2018-11-26	Resolve reflected XSS in Ouath authorize window	James Lopez

2018-11-26	Merge branch 'security-11-3-pages-toctou-race' into 'security-11-3'	Steve Azzopardi
	[11.3] [pages] Possible symlink time of check to time of use race condition See merge request gitlab/gitlabhq!2651
2018-11-26	Merge branch 'security-fix-pat-web-access-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2657
2018-11-23	Update to gitlab-workhorse 6.1.2	Steve Azzopardi
	6.1.1 does not include the security fix, but 6.1.2 does.
2018-11-23	Merge branch ↵	Steve Azzopardi
	'security-11-3-xss-in-markdown-following-unrecognized-html-element' into 'security-11-3' [11.3] XSS in markdown following unrecognized HTML element See merge request gitlab/gitlabhq!2633
2018-11-23	Merge branch 'security-mermaid-xss-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Fix XSS in mermaid diagrams See merge request gitlab/gitlabhq!2640
2018-11-23	Merge branch 'security-bvl-exposure-in-commits-list-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Don't expose confidential information in commit message list See merge request gitlab/gitlabhq!2644
2018-11-23	Merge branch 'security-issue_51301-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Resolve: Promoting a milestone is missing an authorization check See merge request gitlab/gitlabhq!2621
2018-11-23	Merge branch 'security-2736-prometheus-ssrf-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Do not follow redirects in prometheus service See merge request gitlab/gitlabhq!2625
2018-11-23	Merge branch 'security-11-3-stored-xss-for-environments' into 'security-11-3'	Steve Azzopardi
	[11.3] Stored XSS for Environments See merge request gitlab/gitlabhq!2616
2018-11-23	Merge branch '11-3-stable' into security-11-3	Steve Azzopardi

2018-11-23	Merge branch 'security-private-group-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Fixed read name of private groups See merge request gitlab/gitlabhq!2592
2018-11-23	Update code to use API scope on PAT auth	James Lopez

2018-11-21	Upgrade GitLab Pages to v1.1.1	Alessio Caiazza

2018-11-19	Don't use fragment cache on commit page	Bob Van Landuyt
	This makes sure the user viewing the commit does not get to see anything they're not allowed to see
2018-11-19	Configure mermaid to not render HTML content in diagrams	Winnie Hellmann
	(cherry picked from commit f2e9f22f7d3d84abeea5ba2918ee5ffcc55f2dad) Conflicts: app/assets/javascripts/behaviors/markdown/render_mermaid.js
2018-11-19	Add failing test for XSS in mermaid diagrams	Winnie Hellmann
	(cherry picked from commit fdea799d37ae9ca3f5e80f191a55be543a79857a)
2018-11-18	Update VERSION to 11.3.10v11.3.10	GitLab Release Tools Bot

2018-11-18	Update CHANGELOG.md for 11.3.10	GitLab Release Tools Bot
	[ci skip]
2018-11-18	Merge branch 'sh-fix-issue-54189-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Prevent templated services from being imported See merge request gitlab/gitlabhq!2637
2018-11-18	Merge branch 'security-11-3-2717-xss-username-autocomplete' into 'security-11-3'	Steve Azzopardi
	[11.3] Escape user fullname while rendering autocomplete template to prevent XSS See merge request gitlab/gitlabhq!2608
2018-11-18	Merge branch 'sh-fix-issue-54189-11-3' into 'security-11-3'	Steve Azzopardi
	[11.3] Prevent templated services from being imported See merge request gitlab/gitlabhq!2637
2018-11-18	Merge branch 'security-11-3-2717-xss-username-autocomplete' into 'security-11-3'	Steve Azzopardi
	[11.3] Escape user fullname while rendering autocomplete template to prevent XSS See merge request gitlab/gitlabhq!2608
2018-11-18	Merge branch '11-3-stable' into security-11-3	Steve Azzopardi

2018-11-18	Prevent templated services from being imported	Stan Hu
	Templated services should only be created by admins and does not apply to project import/export. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54189
2018-11-16	Sanitize output of SpacedLinkFilter	Brett Walker

2018-11-14	No redirects in prometheus service	rpereira2
	Do not allow redirects in the prometheus service to prevent SSRFs.
2018-11-14	Fix milestone promotion authorization	Felipe Artur
	Promoting milestone was missing an authorization check, guest users were being able to promote project milestones to group milestones.
2018-11-14	Validate URI scheme also for internal URI	Alessio Caiazza
	This is a backport for 11.3 stable branch. Gitlab::UrlBlocker ignores scheme when validating URI matching either config.gitlab or config.gitlab_shell This patch enforces matching config.gitlab.protocol for internal web and ssh for internal shell. A cleanup migration for stored XSS from environments table is included.
2018-11-12	Add changelog entry	Kushal Pandya

2018-11-12	Fix SSRF in project integrations	Francisco Javier López
	This commit fixes a SSRF vulnerability related to project hooks and ipv6 addresses. It also addresses a problem with ipv6 mapped addresses.