From 485f694691367dc77e5b955d3a6dd78be9728fde Mon Sep 17 00:00:00 2001 
From: GitLab Release Tools Bot
Date: Wed, 4 Mar 2020 14:43:03 +0000
Subject: Update CHANGELOG.md for 12.7.7 [ci skip]

---
 CHANGELOG.md | 23 ++++++++++++++++++++++
 ...aring_group_to_update_project_authorization.yml | 5 -----
 ...haring_group_to_respect_member_access_level.yml | 5 -----
 changelogs/unreleased/36805-confidential-issue.yml | 5 -----
 changelogs/unreleased/enfoce-group-member-2fa.yml | 5 -----
 .../unreleased/security-49-xss-branch-names.yml | 5 -----
 .../unreleased/security-709-secret-traversal.yml | 5 -----
 changelogs/unreleased/security-badge-camo.yml | 5 -----
 ...ty-check-mr-permissions-for-pipeline-widget.yml | 5 -----
 .../security-deploy-token-registry-access.yml | 6 ------
 .../security-deprecate-lfs-link-service.yml | 5 -----
 ...security-disable-pipeline-webhook-recursion.yml | 5 -----
 .../security-expire-confirmation-token.yml | 5 -----
 .../unreleased/security-grafana-stored-xss.yml | 5 -----
 .../security-graphql-diff-refs-empty-base-sha.yml | 5 -----
 .../security-pb-fix-xss-dependency-link.yml | 5 -----
 ...ty-recalculate_project_authorizations_run_2.yml | 5 -----
 .../security-safe-sentry-error-culprit.yml | 5 -----
 18 files changed, 23 insertions(+), 86 deletions(-)
 delete mode 100644 changelogs/unreleased/199035-sharing_group_to_update_project_authorization.yml
 delete mode 100644 changelogs/unreleased/199415-sharing_group_to_respect_member_access_level.yml
 delete mode 100644 changelogs/unreleased/36805-confidential-issue.yml
 delete mode 100644 changelogs/unreleased/enfoce-group-member-2fa.yml
 delete mode 100644 changelogs/unreleased/security-49-xss-branch-names.yml
 delete mode 100644 changelogs/unreleased/security-709-secret-traversal.yml
 delete mode 100644 changelogs/unreleased/security-badge-camo.yml
 delete mode 100644 changelogs/unreleased/security-check-mr-permissions-for-pipeline-widget.yml
 delete mode 100644 changelogs/unreleased/security-deploy-token-registry-access.yml
 delete mode 100644 
changelogs/unreleased/security-deprecate-lfs-link-service.yml
 delete mode 100644 changelogs/unreleased/security-disable-pipeline-webhook-recursion.yml
 delete mode 100644 changelogs/unreleased/security-expire-confirmation-token.yml
 delete mode 100644 changelogs/unreleased/security-grafana-stored-xss.yml
 delete mode 100644 changelogs/unreleased/security-graphql-diff-refs-empty-base-sha.yml
 delete mode 100644 changelogs/unreleased/security-pb-fix-xss-dependency-link.yml
 delete mode 100644 changelogs/unreleased/security-recalculate_project_authorizations_run_2.yml
 delete mode 100644 changelogs/unreleased/security-safe-sentry-error-culprit.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eb47b8aaefe..1908a67a288 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,29 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 12.7.7
+
+### Security (17 changes)
+
+- Update ProjectAuthorization when deleting or updating GroupGroupLink.
+- Respect member access level for group shares.
+- Prevent an endless checking loop for two merge requests targeting each other.
+- Update user 2fa when accepting a group invite.
+- Fix for XSS in branch names.
+- Prevent directory traversal through FileUploader.
+- Run project badge images through the asset proxy.
+- Check merge requests read permissions before showing them in the pipeline widget.
+- Update container registry authentication to account for login request when checking permissions.
+- Remove OID filtering during LFS imports.
+- Protect against denial of service using pipeline webhook recursion.
+- Expire account confirmation token.
+- Prevent XSS in admin grafana URL setting.
+- Don't require base_sha in DiffRefsType.
+- Sanitize output by dependency linkers.
+- Recalculate ProjectAuthorizations for all users.
+- Escape special chars in Sentry error header.
+
+
 ## 12.7.6
 ### Security (1 change)
diff --git a/changelogs/unreleased/199035-sharing_group_to_update_project_authorization.yml b/changelogs/unreleased/199035-sharing_group_to_update_project_authorization.yml
deleted file mode 100644
index 00d0b770296..00000000000
--- a/changelogs/unreleased/199035-sharing_group_to_update_project_authorization.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update ProjectAuthorization when deleting or updating GroupGroupLink
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/199415-sharing_group_to_respect_member_access_level.yml b/changelogs/unreleased/199415-sharing_group_to_respect_member_access_level.yml
deleted file mode 100644
index bab1bf82dc0..00000000000
--- a/changelogs/unreleased/199415-sharing_group_to_respect_member_access_level.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Respect member access level for group shares
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/36805-confidential-issue.yml b/changelogs/unreleased/36805-confidential-issue.yml
deleted file mode 100644
index ea7b66b89db..00000000000
--- a/changelogs/unreleased/36805-confidential-issue.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent an endless checking loop for two merge requests targeting each other
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/enfoce-group-member-2fa.yml b/changelogs/unreleased/enfoce-group-member-2fa.yml
deleted file mode 100644
index 1e10f678eda..00000000000
--- a/changelogs/unreleased/enfoce-group-member-2fa.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update user 2fa when accepting a group invite
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-49-xss-branch-names.yml b/changelogs/unreleased/security-49-xss-branch-names.yml
deleted file mode 100644
index d6ad72aa622..00000000000
--- a/changelogs/unreleased/security-49-xss-branch-names.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix for XSS in branch names
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-709-secret-traversal.yml b/changelogs/unreleased/security-709-secret-traversal.yml
deleted file mode 100644
index 33944712a20..00000000000
--- a/changelogs/unreleased/security-709-secret-traversal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent directory traversal through FileUploader
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-badge-camo.yml b/changelogs/unreleased/security-badge-camo.yml
deleted file mode 100644
index b882bffdcaa..00000000000
--- a/changelogs/unreleased/security-badge-camo.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Run project badge images through the asset proxy
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-check-mr-permissions-for-pipeline-widget.yml b/changelogs/unreleased/security-check-mr-permissions-for-pipeline-widget.yml
deleted file mode 100644
index 009b205ee94..00000000000
--- a/changelogs/unreleased/security-check-mr-permissions-for-pipeline-widget.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Check merge requests read permissions before showing them in the pipeline widget
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-deploy-token-registry-access.yml b/changelogs/unreleased/security-deploy-token-registry-access.yml
deleted file mode 100644
index 3b7a0553b2e..00000000000
--- a/changelogs/unreleased/security-deploy-token-registry-access.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Update container registry authentication to account for login request when
- checking permissions
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-deprecate-lfs-link-service.yml b/changelogs/unreleased/security-deprecate-lfs-link-service.yml
deleted file mode 100644
index 79bc69414eb..00000000000
--- a/changelogs/unreleased/security-deprecate-lfs-link-service.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove OID filtering during LFS imports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-disable-pipeline-webhook-recursion.yml b/changelogs/unreleased/security-disable-pipeline-webhook-recursion.yml
deleted file mode 100644
index a3491c1d42a..00000000000
--- a/changelogs/unreleased/security-disable-pipeline-webhook-recursion.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Protect against denial of service using pipeline webhook recursion
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-expire-confirmation-token.yml b/changelogs/unreleased/security-expire-confirmation-token.yml
deleted file mode 100644
index 40d8063c409..00000000000
--- a/changelogs/unreleased/security-expire-confirmation-token.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expire account confirmation token
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-grafana-stored-xss.yml b/changelogs/unreleased/security-grafana-stored-xss.yml
deleted file mode 100644
index 5a98c6fd7ff..00000000000
--- a/changelogs/unreleased/security-grafana-stored-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent XSS in admin grafana URL setting
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-graphql-diff-refs-empty-base-sha.yml b/changelogs/unreleased/security-graphql-diff-refs-empty-base-sha.yml
deleted file mode 100644
index ba7906f72a8..00000000000
--- a/changelogs/unreleased/security-graphql-diff-refs-empty-base-sha.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't require base_sha in DiffRefsType
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pb-fix-xss-dependency-link.yml b/changelogs/unreleased/security-pb-fix-xss-dependency-link.yml
deleted file mode 100644
index a4726c3861a..00000000000
--- a/changelogs/unreleased/security-pb-fix-xss-dependency-link.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Sanitize output by dependency linkers
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-recalculate_project_authorizations_run_2.yml b/changelogs/unreleased/security-recalculate_project_authorizations_run_2.yml
deleted file mode 100644
index ee2039806b6..00000000000
--- a/changelogs/unreleased/security-recalculate_project_authorizations_run_2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Recalculate ProjectAuthorizations for all users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-safe-sentry-error-culprit.yml b/changelogs/unreleased/security-safe-sentry-error-culprit.yml
deleted file mode 100644
index 4261e2aa5dd..00000000000
--- a/changelogs/unreleased/security-safe-sentry-error-culprit.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape special chars in Sentry error header
-merge_request:
-author:
-type: security
-- 
cgit v1.2.3