From e11cc45d59ed614c14ae842e5ed5c87d53bd8f8e Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 27 Apr 2021 14:16:37 +0000 Subject: Add latest changes from gitlab-org/security/gitlab@13-10-stable-ee --- CHANGELOG.md | 12 ++++++++++++ GITALY_SERVER_VERSION | 2 +- ...27155-prevent-mutation-execution-with-read-api-tokens.yml | 5 ----- changelogs/unreleased/mermaid-8-9-2.yml | 5 ----- .../security-10io-dependency-proxy-and-deploy-tokens.yml | 5 ----- ...322500-disable-gitaly-branch-pagination-ff-by-default.yml | 5 ----- changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml | 5 ----- ...y-disallow-changing-timestamps-on-issue-create-update.yml | 5 ----- 8 files changed, 13 insertions(+), 31 deletions(-) delete mode 100644 changelogs/unreleased/327155-prevent-mutation-execution-with-read-api-tokens.yml delete mode 100644 changelogs/unreleased/mermaid-8-9-2.yml delete mode 100644 changelogs/unreleased/security-10io-dependency-proxy-and-deploy-tokens.yml delete mode 100644 changelogs/unreleased/security-322500-disable-gitaly-branch-pagination-ff-by-default.yml delete mode 100644 changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml delete mode 100644 changelogs/unreleased/security-disallow-changing-timestamps-on-issue-create-update.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index d80a50862b7..d9436b873d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,18 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 13.10.4 (2021-04-27) + +### Security (6 changes) + +- Prevent tokens with only read_api scope from executing mutations. +- Update mermaid to version 8.9.2. +- Do not allow deploy tokens in the dependency proxy authentication service. +- Disable keyset pagination for branches by default. +- Bump Carrierwave gem to v1.3.2. +- Restrict setting system_note_timestamp to owners. + + ## 13.10.3 (2021-04-13) ### Security (3 changes) diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index dee21658a83..402deed3074 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -13.10.3 \ No newline at end of file +13.10.4 \ No newline at end of file diff --git a/changelogs/unreleased/327155-prevent-mutation-execution-with-read-api-tokens.yml b/changelogs/unreleased/327155-prevent-mutation-execution-with-read-api-tokens.yml deleted file mode 100644 index 1758390a5cb..00000000000 --- a/changelogs/unreleased/327155-prevent-mutation-execution-with-read-api-tokens.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent tokens with only read_api scope from executing mutations -merge_request: -author: -type: security diff --git a/changelogs/unreleased/mermaid-8-9-2.yml b/changelogs/unreleased/mermaid-8-9-2.yml deleted file mode 100644 index 7cb4731fa33..00000000000 --- a/changelogs/unreleased/mermaid-8-9-2.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Update mermaid to version 8.9.2 -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-10io-dependency-proxy-and-deploy-tokens.yml b/changelogs/unreleased/security-10io-dependency-proxy-and-deploy-tokens.yml deleted file mode 100644 index 26137a42420..00000000000 --- a/changelogs/unreleased/security-10io-dependency-proxy-and-deploy-tokens.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Do not allow deploy tokens in the dependency proxy authentication service -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-322500-disable-gitaly-branch-pagination-ff-by-default.yml b/changelogs/unreleased/security-322500-disable-gitaly-branch-pagination-ff-by-default.yml deleted file mode 100644 index 869cd7ab57c..00000000000 --- a/changelogs/unreleased/security-322500-disable-gitaly-branch-pagination-ff-by-default.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Disable keyset pagination for branches by default -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml b/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml deleted file mode 100644 index 4e31f9d855d..00000000000 --- a/changelogs/unreleased/security-bump-carrierwave-to-1-3-2.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Bump Carrierwave gem to v1.3.2 -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-disallow-changing-timestamps-on-issue-create-update.yml b/changelogs/unreleased/security-disallow-changing-timestamps-on-issue-create-update.yml deleted file mode 100644 index 7acd005abaa..00000000000 --- a/changelogs/unreleased/security-disallow-changing-timestamps-on-issue-create-update.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Restrict setting system_note_timestamp to owners -merge_request: -author: -type: security -- cgit v1.2.3