diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6687ef59383120832c42df93aad48f7372f82a52..5905107d7e6174b4e0c8081ef500fb18e6562e3d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,36 @@ documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
 
+## 11.7.1 (2019-01-28)
+
+### Security (24 changes)
+
+- Make potentially malicious links more visible in the UI and scrub RTLO chars from links. !2770
+- Don't process MR refs for guests in the notes. !2771
+- Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs. !2828
+- Fixed XSS content in KaTex links.
+- Disallows unauthorized users from accessing the pipelines section.
+- Verify that LFS upload requests are genuine.
+- Extract GitLab Pages using RubyZip.
+- Prevent awarding emojis to notes whose parent is not visible to user.
+- Prevent unauthorized replies when discussion is locked or confidential.
+- Disable git v2 protocol temporarily.
+- Fix showing ci status for guest users when public pipline are not set.
+- Fix contributed projects info still visible when user enable private profile.
+- Add subresources removal to member destroy service.
+- Add more LFS validations to prevent forgery.
+- Use common error for unauthenticated users when creating issues.
+- Fix slow regex in project reference pattern.
+- Fix private user email being visible in push (and tag push) webhooks.
+- Fix wiki access rights when external wiki is enabled.
+- Group guests are no longer able to see merge requests they don't have access to at group level.
+- Fix path disclosure on project import error.
+- Restrict project import visibility based on its group.
+- Expose CI/CD trigger token only to the trigger owner.
+- Notify only users who can access the project on project move.
+- Alias GitHub and BitBucket OAuth2 callback URLs.
+
+
 ## 11.7.0 (2019-01-22)
 
 ### Security (14 changes, 1 of them is from the community)
diff --git a/changelogs/unreleased/11-7-security-stored-xss-via-katex.yml b/changelogs/unreleased/11-7-security-stored-xss-via-katex.yml
deleted file mode 100644
index a71ae1123f232c3799c4eef9f84ade090b971552..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/11-7-security-stored-xss-via-katex.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed XSS content in KaTex links
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/extract-pages-with-rubyzip.yml b/changelogs/unreleased/extract-pages-with-rubyzip.yml
deleted file mode 100644
index 8352e79d3e557d7b8747865d072e6d54b6910412..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/extract-pages-with-rubyzip.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Extract GitLab Pages using RubyZip
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/fix-security-group-user-removal.yml b/changelogs/unreleased/fix-security-group-user-removal.yml
deleted file mode 100644
index 09d09a96f848cf72a31fd5119d0648385e465d65..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/fix-security-group-user-removal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add subresources removal to member destroy service
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-7-22076-sanitize-url-in-names.yml b/changelogs/unreleased/security-11-7-22076-sanitize-url-in-names.yml
deleted file mode 100644
index 6d0977fe4198fa6d980077a55d7c6cf8a7a52a3b..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-7-22076-sanitize-url-in-names.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Sanitize user full name to clean up any URL to prevent mail clients from auto-linking
- URLs
-merge_request: 2828
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-7-test-permissions.yml b/changelogs/unreleased/security-11-7-test-permissions.yml
deleted file mode 100644
index cfb69fdcb1ed28b0e93fb19395a1b845d523b09c..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-7-test-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disallows unauthorized users from accessing the pipelines section.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
deleted file mode 100644
index e79e3263df78973919213478dcd46018bc66163f..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Verify that LFS upload requests are genuine
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2769-idn-homograph-attack.yml b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
deleted file mode 100644
index a014b522c96c802da28656e6edda3b40761a31bd..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2769-idn-homograph-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make potentially malicious links more visible in the UI and scrub RTLO chars from links
-merge_request: 2770
-author:
-type: security
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
deleted file mode 100644
index 3ad92578c441a1320a1f64f25c3360791610883f..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent awarding emojis to notes whose parent is not visible to user
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
deleted file mode 100644
index 2f76064d8a48252b13f47142b6d10b4d15abb861..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent unauthorized replies when discussion is locked or confidential
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
deleted file mode 100644
index 30a08a98e8389aa3d5692867067e10d5e5f3409e..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable git v2 protocol temporarily
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
deleted file mode 100644
index a80170091d033bdbf7ba3ca0ada253a30a342fdc..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix showing ci status for guest users when public pipline are not set
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-contributed-projects.yml b/changelogs/unreleased/security-contributed-projects.yml
deleted file mode 100644
index f745a2255ca2e3b910a9abd7113e2df57daa2e2f..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-contributed-projects.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix contributed projects info still visible when user enable private profile
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
deleted file mode 100644
index 0281dde11e654c09feeb565355bb5fb348b38a01..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't process MR refs for guests in the notes
-merge_request: 2771
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
deleted file mode 100644
index b6315ec29d8bd251b3c4028a5b9e8d4067b6446c..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add more LFS validations to prevent forgery
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-new-issues-login-message.yml b/changelogs/unreleased/security-fix-new-issues-login-message.yml
deleted file mode 100644
index 9dabf2438c9c729371128230cb0b2d466d3a82cf..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-new-issues-login-message.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Use common error for unauthenticated users when creating issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-regex-dos.yml b/changelogs/unreleased/security-fix-regex-dos.yml
deleted file mode 100644
index b08566d2f1525301406ebd61414336bff3d24cfe..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-regex-dos.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix slow regex in project reference pattern
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
deleted file mode 100644
index 915ea7b5216299bf1f3a3ebdd44b50f7b1fce484..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix private user email being visible in push (and tag push) webhooks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
deleted file mode 100644
index d5f20b87a9045101bf998175ec9570ebe0213f0d..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix wiki access rights when external wiki is enabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml b/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
deleted file mode 100644
index f5b740118292ccd87b6f2c743261ec78975e80db..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Group guests are no longer able to see merge requests they don't have access
- to at group level
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-path-logging.yml b/changelogs/unreleased/security-import-path-logging.yml
deleted file mode 100644
index 2ba2d88d82ad0538fd1ee09f522c25dfda1e12ab..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-import-path-logging.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix path disclosure on project import error
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-project-visibility.yml b/changelogs/unreleased/security-import-project-visibility.yml
deleted file mode 100644
index 04ae172a9a1f453262f2f0f6b4ae0a888b5d58b7..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-import-project-visibility.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict project import visibility based on its group
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
deleted file mode 100644
index 97d743eead13482cb8fd63ec73aadbc0e7349da2..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expose CI/CD trigger token only to the trigger owner
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-project-move-users.yml b/changelogs/unreleased/security-project-move-users.yml
deleted file mode 100644
index 744df68651f1e98110d8ba7a8b0393ada37842fe..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-project-move-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Notify only users who can access the project on project move.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-issue-56663-11-7.yml b/changelogs/unreleased/sh-fix-issue-56663-11-7.yml
deleted file mode 100644
index addf327b69d35d0459844ab540dcc44c2e7e24f7..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/sh-fix-issue-56663-11-7.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Alias GitHub and BitBucket OAuth2 callback URLs
-merge_request:
-author:
-type: security