diff --git a/CHANGELOG.md b/CHANGELOG.md
index aad639454e71255abb219d25654ba0dbda6d4e7b..be14fd5ce96c4156639a4a24ae2f7abaac218c1e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,33 +2,6 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. -## 11.5.8 (2019-01-28) - -### Security (21 changes) - -- Make potentially malicious links more visible in the UI and scrub RTLO chars from links. !2770 -- Don't process MR refs for guests in the notes. !2771 -- Fixed XSS content in KaTex links. -- Verify that LFS upload requests are genuine. -- Extract GitLab Pages using RubyZip. -- Prevent awarding emojis to notes whose parent is not visible to user. -- Prevent unauthorized replies when discussion is locked or confidential. -- Disable git v2 protocol temporarily. -- Fix showing ci status for guest users when public pipline are not set. -- Fix contributed projects info still visible when user enable private profile. -- Disallows unauthorized users from accessing the pipelines section. -- Add more LFS validations to prevent forgery. -- Use common error for unauthenticated users when creating issues. -- Fix slow regex in project reference pattern. -- Fix private user email being visible in push (and tag push) webhooks. -- Fix wiki access rights when external wiki is enabled. -- Fix path disclosure on project import error. -- Restrict project import visibility based on its group. -- Expose CI/CD trigger token only to the trigger owner. -- Notify only users who can access the project on project move. -- Alias GitHub and BitBucket OAuth2 callback URLs. - - ## 11.5.7 (2019-01-15) ### Security (1 change)
diff --git a/changelogs/unreleased/11-5-security-stored-xss-via-katex.yml b/changelogs/unreleased/11-5-security-stored-xss-via-katex.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a71ae1123f232c3799c4eef9f84ade090b971552
--- /dev/null
+++ b/changelogs/unreleased/11-5-security-stored-xss-via-katex.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed XSS content in KaTex links
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/extract-pages-with-rubyzip.yml b/changelogs/unreleased/extract-pages-with-rubyzip.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8352e79d3e557d7b8747865d072e6d54b6910412
--- /dev/null
+++ b/changelogs/unreleased/extract-pages-with-rubyzip.yml
@@ -0,0 +1,5 @@
+---
+title: Extract GitLab Pages using RubyZip
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-11-5-test-permissions.yml b/changelogs/unreleased/security-11-5-test-permissions.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cfb69fdcb1ed28b0e93fb19395a1b845d523b09c
--- /dev/null
+++ b/changelogs/unreleased/security-11-5-test-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Disallows unauthorized users from accessing the pipelines section.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e79e3263df78973919213478dcd46018bc66163f
--- /dev/null
+++ b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
@@ -0,0 +1,5 @@
+---
+title: Verify that LFS upload requests are genuine
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2769-idn-homograph-attack.yml b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a014b522c96c802da28656e6edda3b40761a31bd
--- /dev/null
+++ b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
@@ -0,0 +1,5 @@
+---
+title: Make potentially malicious links more visible in the UI and scrub RTLO chars from links
+merge_request: 2770
+author:
+type: security
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3ad92578c441a1320a1f64f25c3360791610883f
--- /dev/null
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2f76064d8a48252b13f47142b6d10b4d15abb861
--- /dev/null
+++ b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent unauthorized replies when discussion is locked or confidential
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
new file mode 100644
index 0000000000000000000000000000000000000000..30a08a98e8389aa3d5692867067e10d5e5f3409e
--- /dev/null
+++ b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
@@ -0,0 +1,5 @@
+---
+title: Disable git v2 protocol temporarily
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a80170091d033bdbf7ba3ca0ada253a30a342fdc
--- /dev/null
+++ b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
@@ -0,0 +1,5 @@
+---
+title: Fix showing ci status for guest users when public pipline are not set
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-contributed-projects.yml b/changelogs/unreleased/security-contributed-projects.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f745a2255ca2e3b910a9abd7113e2df57daa2e2f
--- /dev/null
+++ b/changelogs/unreleased/security-contributed-projects.yml
@@ -0,0 +1,5 @@
+---
+title: Fix contributed projects info still visible when user enable private profile
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0281dde11e654c09feeb565355bb5fb348b38a01
--- /dev/null
+++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Don't process MR refs for guests in the notes
+merge_request: 2771
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b6315ec29d8bd251b3c4028a5b9e8d4067b6446c
--- /dev/null
+++ b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
@@ -0,0 +1,5 @@
+---
+title: Add more LFS validations to prevent forgery
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-new-issues-login-message.yml b/changelogs/unreleased/security-fix-new-issues-login-message.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9dabf2438c9c729371128230cb0b2d466d3a82cf
--- /dev/null
+++ b/changelogs/unreleased/security-fix-new-issues-login-message.yml
@@ -0,0 +1,5 @@
+---
+title: Use common error for unauthenticated users when creating issues
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-regex-dos.yml b/changelogs/unreleased/security-fix-regex-dos.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b08566d2f1525301406ebd61414336bff3d24cfe
--- /dev/null
+++ b/changelogs/unreleased/security-fix-regex-dos.yml
@@ -0,0 +1,5 @@
+---
+title: Fix slow regex in project reference pattern
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
new file mode 100644
index 0000000000000000000000000000000000000000..915ea7b5216299bf1f3a3ebdd44b50f7b1fce484
--- /dev/null
+++ b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Fix private user email being visible in push (and tag push) webhooks
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d5f20b87a9045101bf998175ec9570ebe0213f0d
--- /dev/null
+++ b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
@@ -0,0 +1,5 @@
+---
+title: Fix wiki access rights when external wiki is enabled
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-import-path-logging.yml b/changelogs/unreleased/security-import-path-logging.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2ba2d88d82ad0538fd1ee09f522c25dfda1e12ab
--- /dev/null
+++ b/changelogs/unreleased/security-import-path-logging.yml
@@ -0,0 +1,5 @@
+---
+title: Fix path disclosure on project import error
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-import-project-visibility.yml b/changelogs/unreleased/security-import-project-visibility.yml
new file mode 100644
index 0000000000000000000000000000000000000000..04ae172a9a1f453262f2f0f6b4ae0a888b5d58b7
--- /dev/null
+++ b/changelogs/unreleased/security-import-project-visibility.yml
@@ -0,0 +1,5 @@
+---
+title: Restrict project import visibility based on its group
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
new file mode 100644
index 0000000000000000000000000000000000000000..97d743eead13482cb8fd63ec73aadbc0e7349da2
--- /dev/null
+++ b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
@@ -0,0 +1,5 @@
+---
+title: Expose CI/CD trigger token only to the trigger owner
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-project-move-users.yml b/changelogs/unreleased/security-project-move-users.yml
new file mode 100644
index 0000000000000000000000000000000000000000..744df68651f1e98110d8ba7a8b0393ada37842fe
--- /dev/null
+++ b/changelogs/unreleased/security-project-move-users.yml
@@ -0,0 +1,5 @@
+---
+title: Notify only users who can access the project on project move.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/sh-fix-issue-56663-11-5.yml b/changelogs/unreleased/sh-fix-issue-56663-11-5.yml
new file mode 100644
index 0000000000000000000000000000000000000000..addf327b69d35d0459844ab540dcc44c2e7e24f7
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-issue-56663-11-5.yml
@@ -0,0 +1,5 @@
+---
+title: Alias GitHub and BitBucket OAuth2 callback URLs
+merge_request:
+author:
+type: security