From 33e143eaaa8e267c8bc2bde5faf2d9a0eb0fcb97 Mon Sep 17 00:00:00 2001 
From: Robert Speicher
Date: Tue, 29 Jan 2019 16:55:22 -0600
Subject: [PATCH] Revert "Update CHANGELOG.md for 11.5.8"

This reverts commit 25241cd73aabe7598e6cbd6e957642d3d9805a3d.
---
 CHANGELOG.md | 27 -------------------
 .../11-5-security-stored-xss-via-katex.yml | 5 ++++
 .../unreleased/extract-pages-with-rubyzip.yml | 5 ++++
 .../security-11-5-test-permissions.yml | 5 ++++
 ...767-verify-lfs-finalize-from-workhorse.yml | 5 ++++
 .../security-2769-idn-homograph-attack.yml | 5 ++++
 ...rity-2776-fix-add-reaction-permissions.yml | 5 ++++
 ...79-fix-email-comment-permissions-check.yml | 5 ++++
 .../security-2780-disable-git-v2-protocol.yml | 5 ++++
 ...ity-commit-status-shown-for-guest-user.yml | 5 ++++
 .../security-contributed-projects.yml | 5 ++++
 ...urity-do-not-process-mr-ref-for-guests.yml | 5 ++++
 ...ty-fix-lfs-import-project-ssrf-forgery.yml | 5 ++++
 .../security-fix-new-issues-login-message.yml | 5 ++++
 .../unreleased/security-fix-regex-dos.yml | 5 ++++
 .../security-fix-user-email-tag-push-leak.yml | 5 ++++
 ...cess-rights-with-external-wiki-enabled.yml | 5 ++++
 .../security-import-path-logging.yml | 5 ++++
 .../security-import-project-visibility.yml | 5 ++++
 ...urity-pipeline-trigger-tokens-exposure.yml | 5 ++++
 .../security-project-move-users.yml | 5 ++++
 .../unreleased/sh-fix-issue-56663-11-5.yml | 5 ++++
 22 files changed, 105 insertions(+), 27 deletions(-)
 create mode 100644 changelogs/unreleased/11-5-security-stored-xss-via-katex.yml
 create mode 100644 changelogs/unreleased/extract-pages-with-rubyzip.yml
 create mode 100644 changelogs/unreleased/security-11-5-test-permissions.yml
 create mode 100644 changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
 create mode 100644 changelogs/unreleased/security-2769-idn-homograph-attack.yml
 create mode 100644 changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
 create mode 100644 changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
 create mode 100644
changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
 create mode 100644 changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
 create mode 100644 changelogs/unreleased/security-contributed-projects.yml
 create mode 100644 changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
 create mode 100644 changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
 create mode 100644 changelogs/unreleased/security-fix-new-issues-login-message.yml
 create mode 100644 changelogs/unreleased/security-fix-regex-dos.yml
 create mode 100644 changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
 create mode 100644 changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
 create mode 100644 changelogs/unreleased/security-import-path-logging.yml
 create mode 100644 changelogs/unreleased/security-import-project-visibility.yml
 create mode 100644 changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
 create mode 100644 changelogs/unreleased/security-project-move-users.yml
 create mode 100644 changelogs/unreleased/sh-fix-issue-56663-11-5.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index aad639454e7..be14fd5ce96 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,33 +2,6 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
-## 11.5.8 (2019-01-28)
-
-### Security (21 changes)
-
-- Make potentially malicious links more visible in the UI and scrub RTLO chars from links. !2770
-- Don't process MR refs for guests in the notes. !2771
-- Fixed XSS content in KaTex links.
-- Verify that LFS upload requests are genuine.
-- Extract GitLab Pages using RubyZip.
-- Prevent awarding emojis to notes whose parent is not visible to user.
-- Prevent unauthorized replies when discussion is locked or confidential.
-- Disable git v2 protocol temporarily.
-- Fix showing ci status for guest users when public pipline are not set.
-- Fix contributed projects info still visible when user enable private profile.
-- Disallows unauthorized users from accessing the pipelines section.
-- Add more LFS validations to prevent forgery.
-- Use common error for unauthenticated users when creating issues.
-- Fix slow regex in project reference pattern.
-- Fix private user email being visible in push (and tag push) webhooks.
-- Fix wiki access rights when external wiki is enabled.
-- Fix path disclosure on project import error.
-- Restrict project import visibility based on its group.
-- Expose CI/CD trigger token only to the trigger owner.
-- Notify only users who can access the project on project move.
-- Alias GitHub and BitBucket OAuth2 callback URLs.
-
-
 ## 11.5.7 (2019-01-15)
 
 ### Security (1 change)
diff --git a/changelogs/unreleased/11-5-security-stored-xss-via-katex.yml b/changelogs/unreleased/11-5-security-stored-xss-via-katex.yml
new file mode 100644
index 00000000000..a71ae1123f2
--- /dev/null
+++ b/changelogs/unreleased/11-5-security-stored-xss-via-katex.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed XSS content in KaTex links
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/extract-pages-with-rubyzip.yml b/changelogs/unreleased/extract-pages-with-rubyzip.yml
new file mode 100644
index 00000000000..8352e79d3e5
--- /dev/null
+++ b/changelogs/unreleased/extract-pages-with-rubyzip.yml
@@ -0,0 +1,5 @@
+---
+title: Extract GitLab Pages using RubyZip
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-11-5-test-permissions.yml b/changelogs/unreleased/security-11-5-test-permissions.yml
new file mode 100644
index 00000000000..cfb69fdcb1e
--- /dev/null
+++ b/changelogs/unreleased/security-11-5-test-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Disallows unauthorized users from accessing the pipelines section.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
new file mode 100644
index 00000000000..e79e3263df7
--- /dev/null
+++ b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
@@ -0,0 +1,5 @@
+---
+title: Verify that LFS upload requests are genuine
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2769-idn-homograph-attack.yml b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
new file mode 100644
index 00000000000..a014b522c96
--- /dev/null
+++ b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
@@ -0,0 +1,5 @@
+---
+title: Make potentially malicious links more visible in the UI and scrub RTLO chars from links
+merge_request: 2770
+author:
+type: security
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
new file mode 100644
index 00000000000..3ad92578c44
--- /dev/null
+++ b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent awarding emojis to notes whose parent is not visible to user
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
new file mode 100644
index 00000000000..2f76064d8a4
--- /dev/null
+++ b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent unauthorized replies when discussion is locked or confidential
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
new file mode 100644
index 00000000000..30a08a98e83
--- /dev/null
+++ b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
@@ -0,0 +1,5 @@
+---
+title: Disable git v2 protocol temporarily
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
new file mode 100644
index 00000000000..a80170091d0
--- /dev/null
+++ b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
@@ -0,0 +1,5 @@
+---
+title: Fix showing ci status for guest users when public pipline are not set
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-contributed-projects.yml b/changelogs/unreleased/security-contributed-projects.yml
new file mode 100644
index 00000000000..f745a2255ca
--- /dev/null
+++ b/changelogs/unreleased/security-contributed-projects.yml
@@ -0,0 +1,5 @@
+---
+title: Fix contributed projects info still visible when user enable private profile
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
new file mode 100644
index 00000000000..0281dde11e6
--- /dev/null
+++ b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
@@ -0,0 +1,5 @@
+---
+title: Don't process MR refs for guests in the notes
+merge_request: 2771
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
new file mode 100644
index 00000000000..b6315ec29d8
--- /dev/null
+++ b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
@@ -0,0 +1,5 @@
+---
+title: Add more LFS validations to prevent forgery
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-new-issues-login-message.yml b/changelogs/unreleased/security-fix-new-issues-login-message.yml
new file mode 100644
index 00000000000..9dabf2438c9
--- /dev/null
+++ b/changelogs/unreleased/security-fix-new-issues-login-message.yml
@@ -0,0 +1,5 @@
+---
+title: Use common error for unauthenticated users when creating issues
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-regex-dos.yml b/changelogs/unreleased/security-fix-regex-dos.yml
new file mode 100644
index 00000000000..b08566d2f15
--- /dev/null
+++ b/changelogs/unreleased/security-fix-regex-dos.yml
@@ -0,0 +1,5 @@
+---
+title: Fix slow regex in project reference pattern
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
new file mode 100644
index 00000000000..915ea7b5216
--- /dev/null
+++ b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Fix private user email being visible in push (and tag push) webhooks
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
new file mode 100644
index 00000000000..d5f20b87a90
--- /dev/null
+++ b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
@@ -0,0 +1,5 @@
+---
+title: Fix wiki access rights when external wiki is enabled
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-import-path-logging.yml b/changelogs/unreleased/security-import-path-logging.yml
new file mode 100644
index 00000000000..2ba2d88d82a
--- /dev/null
+++ b/changelogs/unreleased/security-import-path-logging.yml
@@ -0,0 +1,5 @@
+---
+title: Fix path disclosure on project import error
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-import-project-visibility.yml b/changelogs/unreleased/security-import-project-visibility.yml
new file mode 100644
index 00000000000..04ae172a9a1
--- /dev/null
+++ b/changelogs/unreleased/security-import-project-visibility.yml
@@ -0,0 +1,5 @@
+---
+title: Restrict project import visibility based on its group
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
new file mode 100644
index 00000000000..97d743eead1
--- /dev/null
+++ b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
@@ -0,0 +1,5 @@
+---
+title: Expose CI/CD trigger token only to the trigger owner
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-project-move-users.yml b/changelogs/unreleased/security-project-move-users.yml
new file mode 100644
index 00000000000..744df68651f
--- /dev/null
+++ b/changelogs/unreleased/security-project-move-users.yml
@@ -0,0 +1,5 @@
+---
+title: Notify only users who can access the project on project move.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/sh-fix-issue-56663-11-5.yml b/changelogs/unreleased/sh-fix-issue-56663-11-5.yml
new file mode 100644
index 00000000000..addf327b69d
--- /dev/null
+++ b/changelogs/unreleased/sh-fix-issue-56663-11-5.yml
@@ -0,0 +1,5 @@
+---
+title: Alias GitHub and BitBucket OAuth2 callback URLs
+merge_request:
+author:
+type: security
-- 
GitLab