diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c147490d840c2ca06469dd23451fa53d88221eb..0e172971b3beb0b941986d6efebc4fdb32811d7a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,31 @@
 documentation](doc/development/changelog.md) for instructions on adding your own entry.
 
 
+## 11.4.13 (2018-12-28)
+
+### Security (19 changes)
+
+- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2742
+- Validate LFS hrefs before downloading them.
+- Ensure that build token is only used when running.
+- Add subresources removal to member destroy service.
+- Escape html entities in LabelReferenceFilter when no label found.
+- Allow changing group CI/CD settings only for owners.
+- Authorize before reading job information via API.
+- Prevent leaking protected variables for ambiguous refs.
+- Prevent leaking protected variables for ambiguous refs.
+- Prevent a path traversal attack on global file templates.
+- Prevent private snippets from being embeddable.
+- Issuable no longer is visible to users when project can't be viewed.
+- Don't expose cross project repositories through diffs when creating merge reqeusts.
+- Fix SSRF with import_url and remote mirror url.
+- Fix persistent symlink in project import.
+- Set URL rel attribute for broken URLs.
+- Project guests no longer are able to see refs page.
+- Delete confidential todos for user when downgraded to Guest.
+- Setting svg disposition as attachment in wikis.
+
+
 ## 11.4.12 (2018-12-20)
 
 ### Security (1 change)
diff --git a/changelogs/unreleased/54427-label-xss.yml b/changelogs/unreleased/54427-label-xss.yml
deleted file mode 100644
index 090d1832af21356558a7d0dbf2b9d3bd54c3049e..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/54427-label-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape html entities in LabelReferenceFilter when no label found
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/54857-fix-templates-path-traversal.yml b/changelogs/unreleased/54857-fix-templates-path-traversal.yml
deleted file mode 100644
index 0da02432c605192738901e08b46cfd9efaad9159..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/54857-fix-templates-path-traversal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent a path traversal attack on global file templates
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml b/changelogs/unreleased/ensure-that-build-token-is-always-running.yml
deleted file mode 100644
index ec1f73c70ab580e4a63ee40fc25f0115a75c88d3..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure that build token is only used when running
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/fix-security-group-user-removal.yml b/changelogs/unreleased/fix-security-group-user-removal.yml
deleted file mode 100644
index 09d09a96f848cf72a31fd5119d0648385e465d65..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/fix-security-group-user-removal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add subresources removal to member destroy service
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-54377-label-milestone-name-xss.yml b/changelogs/unreleased/security-11-4-54377-label-milestone-name-xss.yml
deleted file mode 100644
index b20f9fd83ccd249d238f1b108bca55aae0491b6c..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-54377-label-milestone-name-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape label and milestone titles to prevent XSS in GFM autocomplete
-merge_request: 2742
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-group-cicd-settings-accessible-to-maintainer.yml b/changelogs/unreleased/security-11-4-group-cicd-settings-accessible-to-maintainer.yml
deleted file mode 100644
index 5586fa6cd8ebf3bc3d3f8a71dc657d84b325a994..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-group-cicd-settings-accessible-to-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allow changing group CI/CD settings only for owners.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-guests-jobs-api.yml b/changelogs/unreleased/security-11-4-guests-jobs-api.yml
deleted file mode 100644
index 83022e91acac8ac389ecef22e65964f68280f933..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-guests-jobs-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Authorize before reading job information via API.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-secret-ci-variables-exposed.yml b/changelogs/unreleased/security-11-4-secret-ci-variables-exposed.yml
deleted file mode 100644
index 702181065f511aae33de8a48da7dda6f6e28c99d..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-secret-ci-variables-exposed.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent leaking protected variables for ambiguous refs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml b/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml
deleted file mode 100644
index 702181065f511aae33de8a48da7dda6f6e28c99d..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-5-secret-ci-variables-exposed.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent leaking protected variables for ambiguous refs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2754-fix-lfs-import.yml b/changelogs/unreleased/security-2754-fix-lfs-import.yml
deleted file mode 100644
index e8e74c9c3f6597525d01edc359cb969f5d4bd45e..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2754-fix-lfs-import.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate LFS hrefs before downloading them
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-48259-private-snippet.yml b/changelogs/unreleased/security-48259-private-snippet.yml
deleted file mode 100644
index 6cf1e5dc694f9a318108aa4ae10db6b362b69680..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-48259-private-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent private snippets from being embeddable
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml b/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml
deleted file mode 100644
index ab12ba539c159a2527a331df373d1f71c70c2e09..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Issuable no longer is visible to users when project can't be viewed
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml b/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml
deleted file mode 100644
index 11aae4428fb64ecc13f524820ccb9afa7344eb1d..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't expose cross project repositories through diffs when creating merge reqeusts
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml b/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
deleted file mode 100644
index 7ba7aa21090323da455206be23807535f99064ee..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF with import_url and remote mirror url
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-symlink.yml b/changelogs/unreleased/security-import-symlink.yml
deleted file mode 100644
index fe1b6eccf9e73e365c85bc39894060839ddfcc8e..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-import-symlink.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix persistent symlink in project import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-master-url-rel.yml b/changelogs/unreleased/security-master-url-rel.yml
deleted file mode 100644
index 75f599f6bcd4a0eebdd23a10cc18e425be0e6c24..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-master-url-rel.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Set URL rel attribute for broken URLs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-refs-available-to-project-guest.yml b/changelogs/unreleased/security-refs-available-to-project-guest.yml
deleted file mode 100644
index eb6804c52d342ae6374c877a4f1e1f5c6333eda3..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-refs-available-to-project-guest.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Project guests no longer are able to see refs page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml b/changelogs/unreleased/security-todos_not_redacted_for_guests.yml
deleted file mode 100644
index be0ae9a7193d38bcf82ca32a9aa8edca01358209..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Delete confidential todos for user when downgraded to Guest
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-wiki-svg-attachment.yml b/changelogs/unreleased/security-wiki-svg-attachment.yml
deleted file mode 100644
index 02ddc443fa23ff65a2c574dcdcb853b1acceaf54..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-wiki-svg-attachment.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Setting svg disposition as attachment in wikis
-merge_request:
-author:
-type: security