| ... | ... | @@ -2,6 +2,31 @@ |
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 11.4.13 (2018-12-28)
### Security (19 changes)
- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2742
- Validate LFS hrefs before downloading them.
- Ensure that build token is only used when running.
- Add subresources removal to member destroy service.
- Escape html entities in LabelReferenceFilter when no label found.
- Allow changing group CI/CD settings only for owners.
- Authorize before reading job information via API.
- Prevent leaking protected variables for ambiguous refs.
- Prevent leaking protected variables for ambiguous refs.
- Prevent a path traversal attack on global file templates.
- Prevent private snippets from being embeddable.
- Issuable no longer is visible to users when project can't be viewed.
- Don't expose cross project repositories through diffs when creating merge reqeusts.
- Fix SSRF with import_url and remote mirror url.
- Fix persistent symlink in project import.
- Set URL rel attribute for broken URLs.
- Project guests no longer are able to see refs page.
- Delete confidential todos for user when downgraded to Guest.
- Setting svg disposition as attachment in wikis.
## 11.4.12 (2018-12-20)
### Security (1 change)
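Review bot: the new "## 11.4.13" Security list carries "Prevent leaking protected variables for ambiguous refs." twice; unless the two lines record distinct fixes, drop one so the "(19 changes)" count in the heading matches the list, and correct the typo in "Don't expose cross project repositories through diffs when creating merge reqeusts." to "merge requests". Only the first entry cites its merge request ("!2742"); entries such as "Fix SSRF with import_url and remote mirror url." and "Prevent a path traversal attack on global file templates." would be much easier for a reader to trace to the actual fix if they carried their MR or issue reference in the same way. Minor style point: "Setting svg disposition as attachment in wikis." is the one entry not written in the imperative ("Set SVG disposition to attachment in wikis.") used by the rest of the list.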