diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba343f142326e6dc583bf8d297a5956f9bc62db1..68efecb5b4edd168b77137537c3afdcb3a11758a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,36 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 11.4.8 (2018-11-27)
+
+### Security (24 changes)
+
+- Escape entity title while autocomplete template rendering to prevent XSS. !2571
+- Resolve reflected XSS in Ouath authorize window.
+- Fix XSS in merge request source branch name.
+- Escape user fullname while rendering autocomplete template to prevent XSS.
+- Fix CRLF vulnerability in Project hooks.
+- Fix possible XSS attack in Markdown urls with spaces.
+- Redact sensitive information on gitlab-workhorse log.
+- Do not follow redirects in Prometheus service when making http requests to the configured api url.
+- Persist only SHA digest of PersonalAccessToken#token.
+- Don't expose confidential information in commit message list.
+- Provide email notification when a user changes their email address.
+- Restrict Personal Access Tokens to API scope on web requests.
+- Redact personal tokens in unsubscribe links.
+- Fix SSRF in project integrations.
+- Fixed ability to comment on locked/confidential issues.
+- Fixed ability of guest users to edit/delete comments on locked or confidential issues.
+- Fix milestone promotion authorization check.
+- Monkey kubeclient to not follow any redirects.
+- Configure mermaid to not render HTML content in diagrams.
+- Fix a possible symlink time of check to time of use race condition in GitLab Pages.
+- Removed ability to see private group names when the group id is entered in the url.
+- Fix stored XSS for Environments.
+- Prevent SSRF attacks in HipChat integration.
+- Validate Wiki attachments are valid temporary files.
+
+
 ## 11.4.7 (2018-11-20)
 
 - No changes.
diff --git a/changelogs/unreleased/51527-xss-in-mr-source-branch.yml b/changelogs/unreleased/51527-xss-in-mr-source-branch.yml
deleted file mode 100644
index dae277b64132d7c6ef80a06b89da1db85b2f6a03..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/51527-xss-in-mr-source-branch.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS in merge request source branch name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/redact-links-dev.yml b/changelogs/unreleased/redact-links-dev.yml
deleted file mode 100644
index 338e796546580173d6f56d7a0fba3160bbc4b452..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/redact-links-dev.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact personal tokens in unsubscribe links.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-2717-fix-issue-title-xss.yml b/changelogs/unreleased/security-11-4-2717-fix-issue-title-xss.yml
deleted file mode 100644
index 12dfa48c6aae560a2b0bf281f7e2ee6da1f0561b..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-2717-fix-issue-title-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape entity title while autocomplete template rendering to prevent XSS
-merge_request: 2571
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-2717-xss-username-autocomplete.yml b/changelogs/unreleased/security-11-4-2717-xss-username-autocomplete.yml
deleted file mode 100644
index d9b1015eeb45d668769868f1af2ba21322b8dd2d..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-2717-xss-username-autocomplete.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape user fullname while rendering autocomplete template to prevent XSS
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-fj-crlf-injection.yml b/changelogs/unreleased/security-11-4-fj-crlf-injection.yml
deleted file mode 100644
index 861167b8a6e1a6d0e25385018c606999fa3dfbbb..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-fj-crlf-injection.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix CRLF vulnerability in Project hooks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-4-xss-in-markdown-following-unrecognized-html-element.yml b/changelogs/unreleased/security-11-4-xss-in-markdown-following-unrecognized-html-element.yml
deleted file mode 100644
index 16c4474aadd19587c17d08e97edc8b458c83059d..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-4-xss-in-markdown-following-unrecognized-html-element.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix possible XSS attack in Markdown urls with spaces
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-182-update-workhorse.yml b/changelogs/unreleased/security-182-update-workhorse.yml
deleted file mode 100644
index 76850901b68f8510a71e4df49dd7edf1b8cae6c2..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-182-update-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact sensitive information on gitlab-workhorse log
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2736-prometheus-ssrf.yml b/changelogs/unreleased/security-2736-prometheus-ssrf.yml
deleted file mode 100644
index 9d0dda8a75f37f742d1fec1960a1db0de7ba9123..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2736-prometheus-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not follow redirects in Prometheus service when making http requests to the configured api url
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml b/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml
deleted file mode 100644
index 4cebe814148bc6141312afb1e3c6209aa2ab7d81..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-51113-hash_personal_access_tokens.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Persist only SHA digest of PersonalAccessToken#token
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml b/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
deleted file mode 100644
index 0361fb0c041590ec563773862f72c50ae93e6e93..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-bvl-exposure-in-commits-list.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't expose confidential information in commit message list
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-email-change-notification.yml b/changelogs/unreleased/security-email-change-notification.yml
deleted file mode 100644
index 45075ff20bb5aa50efa3ce7c2067f170c186f321..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-email-change-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Provide email notification when a user changes their email address
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-pat-web-access.yml b/changelogs/unreleased/security-fix-pat-web-access.yml
deleted file mode 100644
index 62ffb908fe532a1c9d50afd896d819c5cd33e15b..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-pat-web-access.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict Personal Access Tokens to API scope on web requests
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-uri-xss-applications.yml b/changelogs/unreleased/security-fix-uri-xss-applications.yml
deleted file mode 100644
index 0eaa1b1c4a30bab05dfc9d877a27a658237098d7..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-uri-xss-applications.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Resolve reflected XSS in Ouath authorize window
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml b/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
deleted file mode 100644
index 32c85a2a7dac89afbd445d8fdfd691dc6cb9ff62..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-webhook-ssrf-ipv6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF in project integrations
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-comments.yml b/changelogs/unreleased/security-guest-comments.yml
deleted file mode 100644
index 2c99512433ba5d7d46517eb800381c8985fda963..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-guest-comments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability to comment on locked/confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guest-comments_2.yml b/changelogs/unreleased/security-guest-comments_2.yml
deleted file mode 100644
index be6f2d6a49070986464b81b8a3c15974b5d53bae..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-guest-comments_2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed ability of guest users to edit/delete comments on locked or confidential issues.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-issue_51301.yml b/changelogs/unreleased/security-issue_51301.yml
deleted file mode 100644
index cf8ebb54b1c8fb4f4687cfb2b38db432f709ab95..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-issue_51301.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix milestone promotion authorization check
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kubeclient-ssrf.yml b/changelogs/unreleased/security-kubeclient-ssrf.yml
deleted file mode 100644
index 45fc41029fce282d728868ea87f352ab833c2967..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-kubeclient-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Monkey kubeclient to not follow any redirects.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mermaid-xss.yml b/changelogs/unreleased/security-mermaid-xss.yml
deleted file mode 100644
index bcf93ef37ff38f027f733b347b20592f3eb3b671..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-mermaid-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Configure mermaid to not render HTML content in diagrams
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pages-toctou-race.yml b/changelogs/unreleased/security-pages-toctou-race.yml
deleted file mode 100644
index 1c055f6087fd76581e52ff3aa1704afabde7ba47..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-pages-toctou-race.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix a possible symlink time of check to time of use race condition in GitLab
-  Pages
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-private-group-11-5.yml b/changelogs/unreleased/security-private-group-11-5.yml
deleted file mode 100644
index dbb7794dfede93776a84c96f33d8cc94a0d46b72..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-private-group-11-5.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Removed ability to see private group names when the group id is entered in
-  the url.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-stored-xss-for-environments.yml b/changelogs/unreleased/security-stored-xss-for-environments.yml
deleted file mode 100644
index 5d78ca00942a72879c33c37e780242b7e9215fa5..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-stored-xss-for-environments.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix stored XSS for Environments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml b/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
deleted file mode 100644
index cdc95a34fcf8eca16786188b20f9efecebd63ae5..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/sh-fix-hipchat-ssrf.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent SSRF attacks in HipChat integration
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml b/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
deleted file mode 100644
index ac6ab7cc3f4cd007ab9c5ebf4a24cdd26a7bb8ef..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/sh-fix-wiki-security-issue-53072.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate Wiki attachments are valid temporary files
-merge_request:
-author:
-type: security