diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d30fc6553fffd807099339bddb98bb71e5919db..62d0ff3f5444dc6454fc1ae4b5b4c8dac2498f75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,22 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 12.0.3 (2019-06-27)
+
+### Security (10 changes)
+
+- Persist tmp snippet uploads at users.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Add missing authorizations in GraphQL.
+- Disable Rails SQL query cache when applying service templates.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+
+
 ## 12.0.2 (2019-06-25)
 
 ### Fixed (7 changes, 1 of them is from the community)
diff --git a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml b/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml
deleted file mode 100644
index 9348626c41dd1b246c4b3c58b921f035fcbf40b8..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Persist tmp snippet uploads at users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-12-0-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-12-0-mr-head-pipeline-leak.yml
deleted file mode 100644
index fe8c4dfb3c81889ceb26e096074d8d562f46f2b7..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-12-0-mr-head-pipeline-leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Gate MR head_pipeline behind read_pipeline ability.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2858-fix-color-validation.yml b/changelogs/unreleased/security-2858-fix-color-validation.yml
deleted file mode 100644
index 3430207a2b6046e1d609bcb5a137d2b1c5581628..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2858-fix-color-validation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix DoS vulnerability in color validation regex
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59581-related-merge-requests-count.yml b/changelogs/unreleased/security-59581-related-merge-requests-count.yml
deleted file mode 100644
index 83faa2f7c1375cd55d9518d257784ec49c5311dd..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-59581-related-merge-requests-count.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expose merge requests count based on user access
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
deleted file mode 100644
index 2405b1a4f5fa0135a00290278f5b4bf0e1c17cfe..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix Denial of Service for comments when rendering issues/MR comments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml b/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
deleted file mode 100644
index 7dedb9f6230241edf4daeb8cb62476bcf76d4e89..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add missing authorizations in GraphQL
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-issue-59379-12-0.yml b/changelogs/unreleased/security-fix-issue-59379-12-0.yml
deleted file mode 100644
index a6c3ce14dcee0977048b6e8410a87c64c2bb86ff..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-issue-59379-12-0.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable Rails SQL query cache when applying service templates
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml b/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
deleted file mode 100644
index 4e0cf848931af561d9abebeb4e83807e64e741ad..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent Billion Laughs attack
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-notes-in-private-snippets.yml b/changelogs/unreleased/security-notes-in-private-snippets.yml
deleted file mode 100644
index 907d98cb16d3619fd45e873ee8e982bfae5d0238..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-notes-in-private-snippets.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Correctly check permissions when creating snippet notes
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
deleted file mode 100644
index d7bb884cb4b54490a6360d13b609d23042491c7e..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent the detection of merge request templates by unauthorized users
-merge_request:
-author:
-type: security