diff --git a/CHANGELOG.md b/CHANGELOG.md
index d0d21557e749547b07f4ac28f88f912a7f85a0de..85d56d8826e5956393ba1b303111dd28713c503b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,26 @@
 documentation](doc/development/changelog.md) for instructions on adding your own entry.
 
 
+## 11.10.8 (2019-06-27)
+
+### Security (10 changes)
+
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Persist tmp snippet uploads at users.
+- Add missing authorizations in GraphQL.
+- Disable Rails SQL query cache when applying service templates.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+
+### Performance (1 change)
+
+- Add improvements to global search of issues and merge requests. !27817
+
+
 ## 11.10.7 (2019-06-26)
 
 ### Fixed (3 changes)
diff --git a/changelogs/unreleased/fj-59522-improve-search-controller-performance.yml b/changelogs/unreleased/fj-59522-improve-search-controller-performance.yml
deleted file mode 100644
index c513f3c3aebdf372e84aac014f9de97b89b5d00f..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/fj-59522-improve-search-controller-performance.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add improvements to global search of issues and merge requests
-merge_request: 27817
-author:
-type: performance
diff --git a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml b/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml
deleted file mode 100644
index 9348626c41dd1b246c4b3c58b921f035fcbf40b8..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Persist tmp snippet uploads at users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-10-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-11-10-mr-head-pipeline-leak.yml
deleted file mode 100644
index fe8c4dfb3c81889ceb26e096074d8d562f46f2b7..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-11-10-mr-head-pipeline-leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Gate MR head_pipeline behind read_pipeline ability.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2858-fix-color-validation.yml b/changelogs/unreleased/security-2858-fix-color-validation.yml
deleted file mode 100644
index 3430207a2b6046e1d609bcb5a137d2b1c5581628..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-2858-fix-color-validation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix DoS vulnerability in color validation regex
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59581-related-merge-requests-count.yml b/changelogs/unreleased/security-59581-related-merge-requests-count.yml
deleted file mode 100644
index 83faa2f7c1375cd55d9518d257784ec49c5311dd..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-59581-related-merge-requests-count.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expose merge requests count based on user access
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
deleted file mode 100644
index 2405b1a4f5fa0135a00290278f5b4bf0e1c17cfe..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix Denial of Service for comments when rendering issues/MR comments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml b/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
deleted file mode 100644
index 7dedb9f6230241edf4daeb8cb62476bcf76d4e89..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add missing authorizations in GraphQL
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-issue-59379-11-10.yml b/changelogs/unreleased/security-fix-issue-59379-11-10.yml
deleted file mode 100644
index a6c3ce14dcee0977048b6e8410a87c64c2bb86ff..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-issue-59379-11-10.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable Rails SQL query cache when applying service templates
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml b/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
deleted file mode 100644
index 4e0cf848931af561d9abebeb4e83807e64e741ad..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent Billion Laughs attack
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-notes-in-private-snippets.yml b/changelogs/unreleased/security-notes-in-private-snippets.yml
deleted file mode 100644
index 907d98cb16d3619fd45e873ee8e982bfae5d0238..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-notes-in-private-snippets.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Correctly check permissions when creating snippet notes
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
deleted file mode 100644
index d7bb884cb4b54490a6360d13b609d23042491c7e..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent the detection of merge request templates by unauthorized users
-merge_request:
-author:
-type: security