From 565fe0bffbafa4b26c0c09cd6bebce173e69057c Mon Sep 17 00:00:00 2001 From: GitLab Release Tools Bot Date: Thu, 27 Jun 2019 12:06:51 +0000 Subject: [PATCH] Update CHANGELOG.md for 11.10.8 [ci skip] --- CHANGELOG.md | 20 +++++++++++++++++++ ...-improve-search-controller-performance.yml | 5 ----- .../osw-persist-tmp-snippet-uploads.yml | 5 ----- .../security-11-10-mr-head-pipeline-leak.yml | 5 ----- .../security-2858-fix-color-validation.yml | 5 ----- ...ity-59581-related-merge-requests-count.yml | 5 ----- .../security-DOS_issue_comments_banzai.yml | 5 ----- ...bvl-enforce-graphql-type-authorization.yml | 5 ----- .../security-fix-issue-59379-11-10.yml | 5 ----- ...urity-fp-prevent-billion-laughs-attack.yml | 5 ----- .../security-notes-in-private-snippets.yml | 5 ----- ...tection-of-merge-request-template-name.yml | 5 ----- 12 files changed, 20 insertions(+), 55 deletions(-) delete mode 100644 changelogs/unreleased/fj-59522-improve-search-controller-performance.yml delete mode 100644 changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml delete mode 100644 changelogs/unreleased/security-11-10-mr-head-pipeline-leak.yml delete mode 100644 changelogs/unreleased/security-2858-fix-color-validation.yml delete mode 100644 changelogs/unreleased/security-59581-related-merge-requests-count.yml delete mode 100644 changelogs/unreleased/security-DOS_issue_comments_banzai.yml delete mode 100644 changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml delete mode 100644 changelogs/unreleased/security-fix-issue-59379-11-10.yml delete mode 100644 changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml delete mode 100644 changelogs/unreleased/security-notes-in-private-snippets.yml delete mode 100644 changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index d0d21557e74..85d56d8826e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,26 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.10.8 (2019-06-27) + +### Security (10 changes) + +- Fix Denial of Service for comments when rendering issues/MR comments. +- Gate MR head_pipeline behind read_pipeline ability. +- Fix DoS vulnerability in color validation regex. +- Expose merge requests count based on user access. +- Persist tmp snippet uploads at users. +- Add missing authorizations in GraphQL. +- Disable Rails SQL query cache when applying service templates. +- Prevent Billion Laughs attack. +- Correctly check permissions when creating snippet notes. +- Prevent the detection of merge request templates by unauthorized users. + +### Performance (1 change) + +- Add improvements to global search of issues and merge requests. !27817 + + ## 11.10.7 (2019-06-26) ### Fixed (3 changes) diff --git a/changelogs/unreleased/fj-59522-improve-search-controller-performance.yml b/changelogs/unreleased/fj-59522-improve-search-controller-performance.yml deleted file mode 100644 index c513f3c3aeb..00000000000 --- a/changelogs/unreleased/fj-59522-improve-search-controller-performance.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Add improvements to global search of issues and merge requests -merge_request: 27817 -author: -type: performance diff --git a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml b/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml deleted file mode 100644 index 9348626c41d..00000000000 --- a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Persist tmp snippet uploads at users -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-11-10-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-11-10-mr-head-pipeline-leak.yml deleted file mode 100644 index fe8c4dfb3c8..00000000000 --- a/changelogs/unreleased/security-11-10-mr-head-pipeline-leak.yml +++ /dev/null 
@@ -1,5 +0,0 @@
----
-title: Gate MR head_pipeline behind read_pipeline ability.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2858-fix-color-validation.yml b/changelogs/unreleased/security-2858-fix-color-validation.yml
deleted file mode 100644
index 3430207a2b6..00000000000
--- a/changelogs/unreleased/security-2858-fix-color-validation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix DoS vulnerability in color validation regex
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59581-related-merge-requests-count.yml b/changelogs/unreleased/security-59581-related-merge-requests-count.yml
deleted file mode 100644
index 83faa2f7c13..00000000000
--- a/changelogs/unreleased/security-59581-related-merge-requests-count.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expose merge requests count based on user access
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
deleted file mode 100644
index 2405b1a4f5f..00000000000
--- a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix Denial of Service for comments when rendering issues/MR comments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml b/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
deleted file mode 100644
index 7dedb9f6230..00000000000
--- a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add missing authorizations in GraphQL
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-issue-59379-11-10.yml b/changelogs/unreleased/security-fix-issue-59379-11-10.yml
deleted file mode 100644
index a6c3ce14dce..00000000000
--- a/changelogs/unreleased/security-fix-issue-59379-11-10.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable Rails SQL query cache when applying service templates
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml b/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
deleted file mode 100644
index 4e0cf848931..00000000000
--- a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent Billion Laughs attack
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-notes-in-private-snippets.yml b/changelogs/unreleased/security-notes-in-private-snippets.yml
deleted file mode 100644
index 907d98cb16d..00000000000
--- a/changelogs/unreleased/security-notes-in-private-snippets.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Correctly check permissions when creating snippet notes
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
deleted file mode 100644
index d7bb884cb4b..00000000000
--- a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent the detection of merge request templates by unauthorized users
-merge_request:
-author:
-type: security
-- GitLab