diff --git a/CHANGELOG.md b/CHANGELOG.md index c38e0242b1374f12a3ff27a8ef61ba4e945b1a5e..26f130d4b71bf2c386acbcdacd3f194f40e95d33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,31 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.6.1 (2018-12-28) + +### Security (15 changes) + +- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2740 +- Prevent private snippets from being embeddable. +- Add subresources removal to member destroy service. +- Escape html entities in LabelReferenceFilter when no label found. +- Allow changing group CI/CD settings only for owners. +- Authorize before reading job information via API. +- Prevent leaking protected variables for ambiguous refs. +- Ensure that build token is only used when running. +- Issuable no longer is visible to users when project can't be viewed. +- Don't expose cross project repositories through diffs when creating merge reqeusts. +- Fix SSRF with import_url and remote mirror url. +- Fix persistent symlink in project import. +- Set URL rel attribute for broken URLs. +- Project guests no longer are able to see refs page. +- Delete confidential todos for user when downgraded to Guest. + +### Other (1 change) + +- Fix due date test. !23845 + + ## 11.6.0 (2018-12-22) ### Security (24 changes, 1 of them is from the community) diff --git a/changelogs/unreleased/54427-label-xss.yml b/changelogs/unreleased/54427-label-xss.yml deleted file mode 100644 index 090d1832af21356558a7d0dbf2b9d3bd54c3049e..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/54427-label-xss.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Escape html entities in LabelReferenceFilter when no label found -merge_request: -author: -type: security diff --git a/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml b/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml deleted file mode 100644 index d2ff095ce55db681f0ab25e7771ded5971503590..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix due date test -merge_request: 23845 -author: -type: other diff --git a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml b/changelogs/unreleased/ensure-that-build-token-is-always-running.yml deleted file mode 100644 index ec1f73c70ab580e4a63ee40fc25f0115a75c88d3..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Ensure that build token is only used when running -merge_request: -author: -type: security diff --git a/changelogs/unreleased/fix-security-group-user-removal.yml b/changelogs/unreleased/fix-security-group-user-removal.yml deleted file mode 100644 index 09d09a96f848cf72a31fd5119d0648385e465d65..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/fix-security-group-user-removal.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Add subresources removal to member destroy service -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml b/changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml deleted file mode 100644 index f2911ce4698d232297d571ce01b5278e78e73f98..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Escape label and milestone titles to prevent XSS in GFM autocomplete -merge_request: 2740 -author: -type: security diff --git a/changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml b/changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml deleted file mode 100644 index 5586fa6cd8ebf3bc3d3f8a71dc657d84b325a994..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Allow changing group CI/CD settings only for owners. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-11-6-guests-jobs-api.yml b/changelogs/unreleased/security-11-6-guests-jobs-api.yml deleted file mode 100644 index 83022e91acac8ac389ecef22e65964f68280f933..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-11-6-guests-jobs-api.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Authorize before reading job information via API. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml b/changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml deleted file mode 100644 index 702181065f511aae33de8a48da7dda6f6e28c99d..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent leaking protected variables for ambiguous refs. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-48259-private-snippet.yml b/changelogs/unreleased/security-48259-private-snippet.yml deleted file mode 100644 index 6cf1e5dc694f9a318108aa4ae10db6b362b69680..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-48259-private-snippet.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Prevent private snippets from being embeddable -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml b/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml deleted file mode 100644 index ab12ba539c159a2527a331df373d1f71c70c2e09..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Issuable no longer is visible to users when project can't be viewed -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml b/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml deleted file mode 100644 index 11aae4428fb64ecc13f524820ccb9afa7344eb1d..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Don't expose cross project repositories through diffs when creating merge reqeusts -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml b/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml deleted file mode 100644 index 7ba7aa21090323da455206be23807535f99064ee..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix SSRF with import_url and remote mirror url -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-import-symlink.yml b/changelogs/unreleased/security-import-symlink.yml deleted file mode 100644 index fe1b6eccf9e73e365c85bc39894060839ddfcc8e..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-import-symlink.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Fix persistent symlink in project import -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-master-url-rel.yml b/changelogs/unreleased/security-master-url-rel.yml deleted file mode 100644 index 75f599f6bcd4a0eebdd23a10cc18e425be0e6c24..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-master-url-rel.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Set URL rel attribute for broken URLs. -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-refs-available-to-project-guest.yml b/changelogs/unreleased/security-refs-available-to-project-guest.yml deleted file mode 100644 index eb6804c52d342ae6374c877a4f1e1f5c6333eda3..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-refs-available-to-project-guest.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Project guests no longer are able to see refs page -merge_request: -author: -type: security diff --git a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml b/changelogs/unreleased/security-todos_not_redacted_for_guests.yml deleted file mode 100644 index be0ae9a7193d38bcf82ca32a9aa8edca01358209..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Delete confidential todos for user when downgraded to Guest -merge_request: -author: -type: security