From 7dad11b96ea4540b1f83bc53826a3e03f9cdb5c8 Mon Sep 17 00:00:00 2001 
From: GitLab Release Tools Bot Date: Fri, 28 Dec 2018 09:51:27 +0000 Subject: [PATCH] Update CHANGELOG.md for 11.6.1 [ci skip] --- CHANGELOG.md | 25 +++++++++++++++++++ changelogs/unreleased/54427-label-xss.yml | 5 ---- ...ards-components-issue_due_date_spec-js.yml | 5 ---- ...ure-that-build-token-is-always-running.yml | 5 ---- .../fix-security-group-user-removal.yml | 5 ---- ...ty-11-6-54377-label-milestone-name-xss.yml | 5 ---- ...cicd-settings-accessible-to-maintainer.yml | 5 ---- .../security-11-6-guests-jobs-api.yml | 5 ---- ...urity-11-6-secret-ci-variables-exposed.yml | 5 ---- .../security-48259-private-snippet.yml | 5 ---- ...ess-to-mr-issue-when-removed-from-team.yml | 5 ---- ...rity-bvl-fix-cross-project-mr-exposure.yml | 5 ---- ...rity-fix-ssrf-import-url-remote-mirror.yml | 5 ---- .../unreleased/security-import-symlink.yml | 5 ---- .../unreleased/security-master-url-rel.yml | 5 ---- ...curity-refs-available-to-project-guest.yml | 5 ---- ...security-todos_not_redacted_for_guests.yml | 5 ---- 17 files changed, 25 insertions(+), 80 deletions(-) delete mode 100644 changelogs/unreleased/54427-label-xss.yml delete mode 100644 changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml delete mode 100644 changelogs/unreleased/ensure-that-build-token-is-always-running.yml delete mode 100644 changelogs/unreleased/fix-security-group-user-removal.yml delete mode 100644 changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml delete mode 100644 changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml delete mode 100644 changelogs/unreleased/security-11-6-guests-jobs-api.yml delete mode 100644 changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml delete mode 100644 changelogs/unreleased/security-48259-private-snippet.yml delete mode 100644 changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml delete mode 
100644 changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml delete mode 100644 changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml delete mode 100644 changelogs/unreleased/security-import-symlink.yml delete mode 100644 changelogs/unreleased/security-master-url-rel.yml delete mode 100644 changelogs/unreleased/security-refs-available-to-project-guest.yml delete mode 100644 changelogs/unreleased/security-todos_not_redacted_for_guests.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c38e0242b13..26f130d4b71 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,31 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 11.6.1 (2018-12-28)
+
+### Security (15 changes)
+
+- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2740
+- Prevent private snippets from being embeddable.
+- Add subresources removal to member destroy service.
+- Escape html entities in LabelReferenceFilter when no label found.
+- Allow changing group CI/CD settings only for owners.
+- Authorize before reading job information via API.
+- Prevent leaking protected variables for ambiguous refs.
+- Ensure that build token is only used when running.
+- Issuable no longer is visible to users when project can't be viewed.
+- Don't expose cross project repositories through diffs when creating merge reqeusts.
+- Fix SSRF with import_url and remote mirror url.
+- Fix persistent symlink in project import.
+- Set URL rel attribute for broken URLs.
+- Project guests no longer are able to see refs page.
+- Delete confidential todos for user when downgraded to Guest.
+
+### Other (1 change)
+
+- Fix due date test. !23845
+
+
 ## 11.6.0 (2018-12-22)
 ### Security (24 changes, 1 of them is from the community)
diff --git a/changelogs/unreleased/54427-label-xss.yml b/changelogs/unreleased/54427-label-xss.yml
deleted file mode 100644
index 090d1832af2..00000000000
--- a/changelogs/unreleased/54427-label-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape html entities in LabelReferenceFilter when no label found
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml b/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml
deleted file mode 100644
index d2ff095ce55..00000000000
--- a/changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix due date test
-merge_request: 23845
-author:
-type: other
diff --git a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml b/changelogs/unreleased/ensure-that-build-token-is-always-running.yml
deleted file mode 100644
index ec1f73c70ab..00000000000
--- a/changelogs/unreleased/ensure-that-build-token-is-always-running.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure that build token is only used when running
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/fix-security-group-user-removal.yml b/changelogs/unreleased/fix-security-group-user-removal.yml
deleted file mode 100644
index 09d09a96f84..00000000000
--- a/changelogs/unreleased/fix-security-group-user-removal.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add subresources removal to member destroy service
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml b/changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml
deleted file mode 100644
index f2911ce4698..00000000000
--- a/changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape label and milestone titles to prevent XSS in GFM autocomplete
-merge_request: 2740
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml b/changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml
deleted file mode 100644
index 5586fa6cd8e..00000000000
--- a/changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Allow changing group CI/CD settings only for owners.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-6-guests-jobs-api.yml b/changelogs/unreleased/security-11-6-guests-jobs-api.yml
deleted file mode 100644
index 83022e91aca..00000000000
--- a/changelogs/unreleased/security-11-6-guests-jobs-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Authorize before reading job information via API.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml b/changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml
deleted file mode 100644
index 702181065f5..00000000000
--- a/changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent leaking protected variables for ambiguous refs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-48259-private-snippet.yml b/changelogs/unreleased/security-48259-private-snippet.yml
deleted file mode 100644
index 6cf1e5dc694..00000000000
--- a/changelogs/unreleased/security-48259-private-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent private snippets from being embeddable
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml b/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml
deleted file mode 100644
index ab12ba539c1..00000000000
--- a/changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Issuable no longer is visible to users when project can't be viewed
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml b/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml
deleted file mode 100644
index 11aae4428fb..00000000000
--- a/changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't expose cross project repositories through diffs when creating merge reqeusts
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml b/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
deleted file mode 100644
index 7ba7aa21090..00000000000
--- a/changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF with import_url and remote mirror url
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-symlink.yml b/changelogs/unreleased/security-import-symlink.yml
deleted file mode 100644
index fe1b6eccf9e..00000000000
--- a/changelogs/unreleased/security-import-symlink.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix persistent symlink in project import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-master-url-rel.yml b/changelogs/unreleased/security-master-url-rel.yml
deleted file mode 100644
index 75f599f6bcd..00000000000
--- a/changelogs/unreleased/security-master-url-rel.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Set URL rel attribute for broken URLs.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-refs-available-to-project-guest.yml b/changelogs/unreleased/security-refs-available-to-project-guest.yml
deleted file mode 100644
index eb6804c52d3..00000000000
--- a/changelogs/unreleased/security-refs-available-to-project-guest.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Project guests no longer are able to see refs page
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml b/changelogs/unreleased/security-todos_not_redacted_for_guests.yml
deleted file mode 100644
index be0ae9a7193..00000000000
--- a/changelogs/unreleased/security-todos_not_redacted_for_guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Delete confidential todos for user when downgraded to Guest
-merge_request:
-author:
-type: security
-- GitLab