From a0cf5c6854cecd78cf2b792596e8aae82f35e97f Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot
Date: Thu, 27 Jun 2019 12:08:17 +0000
Subject: [PATCH] Update CHANGELOG.md for 11.11.5 [ci skip]

---
 CHANGELOG.md | 16 ++++++++++++++++
 .../osw-persist-tmp-snippet-uploads.yml | 5 -----
 .../security-11-11-mr-head-pipeline-leak.yml | 5 -----
 .../security-2858-fix-color-validation.yml | 5 -----
 ...curity-59581-related-merge-requests-count.yml | 5 -----
 .../security-DOS_issue_comments_banzai.yml | 5 -----
 ...ty-bvl-enforce-graphql-type-authorization.yml | 5 -----
 ...security-fp-prevent-billion-laughs-attack.yml | 5 -----
 .../security-notes-in-private-snippets.yml | 5 -----
 ...-detection-of-merge-request-template-name.yml | 5 -----
 .../unreleased/sh-service-template-bug.yml | 5 -----
 11 files changed, 16 insertions(+), 50 deletions(-)
 delete mode 100644 changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml
 delete mode 100644 changelogs/unreleased/security-11-11-mr-head-pipeline-leak.yml
 delete mode 100644 changelogs/unreleased/security-2858-fix-color-validation.yml
 delete mode 100644 changelogs/unreleased/security-59581-related-merge-requests-count.yml
 delete mode 100644 changelogs/unreleased/security-DOS_issue_comments_banzai.yml
 delete mode 100644 changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
 delete mode 100644 changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
 delete mode 100644 changelogs/unreleased/security-notes-in-private-snippets.yml
 delete mode 100644 changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
 delete mode 100644 changelogs/unreleased/sh-service-template-bug.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bcb344a73b2..50a12aa24f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,22 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 11.11.5 (2019-06-27)
+
+### Security (10 changes)
+
+- Disable Rails SQL query cache when applying service templates. !30060
+- Add missing authorizations in GraphQL.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+- Persist tmp snippet uploads at users.
+
+
 ## 11.11.4 (2019-06-26)
 ### Fixed (3 changes)
diff --git a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml b/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml
deleted file mode 100644
index 9348626c41d..00000000000
--- a/changelogs/unreleased/osw-persist-tmp-snippet-uploads.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Persist tmp snippet uploads at users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-11-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-11-11-mr-head-pipeline-leak.yml
deleted file mode 100644
index fe8c4dfb3c8..00000000000
--- a/changelogs/unreleased/security-11-11-mr-head-pipeline-leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Gate MR head_pipeline behind read_pipeline ability.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2858-fix-color-validation.yml b/changelogs/unreleased/security-2858-fix-color-validation.yml
deleted file mode 100644
index 3430207a2b6..00000000000
--- a/changelogs/unreleased/security-2858-fix-color-validation.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix DoS vulnerability in color validation regex
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59581-related-merge-requests-count.yml b/changelogs/unreleased/security-59581-related-merge-requests-count.yml
deleted file mode 100644
index 83faa2f7c13..00000000000
--- a/changelogs/unreleased/security-59581-related-merge-requests-count.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expose merge requests count based on user access
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml b/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
deleted file mode 100644
index 2405b1a4f5f..00000000000
--- a/changelogs/unreleased/security-DOS_issue_comments_banzai.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix Denial of Service for comments when rendering issues/MR comments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml b/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
deleted file mode 100644
index 7dedb9f6230..00000000000
--- a/changelogs/unreleased/security-bvl-enforce-graphql-type-authorization.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add missing authorizations in GraphQL
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml b/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
deleted file mode 100644
index 4e0cf848931..00000000000
--- a/changelogs/unreleased/security-fp-prevent-billion-laughs-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent Billion Laughs attack
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-notes-in-private-snippets.yml b/changelogs/unreleased/security-notes-in-private-snippets.yml
deleted file mode 100644
index 907d98cb16d..00000000000
--- a/changelogs/unreleased/security-notes-in-private-snippets.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Correctly check permissions when creating snippet notes
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
deleted file mode 100644
index d7bb884cb4b..00000000000
--- a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent the detection of merge request templates by unauthorized users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-service-template-bug.yml b/changelogs/unreleased/sh-service-template-bug.yml
deleted file mode 100644
index be5d719c6b2..00000000000
--- a/changelogs/unreleased/sh-service-template-bug.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable Rails SQL query cache when applying service templates
-merge_request: 30060
-author:
-type: security
-- 
GitLab