diff --git a/CHANGELOG.md b/CHANGELOG.md index ce794c18d78170e42d75dc3bbc88e927a45eb87d..89e05a9de80842afe1a958ee0920367a22467448 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,21 +2,6 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. -## 11.11.6 - -### Security (9 changes) - -- Restrict slash commands to users who can log in. -- Patch XSS issue in wiki links. -- Filter merge request params on the new merge request page. -- Fix Server Side Request Forgery mitigation bypass. -- Show badges if pipelines are public otherwise default to project permissions. -- Do not allow localhost url redirection in GitHub Integration. -- Do not show moved issue id for users that cannot read issue. -- Use source project as permissions reference for MergeRequestsController#pipelines. -- Drop feature to take ownership of trigger token. - - ## 11.11.5 (2019-06-27) - No changes. diff --git a/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml b/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml new file mode 100644 index 0000000000000000000000000000000000000000..cd31fe0f35c2dafc7c4a5f5fe1f60a985826fed7 --- /dev/null +++ b/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml @@ -0,0 +1,5 @@ +--- +title: Restrict slash commands to users who can log in +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml b/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml new file mode 100644 index 0000000000000000000000000000000000000000..a8a26d5fc5605d4d0842d279f4583040d8e34369 --- /dev/null +++ b/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml @@ -0,0 +1,5 @@ +--- +title: Patch XSS issue in wiki links +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-bvl-filter-mr-params.yml b/changelogs/unreleased/security-bvl-filter-mr-params.yml new file mode 100644 index 0000000000000000000000000000000000000000..4433ec73b7c93784e7bd3166f6519ddad2ece546 --- /dev/null +++ b/changelogs/unreleased/security-bvl-filter-mr-params.yml @@ -0,0 +1,5 @@ +--- +title: Filter merge request params on the new merge request page +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-dns-ssrf-bypass.yml b/changelogs/unreleased/security-dns-ssrf-bypass.yml new file mode 100644 index 0000000000000000000000000000000000000000..e48696ce5bd425f64564570f9b5fad2f84fe194f --- /dev/null +++ b/changelogs/unreleased/security-dns-ssrf-bypass.yml @@ -0,0 +1,5 @@ +--- +title: Fix Server Side Request Forgery mitigation bypass +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml new file mode 100644 index 0000000000000000000000000000000000000000..9526f3c559f1cd41ac8d158ea1de4d310a8b5b7b --- /dev/null +++ b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml @@ -0,0 +1,5 @@ +--- +title: Show badges if pipelines are public otherwise default to project permissions. +erge_request: +author: +type: security diff --git a/changelogs/unreleased/security-github-ssrf-redirect.yml b/changelogs/unreleased/security-github-ssrf-redirect.yml new file mode 100644 index 0000000000000000000000000000000000000000..36a36de3eb0e5e03f82936676076418fbb58bed4 --- /dev/null +++ b/changelogs/unreleased/security-github-ssrf-redirect.yml @@ -0,0 +1,5 @@ +--- +title: Do not allow localhost url redirection in GitHub Integration +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-hide_moved_issue_id.yml b/changelogs/unreleased/security-hide_moved_issue_id.yml new file mode 100644 index 0000000000000000000000000000000000000000..24353d797c9ab10c39b3ba2771b32f76089973c1 --- /dev/null +++ b/changelogs/unreleased/security-hide_moved_issue_id.yml @@ -0,0 +1,5 @@ +--- +title: Do not show moved issue id for users that cannot read issue +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-mr-pipeline-permissions.yml b/changelogs/unreleased/security-mr-pipeline-permissions.yml new file mode 100644 index 0000000000000000000000000000000000000000..a317c93228cb13d87dd0981424f368dcd87114d7 --- /dev/null +++ b/changelogs/unreleased/security-mr-pipeline-permissions.yml @@ -0,0 +1,5 @@ +--- +title: Use source project as permissions reference for MergeRequestsController#pipelines +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml b/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml new file mode 100644 index 0000000000000000000000000000000000000000..201f66e1f18fb1939e77e1df91775e953b31f7a7 --- /dev/null +++ b/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml @@ -0,0 +1,5 @@ +--- +title: Drop feature to take ownership of trigger token. +merge_request: +author: +type: security