From b3cca6f544c82bdbe738875c76ca57176d52cc00 Mon Sep 17 00:00:00 2001 From: Robert Speicher Date: Mon, 29 Jul 2019 08:57:34 -0500 Subject: [PATCH] Revert "Update CHANGELOG.md for 11.11.6" This reverts commit 9afc6928d2c898dea6fbb4845e037e9ecd57ad24. --- CHANGELOG.md | 15 --------------- ...3-blocked-user-slash-command-bypass-master.yml | 5 +++++ ...60143-patch-additional-xss-vector-in-wikis.yml | 5 +++++ .../unreleased/security-bvl-filter-mr-params.yml | 5 +++++ .../unreleased/security-dns-ssrf-bypass.yml | 5 +++++ ...ty-fix-badges-leaked-to-unauthorized-users.yml | 5 +++++ .../unreleased/security-github-ssrf-redirect.yml | 5 +++++ .../unreleased/security-hide_moved_issue_id.yml | 5 +++++ .../security-mr-pipeline-permissions.yml | 5 +++++ ...rity-remove-take-trigger-ownership-feature.yml | 5 +++++ 10 files changed, 45 insertions(+), 15 deletions(-) create mode 100644 changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml create mode 100644 changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml create mode 100644 changelogs/unreleased/security-bvl-filter-mr-params.yml create mode 100644 changelogs/unreleased/security-dns-ssrf-bypass.yml create mode 100644 changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml create mode 100644 changelogs/unreleased/security-github-ssrf-redirect.yml create mode 100644 changelogs/unreleased/security-hide_moved_issue_id.yml create mode 100644 changelogs/unreleased/security-mr-pipeline-permissions.yml create mode 100644 changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index ce794c18d78..89e05a9de80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,21 +2,6 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. -## 11.11.6 - -### Security (9 changes) - -- Restrict slash commands to users who can log in. -- Patch XSS issue in wiki links. -- Filter merge request params on the new merge request page. -- Fix Server Side Request Forgery mitigation bypass. -- Show badges if pipelines are public otherwise default to project permissions. -- Do not allow localhost url redirection in GitHub Integration. -- Do not show moved issue id for users that cannot read issue. -- Use source project as permissions reference for MergeRequestsController#pipelines. -- Drop feature to take ownership of trigger token. - - ## 11.11.5 (2019-06-27) - No changes. diff --git a/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml b/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml new file mode 100644 index 00000000000..cd31fe0f35c --- /dev/null +++ b/changelogs/unreleased/security-2873-blocked-user-slash-command-bypass-master.yml @@ -0,0 +1,5 @@ +--- +title: Restrict slash commands to users who can log in +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml b/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml new file mode 100644 index 00000000000..a8a26d5fc56 --- /dev/null +++ b/changelogs/unreleased/security-60143-patch-additional-xss-vector-in-wikis.yml @@ -0,0 +1,5 @@ +--- +title: Patch XSS issue in wiki links +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-bvl-filter-mr-params.yml b/changelogs/unreleased/security-bvl-filter-mr-params.yml new file mode 100644 index 00000000000..4433ec73b7c --- /dev/null +++ b/changelogs/unreleased/security-bvl-filter-mr-params.yml @@ -0,0 +1,5 @@ +--- +title: Filter merge request params on the new merge request page +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-dns-ssrf-bypass.yml b/changelogs/unreleased/security-dns-ssrf-bypass.yml new file mode 100644 index 00000000000..e48696ce5bd --- /dev/null +++ b/changelogs/unreleased/security-dns-ssrf-bypass.yml @@ -0,0 +1,5 @@ +--- +title: Fix Server Side Request Forgery mitigation bypass +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml new file mode 100644 index 00000000000..9526f3c559f --- /dev/null +++ b/changelogs/unreleased/security-fix-badges-leaked-to-unauthorized-users.yml @@ -0,0 +1,5 @@ +--- +title: Show badges if pipelines are public otherwise default to project permissions. +erge_request: +author: +type: security diff --git a/changelogs/unreleased/security-github-ssrf-redirect.yml b/changelogs/unreleased/security-github-ssrf-redirect.yml new file mode 100644 index 00000000000..36a36de3eb0 --- /dev/null +++ b/changelogs/unreleased/security-github-ssrf-redirect.yml @@ -0,0 +1,5 @@ +--- +title: Do not allow localhost url redirection in GitHub Integration +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-hide_moved_issue_id.yml b/changelogs/unreleased/security-hide_moved_issue_id.yml new file mode 100644 index 00000000000..24353d797c9 --- /dev/null +++ b/changelogs/unreleased/security-hide_moved_issue_id.yml @@ -0,0 +1,5 @@ +--- +title: Do not show moved issue id for users that cannot read issue +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-mr-pipeline-permissions.yml b/changelogs/unreleased/security-mr-pipeline-permissions.yml new file mode 100644 index 00000000000..a317c93228c --- /dev/null +++ b/changelogs/unreleased/security-mr-pipeline-permissions.yml @@ -0,0 +1,5 @@ +--- +title: Use source project as permissions reference for MergeRequestsController#pipelines +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml b/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml new file mode 100644 index 00000000000..201f66e1f18 --- /dev/null +++ b/changelogs/unreleased/security-remove-take-trigger-ownership-feature.yml @@ -0,0 +1,5 @@ +--- +title: Drop feature to take ownership of trigger token. +merge_request: +author: +type: security -- GitLab