From 7278d3f14262a093ce700db2da5ded6a6ade17f7 Mon Sep 17 00:00:00 2001
From: GitLab Release Tools Bot
Date: Tue, 26 Nov 2019 17:12:51 +0000
Subject: [PATCH] Update CHANGELOG.md for 12.3.7 [ci skip]

---
 CHANGELOG.md | 15 +++++++++++++++
 ...ty-28802-respect-fork-parent-visibility-ee.yml | 5 -----
 .../security-2943-encrypt-plaintext-tokens.yml | 5 -----
 ...urity-ag-cycle-analytics-guest-permissions.yml | 5 -----
 ...ity-dns-rebind-ssrf-in-slack-notifications.yml | 5 -----
 ...urity-dos-issue-and-commit-comments-master.yml | 5 -----
 .../security-exclude_ids_attribute_cleaning.yml | 5 -----
 ...filter-related-branches-from-activity-feed.yml | 6 ------
 .../security-fix-xss-in-label-namespace.yml | 5 -----
 9 files changed, 15 insertions(+), 41 deletions(-)
 delete mode 100644 changelogs/unreleased/security-28802-respect-fork-parent-visibility-ee.yml
 delete mode 100644 changelogs/unreleased/security-2943-encrypt-plaintext-tokens.yml
 delete mode 100644 changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml
 delete mode 100644 changelogs/unreleased/security-dns-rebind-ssrf-in-slack-notifications.yml
 delete mode 100644 changelogs/unreleased/security-dos-issue-and-commit-comments-master.yml
 delete mode 100644 changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
 delete mode 100644 changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
 delete mode 100644 changelogs/unreleased/security-fix-xss-in-label-namespace.yml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c51f879b4f..1c71567317b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -735,6 +735,21 @@ entry.
 - Remove Postgresql specific setup tasks and move to schema.rb.
+## 12.3.7
+
+### Security (9 changes)
+
+- Check permissions before showing a forked project's source.
+- Encrypt application setting tokens.
+- Update Workhorse and Gitaly to fix a security issue.
+- Hide commit counts from guest users in Cycle Analytics.
+- Limit potential for DNS rebind SSRF in chat notifications.
+- Fix 500 error caused by invalid byte sequences in links.
+- Ensure are cleaned by ImportExport::AttributeCleaner.
+- Remove notes regarding Related Branches from Issue activity feeds for guest users.
+- Escape namespace in label references to prevent XSS.
+
+
 ## 12.3.4
 ### Fixed (2 changes)
diff --git a/changelogs/unreleased/security-28802-respect-fork-parent-visibility-ee.yml b/changelogs/unreleased/security-28802-respect-fork-parent-visibility-ee.yml
deleted file mode 100644
index 8872b73a0cc..00000000000
--- a/changelogs/unreleased/security-28802-respect-fork-parent-visibility-ee.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Check permissions before showing a forked project's source
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2943-encrypt-plaintext-tokens.yml b/changelogs/unreleased/security-2943-encrypt-plaintext-tokens.yml
deleted file mode 100644
index d040565da73..00000000000
--- a/changelogs/unreleased/security-2943-encrypt-plaintext-tokens.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Encrypt application setting tokens
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml b/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml
deleted file mode 100644
index c7a3b8923cd..00000000000
--- a/changelogs/unreleased/security-ag-cycle-analytics-guest-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Hide commit counts from guest users in Cycle Analytics.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-dns-rebind-ssrf-in-slack-notifications.yml b/changelogs/unreleased/security-dns-rebind-ssrf-in-slack-notifications.yml
deleted file mode 100644
index 5f9713ef844..00000000000
--- a/changelogs/unreleased/security-dns-rebind-ssrf-in-slack-notifications.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Limit potential for DNS rebind SSRF in chat notifications
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-dos-issue-and-commit-comments-master.yml b/changelogs/unreleased/security-dos-issue-and-commit-comments-master.yml
deleted file mode 100644
index c84cebdcca0..00000000000
--- a/changelogs/unreleased/security-dos-issue-and-commit-comments-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix 500 error caused by invalid byte sequences in links
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml b/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
deleted file mode 100644
index 08fc1393f20..00000000000
--- a/changelogs/unreleased/security-exclude_ids_attribute_cleaning.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ensure are cleaned by ImportExport::AttributeCleaner
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml b/changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
deleted file mode 100644
index 78d87ef37a5..00000000000
--- a/changelogs/unreleased/security-filter-related-branches-from-activity-feed.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Remove notes regarding Related Branches from Issue activity feeds for guest
- users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-xss-in-label-namespace.yml b/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
deleted file mode 100644
index 342cf3e68cb..00000000000
--- a/changelogs/unreleased/security-fix-xss-in-label-namespace.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Escape namespace in label references to prevent XSS
-merge_request:
-author:
-type: security
-- 
GitLab