diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc6df650d281b917e9652dab0e62236106edd039..3f9b53846b91ea52c4f1e386bbb861512ef4ab64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,29 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 12.8.8 (2020-03-26)
+
+### Security (17 changes)
+
+- Redact notes in moved confidential issues.
+- Ignore empty remote_id params from Workhorse accelerated uploads.
+- External user can not create personal snippet through API.
+- Prevent malicious entry for group name.
+- Restrict mirroring changes to admins only when mirroring is disabled.
+- Reject all container registry requests from blocked users.
+- Deny localhost requests on fogbugz importer.
+- Change GitHub service integration token input to password.
+- Add permission check for pipeline status of MR.
+- Fix UploadRewriter Path Traversal vulnerability.
+- Block hotlinking to repository archives.
+- Restrict access to project pipeline metrics reports.
+- vulnerability_feedback records should be restricted to a dev role and above.
+- Exclude Carrierwave remote URL methods from import.
+- Update Nokogiri to fix CVE-2020-7595.
+- Prevent updating trigger by other maintainers.
+- Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown.
+
+
 ## 12.8.7 (2020-03-16)

 ### Fixed (1 change, 1 of them is from the community)
diff --git a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml b/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
deleted file mode 100644
index 54ee6ac9048cbf4e2e420b56f87dedd60a3573d2..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact notes in moved confidential issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml b/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
deleted file mode 100644
index c871e1615e0bff59ca54b0eb6d959d8320ab3e57..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ignore empty remote_id params from Workhorse accelerated uploads
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml b/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
deleted file mode 100644
index 135fdfe715353383c2d9aabf38bf8083c3e27918..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: External user can not create personal snippet through API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-backend-xss-admin-email.yml b/changelogs/unreleased/security-backend-xss-admin-email.yml
deleted file mode 100644
index 82f97cd719a212bc3cc6f7bb3d756439e3954dd1..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-backend-xss-admin-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent malicious entry for group name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-disable-mirroring-fix.yml b/changelogs/unreleased/security-disable-mirroring-fix.yml
deleted file mode 100644
index 1b0a6a875150ebad8b84b47a3d0ce9fee3254604..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-disable-mirroring-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict mirroring changes to admins only when mirroring is disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-docker-blocked-users.yml b/changelogs/unreleased/security-docker-blocked-users.yml
deleted file mode 100644
index 6e34506e7fde83fb1f5a25ad28d73cd4be5db2a8..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-docker-blocked-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reject all container registry requests from blocked users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml b/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
deleted file mode 100644
index ecc0547071779a2c8ece6d77360608a00e010742..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deny localhost requests on fogbugz importer
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mask-gh-service-password.yml b/changelogs/unreleased/security-mask-gh-service-password.yml
deleted file mode 100644
index cabbee204eb6cfa406e4e6a263df06d38664e774..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-mask-gh-service-password.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Change GitHub service integration token input to password
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml b/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
deleted file mode 100644
index 598804bd0a716ea12435fe243f91924d2aeff8f1..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add permission check for pipeline status of MR
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-path-traversal-master.yml b/changelogs/unreleased/security-path-traversal-master.yml
deleted file mode 100644
index d5e269823ea5f7a8feaac397cf01cd932e243079..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-path-traversal-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix UploadRewriter Path Traversal vulnerability
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-repository-archive-hotlinking.yml b/changelogs/unreleased/security-repository-archive-hotlinking.yml
deleted file mode 100644
index cf87ea488f05e2cd5fabe6fb57d5ab65532f56a6..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-repository-archive-hotlinking.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block hotlinking to repository archives
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml b/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
deleted file mode 100644
index 20c24aa6bdfca012c84631bf02703f699161ffcb..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict access to project pipeline metrics reports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml b/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
deleted file mode 100644
index 5de5fc761fdb79ff28b45cfb13ce079924210c6c..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: vulnerability_feedback records should be restricted to a dev role and above
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
deleted file mode 100644
index bb5e3e545745c81f4901ed202e7b3bcf31bc96e4..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-ssrf-attachment-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exclude Carrierwave remote URL methods from import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml b/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
deleted file mode 100644
index 58ad219f0eb8b3f2e2b004d1090fb521ffd02f32..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update Nokogiri to fix CVE-2020-7595
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
deleted file mode 100644
index f7bef1589a2251f7e73f76c6d82914654b9fb405..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent updating trigger by other maintainers
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml b/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
deleted file mode 100644
index fe31f1167eb834464f049db77c8a8248549e35ba..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
-merge_request:
-author:
-type: security