From ad9642d6719b77aa9ad0e55bfb2baca588f4b5ba Mon Sep 17 00:00:00 2001 
From: GitLab Release Tools Bot
Date: Thu, 26 Mar 2020 12:17:47 +0000
Subject: [PATCH] Update CHANGELOG.md for 12.8.8 [ci skip]
---
CHANGELOG.md | 23 +++++++++++++++++++
...act-notes-in-moved-confidential-issues.yml | 5 ----
...3100-ignore-duplicate-multipart-params.yml | 5 ----
...security-59-prevent-create-api-snippet.yml | 5 ----
.../security-backend-xss-admin-email.yml | 5 ----
.../security-disable-mirroring-fix.yml | 5 ----
.../security-docker-blocked-users.yml | 5 ----
...gbugz-importer-deny-localhost-requests.yml | 5 ----
.../security-mask-gh-service-password.yml | 5 ----
...ty-mr-pipeline-status-permission-check.yml | 5 ----
.../security-path-traversal-master.yml | 5 ----
...security-repository-archive-hotlinking.yml | 5 ----
...rity-restrict-project-pipeline-metrics.yml | 5 ----
...security-rf-vulnerability-metadata-fix.yml | 5 ----
.../security-ssrf-attachment-url.yml | 5 ----
...security-update-nokogiri-cve-2020-7595.yml | 5 ----
...ription-of-trigger-by-other-maintainer.yml | 5 ----
...ility-in-admin-send-email-notification.yml | 5 ----
18 files changed, 23 insertions(+), 85 deletions(-)
delete mode 100644 changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
delete mode 100644 changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
delete mode 100644 changelogs/unreleased/security-59-prevent-create-api-snippet.yml
delete mode 100644 changelogs/unreleased/security-backend-xss-admin-email.yml
delete mode 100644 changelogs/unreleased/security-disable-mirroring-fix.yml
delete mode 100644 changelogs/unreleased/security-docker-blocked-users.yml
delete mode 100644 changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
delete mode 100644 changelogs/unreleased/security-mask-gh-service-password.yml
delete mode 100644 changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
delete mode 100644 changelogs/unreleased/security-path-traversal-master.yml
delete mode 100644
changelogs/unreleased/security-repository-archive-hotlinking.yml
delete mode 100644 changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
delete mode 100644 changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
delete mode 100644 changelogs/unreleased/security-ssrf-attachment-url.yml
delete mode 100644 changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
delete mode 100644 changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
delete mode 100644 changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc6df650d28..3f9b53846b9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,29 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 12.8.8 (2020-03-26)
+
+### Security (17 changes)
+
+- Redact notes in moved confidential issues.
+- Ignore empty remote_id params from Workhorse accelerated uploads.
+- External user can not create personal snippet through API.
+- Prevent malicious entry for group name.
+- Restrict mirroring changes to admins only when mirroring is disabled.
+- Reject all container registry requests from blocked users.
+- Deny localhost requests on fogbugz importer.
+- Change GitHub service integration token input to password.
+- Add permission check for pipeline status of MR.
+- Fix UploadRewriter Path Traversal vulnerability.
+- Block hotlinking to repository archives.
+- Restrict access to project pipeline metrics reports.
+- vulnerability_feedback records should be restricted to a dev role and above.
+- Exclude Carrierwave remote URL methods from import.
+- Update Nokogiri to fix CVE-2020-7595.
+- Prevent updating trigger by other maintainers.
+- Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown.
+
+
 ## 12.8.7 (2020-03-16)
 ### Fixed (1 change, 1 of them is from the community)
diff --git a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml b/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
deleted file mode 100644
index 54ee6ac9048..00000000000
--- a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact notes in moved confidential issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml b/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
deleted file mode 100644
index c871e1615e0..00000000000
--- a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ignore empty remote_id params from Workhorse accelerated uploads
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml b/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
deleted file mode 100644
index 135fdfe7153..00000000000
--- a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: External user can not create personal snippet through API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-backend-xss-admin-email.yml b/changelogs/unreleased/security-backend-xss-admin-email.yml
deleted file mode 100644
index 82f97cd719a..00000000000
--- a/changelogs/unreleased/security-backend-xss-admin-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent malicious entry for group name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-disable-mirroring-fix.yml b/changelogs/unreleased/security-disable-mirroring-fix.yml
deleted file mode 100644
index 1b0a6a87515..00000000000
--- a/changelogs/unreleased/security-disable-mirroring-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict mirroring changes to admins only when mirroring is disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-docker-blocked-users.yml b/changelogs/unreleased/security-docker-blocked-users.yml
deleted file mode 100644
index 6e34506e7fd..00000000000
--- a/changelogs/unreleased/security-docker-blocked-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reject all container registry requests from blocked users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml b/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
deleted file mode 100644
index ecc05470717..00000000000
--- a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deny localhost requests on fogbugz importer
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mask-gh-service-password.yml b/changelogs/unreleased/security-mask-gh-service-password.yml
deleted file mode 100644
index cabbee204eb..00000000000
--- a/changelogs/unreleased/security-mask-gh-service-password.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Change GitHub service integration token input to password
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml b/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
deleted file mode 100644
index 598804bd0a7..00000000000
--- a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add permission check for pipeline status of MR
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-path-traversal-master.yml b/changelogs/unreleased/security-path-traversal-master.yml
deleted file mode 100644
index d5e269823ea..00000000000
--- a/changelogs/unreleased/security-path-traversal-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix UploadRewriter Path Traversal vulnerability
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-repository-archive-hotlinking.yml b/changelogs/unreleased/security-repository-archive-hotlinking.yml
deleted file mode 100644
index cf87ea488f0..00000000000
--- a/changelogs/unreleased/security-repository-archive-hotlinking.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block hotlinking to repository archives
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml b/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
deleted file mode 100644
index 20c24aa6bdf..00000000000
--- a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict access to project pipeline metrics reports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml b/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
deleted file mode 100644
index 5de5fc761fd..00000000000
--- a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: vulnerability_feedback records should be restricted to a dev role and above
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
deleted file mode 100644
index bb5e3e54574..00000000000
--- a/changelogs/unreleased/security-ssrf-attachment-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exclude Carrierwave remote URL methods from import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml b/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
deleted file mode 100644
index 58ad219f0eb..00000000000
--- a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update Nokogiri to fix CVE-2020-7595
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
deleted file mode 100644
index f7bef1589a2..00000000000
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent updating trigger by other maintainers
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml b/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
deleted file mode 100644
index fe31f1167eb..00000000000
--- a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
-merge_request:
-author:
-type: security
--
GitLab