[ci skip]

[ci skip]

Prepare 13.1.11-ee release

See merge request gitlab-org/gitlab!41343

Drew Blessing authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Update the 2FA user check to use timestamps

See merge request gitlab-org/gitlab!41327

(cherry picked from commit a69a59e5)

ebb99365 Update the 2FA user check to use timestamps

Douglas Barbosa Alexandre authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Fix ActiveRecord::IrreversibleOrderError during restore from backup

See merge request gitlab-org/gitlab!40789

(cherry picked from commit 43afd667)

fc715de9 Fix ActiveRecord::IrreversibleOrderError during restore from backup
20015839 Move application setting schema check into create_from_defaults

Michael Kozono authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Geo - Create repository updated events when mirrors are updated

Closes #235674

See merge request gitlab-org/gitlab!39295

(cherry picked from commit 035c81a1)

8b2c59c6 Create Geo repository updated events when mirrors are updated
58e27660 Add CHANGELOG entry

Update docs in 13-1-stable-ee to support updated lint test

See merge request gitlab-org/gitlab!41129

[ci skip]

[ci skip]

Protect OAuth endpoints from brute force/password stuffing

See merge request gitlab-org/security/gitlab!792

Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]

[ci skip]

[ci skip]

Security check validity of repository mirror urls

See merge request gitlab-org/security/gitlab!833

Add scopes presence validation on OAuth Application creation

See merge request gitlab-org/security/gitlab!907

Previously if the import URL contained passwords that may look like
hostnames or ports when unescaped, `Addressable::URI` would fail to
parse.

Since we really don't care about the username/password component, remove
them from Gitlab::UrlSanitizer and then check the resulting value.

For security reasons, we need to check the validity of remote URLs to
avoid users specifying blocked URLs (such as localhost)

George Koltsov authored 4 years ago and Drew Blessing committed 4 years ago

- Update OAuth Applications controllers to disallow empty scopes
  application creation

2FA requirement bypass using the API

See merge request gitlab-org/security/gitlab!876

mksionek authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Change the way of treating nil current user

Add specs to new class

Add changelog entry

Add specs for new auth method

Rename Verificator to verifier

Rename method in verifier

Add cr remarks

Add cr remarks

Set maximum limit for profile events

See merge request gitlab-org/security/gitlab!879

GitLab Runner version upgrade

See merge request gitlab-org/security/gitlab!886

Malicious user can block gitlab.com users by exploiting 2FA inheritance logic

See merge request gitlab-org/security/gitlab!801

Previously created sessions remain active after activating 2FA

See merge request gitlab-org/security/gitlab!865

Delete members invites created by users being deleted

See merge request gitlab-org/security/gitlab!830

Pre-generation & Static 2FA Authenticator Secret Code can cause risks to accounts

See merge request gitlab-org/security/gitlab!808

Disabled Repository functionality - Still Able To Access The Project Files and Container Registry via Deploy Token

See merge request gitlab-org/security/gitlab!889

Improper Access Control on Deploy-Key

See merge request gitlab-org/security/gitlab!892

Validate Snippet global id in GraphQL destroy mutation

See merge request gitlab-org/security/gitlab!730

Merge branch 'security-220-dblessing-revoke-remember-me-on-session-revocation-13-1' into '13-1-stable-ee'

Invalidate remember me when an active session is revoked

See merge request gitlab-org/security/gitlab!855

Rate limit on webhooks testing feature

See merge request gitlab-org/security/gitlab!827