[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Fix prometheus DoS through Workhorse

See merge request gitlab-org/security/gitlab!1145

Deny implicit flow for confidential apps

See merge request gitlab-org/security/gitlab!1140

Set all trusted OAuth apps as confidential

See merge request gitlab-org/security/gitlab!1151

Fix regex backtracking issue in package_name_regex

See merge request gitlab-org/security/gitlab!1110

Fix stealing API token and Prometheus DoS through GitLab Pages

See merge request gitlab-org/security/gitlab!1137

vshushlin authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

it includes 2 security fixes

Update non-negative integer regex to protect against regex DoS

See merge request gitlab-org/security/gitlab!1130

Forbid public cache for private repos

See merge request gitlab-org/security/gitlab!1148

Alper Akgun authored 4 years ago and Mayra Cabrera committed 4 years ago

Fix Redis HLL weekly keys

See merge request gitlab-org/gitlab!50358

Migrate all trusted apps to confidential to avoid
potential access token leak abusing implicit flow

When project is public but the repository is private, we don't
want to cache it as public. In this case, anybody will be able
to see the cached version of the private content during 60s
after an eligible user has viewed it.

Run test at a fixed time

See merge request gitlab-org/gitlab!50488

Albert Salim authored 4 years ago and Patrick Bajao committed 4 years ago

Due to how HLLRedisCounter#weekly_redis_keys converts
dates to calendar week, it would result in an empty
array when the calendar week of end_date occurs before
the calendar week of start_date.

For example, given start_date 2020-12-01 and
end_date 2021-01-01, the calendar week would be reversed,
resulting in empty array from #weekly_redis_keys

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Prepare 13.6.3-ee release

See merge request gitlab-org/gitlab!49686

Simon Knox authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Merge branch '291160-merge-request-doesn-t-fully-render-when-user-is-a-tool-admin-if-not-part-of-project' into 'master'

Fix MR rendering issue when user is tool admin

See merge request gitlab-org/gitlab!49258

(cherry picked from commit 982e2c63)

6721d25c Resolve if user is tool admin on MR
2b3183eb Move changelog out of ee as it affects FOSS also

Kamil Trzcińśki authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Merge branch '291088-pages-uploader-considers-object-storage-enabled-even-if-bucket-isn-t-configured' into 'master'

Fix pages object storage bucket

See merge request gitlab-org/gitlab!49251

(cherry picked from commit 597d5a94)

12c2b28f Fix pages object storage settings

Imre (Admin) authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Merge branch '285076-400-bad-request-during-authentication-due-to-password-format-length-or-special-chars' into 'master'

Resolve ""400 Bad Request" during authentication due to password format (length or special chars)"

See merge request gitlab-org/gitlab!49044

(cherry picked from commit 37f4b059)

496c3612 Add other method to handle strings middleware
218bcfa2 Fix rubocop offence
9a281ff0 Modify string_malformed middleware
d90dcc29 Reformat new specs
227ec822 Add changelog entry

Jan Provaznik authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Resolve Members page 500 error after Invitation sent via API

See merge request gitlab-org/gitlab!48937

(cherry picked from commit 27da16c9)

ba13e6cf Add case to revoke access for requestor that was also invited
2464e35e Remove requested_at being set at invite create
24c0a1c7 Remove requested_at search from invitations tests
d3d9ecee Replace requested_at with created_at for Invitations api
63a59d96 Review feedback: Add changelog and remove spacing

Brandon Labuschagne authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Fix container_registry url for relative urls

See merge request gitlab-org/gitlab!48661

(cherry picked from commit 6de7a81f)

d0828119 Fix container_registry url for relative urls
8c3d539a Add missing changelog

Imre (Admin) authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Fix error 500s creating projects concurrently

See merge request gitlab-org/gitlab!48571

(cherry picked from commit 5552304f)

f1543604 Fix error 500s creating projects concurrently

Stan Hu authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Add Ruby 2.7.2 requirement in version-specific update guide

See merge request gitlab-org/gitlab!48563

(cherry picked from commit c5200338)

1fa3771a Add Ruby 2.7.2 requirement in version-specific update guide

Stan Hu authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

Update Rake check and docs to require Ruby 2.7

See merge request gitlab-org/gitlab!48552

(cherry picked from commit 30ab0ede)

ad40138b Update docs to require Ruby 2.7
dc2796b3 Make Rake task check for Ruby 2.7.2
3be5a596 Update requirements to indicate Ruby 2.7

Evan Read authored 4 years ago and GitLab Release Tools Bot committed 4 years ago

docs: Adds information to clarify busy status feature

See merge request gitlab-org/gitlab!48415

(cherry picked from commit 4e612b80)

307aac2f Adds information to clarfy busy status feature
b8cf808e Apply 2 suggestion(s) to 1 file(s)
e8988ddf Apply 1 suggestion(s) to 1 file(s)

[merge-train skip]

[ci skip]

[ci skip]

[ci skip]

Do not expose starred projects of users with private profile via API

See merge request gitlab-org/security/gitlab!1105