[merge-train skip]

[ci skip]

[ci skip]

Do not create a pipeline on MR refresh if source branch was deleted

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4523



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Igor Drozdov <idrozdov@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Patrick Bajao authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-mr-delete-source-branch-no-pipeline-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4523

Changelog: security

Escape OAuth application name on authorize page

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4518



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Andrew Evans <aevans@gitlab.com>
Reviewed-by: Andrew Evans <aevans@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

Drew Blessing authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-dblessing_oauth_authorization_html_escape-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4518

Changelog: security

Prevent guest access to project templates

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4449



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>
Reviewed-by: Ash McKenzie <amckenzie@gitlab.com>
Co-authored-by: Emma Park <epark@gitlab.com>

Emma Park authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-462108/disclose-project-templates-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4449

Changelog: security

Remove access to local requests via cube query service

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4493



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Halil Coban <hcoban@gitlab.com>
Co-authored-by: Max Woolf <max@woolf.io>

Max Woolf authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-product-analytics-ssrf-cube-localhost-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4493

Changelog: security

External webhook token should be set

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4511



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dylan Griffith <dyl.griffith@gmail.com>
Co-authored-by: Ash McKenzie <amckenzie@gitlab.com>

Jerry Seto authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-revert-19072-alt-17-4-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4511

Changelog: security

Skip content when listing conflict files with types

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4514



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Jarka Košanová <jarka@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Patrick Bajao authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-mr-conflicts-slow-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4514

Changelog: security

Hide version info from unauthorized users

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4501



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gary Holtz <gholtz@gitlab.com>
Co-authored-by: Paul Gascou-Vaillancourt <paul.gascvail@gmail.com>

Paul Gascou-Vaillancourt authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-instance-version-publicly-disclosed-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4501

Changelog: security

Prevent deploy keys from pushing code to an archived project

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4487



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Ethan Urie <eurie@gitlab.com>
Co-authored-by: Tiger <twatson@gitlab.com>

Tiger Watson authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-prevent-deploy-key-pushing-to-archived-project-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4487

Changelog: security

Ensure restricted visibility levels is an array - 17.3 backport

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168015



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Co-authored-by: Alex Pooley <apooley@gitlab.com>

Changelog: fixed

Skip multi-version upgrade job for stable branch MRs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166881



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Nailia Iskhakova <niskhakova@gitlab.com>

To resolve CI pipelines in backports

Signed-off-by: Nailia Iskhakova <niskhakova@gitlab.com>

[merge-train skip]

[ci skip]

[ci skip]

Implement input sanitization for SummarizeComments

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4411



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Ethan Urie <eurie@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: dillonwheeler <dwheeler@gitlab.com>

Dillon Wheeler authored 5 months ago and Mayra Cabrera committed 5 months ago

Merge branch 'security-duo-chat-issue-summary-prompt-injection-1-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4411

Changelog: security

Hide system notes with invalid references

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4483



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>

Heinrich Lee Yu authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-hide-system-notes-with-invalid-references-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4483

Changelog: security

Reset dependency proxy maven credentials when registry url is changed

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4458



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>

Rad Batnag authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-1180-fix-dependency-proxy-leak-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4458

Changelog: security

Update OpenSSL v3 callout to delay update to GitLab 17.7

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166934



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>

This gives users more time to prepare for the upgrade.

[merge-train skip]

Fix Code Review AI features policies to check duo features enabled toggle

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166302



Merged-by: Gary Holtz <gholtz@gitlab.com>
Approved-by: Gary Holtz <gholtz@gitlab.com>
Approved-by: mo khan <mo@mokhan.ca>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Improve OpenSSL callout message

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166181



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

The previous message made it sound like everything needed to use
OpenSSL 3. Revise this message to make it clear that TLS 1.2+
is needed for TLS connections, and ensure that we mention ciphers
and bits of encryption.

Fix Code Review AI features policies to check duo features enabled toggle

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165021



Merged-by: Jarka Košanová <jarka@gitlab.com>
Approved-by: Jan Provaznik <jprovaznik@gitlab.com>
Approved-by: Jarka Košanová <jarka@gitlab.com>
Reviewed-by: Jarka Košanová <jarka@gitlab.com>
Reviewed-by: Patrick Bajao <ebajao@gitlab.com>
Reviewed-by: Gosia Ksionek <mksionek@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

(cherry picked from commit 2a2568ed)

3ed56e62 Fix Duo for CLI policy to check instance setting for SM
a9d74e74 Fix Generate Commit Message policy to check project settings
fce8d092 Remove unneeded use of safe navigation operator

Co-authored-by: Jarka Košanová <jarka@gitlab.com>