[merge-train skip]

[ci skip]

[ci skip]

Do not create a pipeline on MR refresh if source branch was deleted

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4524



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Igor Drozdov <idrozdov@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Patrick Bajao authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-mr-delete-source-branch-no-pipeline-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4524

Changelog: security

Escape OAuth application name on authorize page

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4519



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Andrew Evans <aevans@gitlab.com>
Reviewed-by: Andrew Evans <aevans@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

Drew Blessing authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-dblessing_oauth_authorization_html_escape-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4519

Changelog: security

Prevent guest access to project templates

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4450



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>
Reviewed-by: Ash McKenzie <amckenzie@gitlab.com>
Co-authored-by: Emma Park <epark@gitlab.com>

Emma Park authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-462108/disclose-project-templates-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4450

Changelog: security

Remove access to local requests via cube query service

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4494



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Halil Coban <hcoban@gitlab.com>
Co-authored-by: Max Woolf <max@woolf.io>

Max Woolf authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-product-analytics-ssrf-cube-localhost-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4494

Changelog: security

External webhook token should be set

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4512



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dylan Griffith <dyl.griffith@gmail.com>
Co-authored-by: Ash McKenzie <amckenzie@gitlab.com>

Jerry Seto authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-revert-19072-alt-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4512

Changelog: security

Skip content when listing conflict files with types

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4515



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Jarka Košanová <jarka@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Patrick Bajao authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-mr-conflicts-slow-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4515

Changelog: security

Hide version info from unauthorized users

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4502



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gary Holtz <gholtz@gitlab.com>
Co-authored-by: Paul Gascou-Vaillancourt <paul.gascvail@gmail.com>

Paul Gascou-Vaillancourt authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-instance-version-publicly-disclosed-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4502

Changelog: security

Prevent deploy keys from pushing code to an archived project

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4488



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Ethan Urie <eurie@gitlab.com>
Co-authored-by: Tiger <twatson@gitlab.com>

Tiger Watson authored 4 months ago and GitLab Release Tools Bot committed 4 months ago

Merge branch 'security-prevent-deploy-key-pushing-to-archived-project-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4488

Changelog: security

Ensure restricted visibility levels is an array - 17.2 backport

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168016



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Co-authored-by: Alex Pooley <apooley@gitlab.com>

Changelog: fixed

Skip multi-version upgrade job for stable branch MRs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166883



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Nailia Iskhakova <niskhakova@gitlab.com>

To resolve CI pipelines in backports

Signed-off-by: Nailia Iskhakova <niskhakova@gitlab.com>

[merge-train skip]

[ci skip]

[ci skip]

Implement input sanitization for SummarizeComments

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4412



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Ethan Urie <eurie@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: dillonwheeler <dwheeler@gitlab.com>

Dillon Wheeler authored 5 months ago and Mayra Cabrera committed 5 months ago

Merge branch 'security-duo-chat-issue-summary-prompt-injection-1-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4412

Changelog: security

Hide system notes with invalid references

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4484



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>

Heinrich Lee Yu authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-hide-system-notes-with-invalid-references-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4484

Changelog: security

Reset dependency proxy maven credentials when registry url is changed

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4459



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>

Rad Batnag authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-1180-fix-dependency-proxy-leak-17-2' into '17-2-stable-ee'

See merge request gitlab-org/security/gitlab!4459

Changelog: security

Update OpenSSL v3 callout to delay update to GitLab 17.7

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166935



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>

This gives users more time to prepare for the upgrade.

[merge-train skip]

Improve OpenSSL callout message

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166183



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

The previous message made it sound like everything needed to use
OpenSSL 3. Revise this message to make it clear that TLS 1.2+
is needed for TLS connections, and ensure that we mention ciphers
and bits of encryption.

[merge-train skip]

[ci skip]