[merge-train skip]

[ci skip]

[ci skip]

Implement input sanitization for SummarizeComments

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4411



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Ethan Urie <eurie@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: dillonwheeler <dwheeler@gitlab.com>

Dillon Wheeler authored 5 months ago and Mayra Cabrera committed 5 months ago

Merge branch 'security-duo-chat-issue-summary-prompt-injection-1-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4411

Changelog: security

Hide system notes with invalid references

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4483



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Bob Van Landuyt <bob@gitlab.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>

Heinrich Lee Yu authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-hide-system-notes-with-invalid-references-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4483

Changelog: security

Reset dependency proxy maven credentials when registry url is changed

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4458



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>

Rad Batnag authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-1180-fix-dependency-proxy-leak-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4458

Changelog: security

Update OpenSSL v3 callout to delay update to GitLab 17.7

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166934



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>

This gives users more time to prepare for the upgrade.

[merge-train skip]

Fix Code Review AI features policies to check duo features enabled toggle

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166302



Merged-by: Gary Holtz <gholtz@gitlab.com>
Approved-by: Gary Holtz <gholtz@gitlab.com>
Approved-by: mo khan <mo@mokhan.ca>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

Improve OpenSSL callout message

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166181



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

The previous message made it sound like everything needed to use
OpenSSL 3. Revise this message to make it clear that TLS 1.2+
is needed for TLS connections, and ensure that we mention ciphers
and bits of encryption.

Fix Code Review AI features policies to check duo features enabled toggle

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165021



Merged-by: Jarka Košanová <jarka@gitlab.com>
Approved-by: Jan Provaznik <jprovaznik@gitlab.com>
Approved-by: Jarka Košanová <jarka@gitlab.com>
Reviewed-by: Jarka Košanová <jarka@gitlab.com>
Reviewed-by: Patrick Bajao <ebajao@gitlab.com>
Reviewed-by: Gosia Ksionek <mksionek@gitlab.com>
Co-authored-by: Patrick Bajao <ebajao@gitlab.com>

(cherry picked from commit 2a2568ed)

3ed56e62 Fix Duo for CLI policy to check instance setting for SM
a9d74e74 Fix Generate Commit Message policy to check project settings
fce8d092 Remove unneeded use of safe navigation operator

Co-authored-by: Jarka Košanová <jarka@gitlab.com>

[merge-train skip]

[ci skip]

[ci skip]

Update ruby-saml and omniauth-saml

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166059



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Andrew Evans <aevans@gitlab.com>
Approved-by: Greg Alfaro <galfaro@gitlab.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

Upgrade bundler for the GitLab Backup CLI gem

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166063



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Approved-by: Stan Hu <stanhu@gmail.com>
Approved-by: Jennifer Li <jli@gitlab.com>
Co-authored-by: Gabriel Mazetto <gabriel@gitlab.com>

[merge-train skip]

[ci skip]

[ci skip]

Revert "Merge branch 'security-psk-fix-external-wiki-integration-dos-17-3' into '17-3-stable-ee'"

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4453



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: John T Skarbek <jtslear@gmail.com>

Ameya Darshan authored 5 months ago and Mayra Cabrera committed 5 months ago

Merge branch 'revert-89504a1f' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4453

Changelog: security

Improve OpenSSL 3 upgrading warning notes

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165585



Merged-by: Stan Hu <stanhu@gmail.com>
Approved-by: Achilleas Pipinellis <axil@gitlab.com>
Approved-by: Eduardo Sanz García <esanz-garcia@gitlab.com>

Fix the vulnerability in the glm_source parameter

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4436



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gabriel Mazetto <gabriel@gitlab.com>
Co-authored-by: Doug Stull <dstull@gitlab.com>

Doug Stull authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'cherry-pick-98bf5baa-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4436

Changelog: security

Improve GraphQL log security

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4400



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
Reviewed-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com>
Co-authored-by: Radamanthus Batnag <rbatnag@gitlab.com>

Rad Batnag authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-1164-confidential-issue-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4400

Changelog: security

Add permissions check to project creations from a project template

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4443



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gavin Hinfey <ghinfey@gitlab.com>
Co-authored-by: Fred Reinink <freinink@gitlab.com>

Fred Reinink authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-custom-templates-source-code-disclosure-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4443

Changelog: security

Fix credentials disclosure in mirroring failure

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4446



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Co-authored-by: Olaoluwa Oluro <olaoluro@gitlab.com>

Ola Oluro authored 5 months ago and GitLab Release Tools Bot committed 5 months ago

Merge branch 'security-scp-url-sanitizer-17-3' into '17-3-stable-ee'

See merge request gitlab-org/security/gitlab!4446

Changelog: security

Redirect url in the link validated for being external

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4440



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: smriti <sgarg@gitlab.com>