Commit 3649904e authored by GitLab Release Tools Bot

Update CHANGELOG.md for 11.4.13

[ci skip]
parent 11174c34
Showing 25 additions and 95 deletions
@@ -2,6 +2,31 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
 
## 11.4.13 (2018-12-28)
### Security (19 changes)
- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2742
- Validate LFS hrefs before downloading them.
- Ensure that build token is only used when running.
- Add subresources removal to member destroy service.
- Escape html entities in LabelReferenceFilter when no label found.
- Allow changing group CI/CD settings only for owners.
- Authorize before reading job information via API.
- Prevent leaking protected variables for ambiguous refs.
- Prevent leaking protected variables for ambiguous refs.
- Prevent a path traversal attack on global file templates.
- Prevent private snippets from being embeddable.
- Issuable no longer is visible to users when project can't be viewed.
- Don't expose cross project repositories through diffs when creating merge reqeusts.
- Fix SSRF with import_url and remote mirror url.
- Fix persistent symlink in project import.
- Set URL rel attribute for broken URLs.
- Project guests no longer are able to see refs page.
- Delete confidential todos for user when downgraded to Guest.
- Setting svg disposition as attachment in wikis.
## 11.4.12 (2018-12-20)
 
### Security (1 change)
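Review bot: the 11.4.13 security list contains the same line twice, "Prevent leaking protected variables for ambiguous refs.", so the "(19 changes)" heading counts one fix twice. Either drop the repeat and change the count to 18, or, if these really are two separate fixes that happened to get the same title, reword one of them so a reader can tell which code path each one covers. In the same hunk, "creating merge reqeusts" should read "creating merge requests", and the "## 11.4.12 (2018-12-20)" heading follows the last bullet with no blank line, unlike the other section boundaries in this hunk ("entry." / "## 11.4.13", "## 11.4.12" / "### Security"). Since this commit is generated by release tooling from the unreleased changelog entries that it also deletes, these corrections need a follow-up commit against CHANGELOG.md itself.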
---
title: Escape html entities in LabelReferenceFilter when no label found
merge_request:
author:
type: security
---
title: Prevent a path traversal attack on global file templates
merge_request:
author:
type: security
---
title: Ensure that build token is only used when running
merge_request:
author:
type: security
---
title: Add subresources removal to member destroy service
merge_request:
author:
type: security
---
title: Escape label and milestone titles to prevent XSS in GFM autocomplete
merge_request: 2742
author:
type: security
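Review bot: this is the only entry in the batch whose merge_request field is filled in (2742, rendered as !2742 in the CHANGELOG); the other eighteen render without any reference, so the changelog gives a reader nothing to trace those fixes to. If the ids are deliberately withheld at release time that is fine, otherwise they should be added before the entries are consumed.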
---
title: Allow changing group CI/CD settings only for owners.
merge_request:
author:
type: security
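Review bot: style point, the titles in this batch are inconsistent about a trailing period. This one, "Authorize before reading job information via API.", the two "Prevent leaking protected variables for ambiguous refs." entries and "Set URL rel attribute for broken URLs." end with one; the remaining entries do not. Pick one form so the generated CHANGELOG lines read uniformly.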
---
title: Authorize before reading job information via API.
merge_request:
author:
type: security
---
title: Prevent leaking protected variables for ambiguous refs.
merge_request:
author:
type: security
---
title: Prevent leaking protected variables for ambiguous refs.
merge_request:
author:
type: security
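Review bot: this entry's title is identical to the one removed immediately above it, "Prevent leaking protected variables for ambiguous refs.", which is exactly what produces the doubled line in the generated 11.4.13 section. If these were two distinct fixes, the second title should have been made distinguishable before the release tooling ran; if they are the same fix recorded twice, one of the two files should have been dropped.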
---
title: Validate LFS hrefs before downloading them
merge_request:
author:
type: security
---
title: Prevent private snippets from being embeddable
merge_request:
author:
type: security
---
title: Issuable no longer is visible to users when project can't be viewed
merge_request:
author:
type: security
---
title: Don't expose cross project repositories through diffs when creating merge reqeusts
merge_request:
author:
type: security
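Review bot: "reqeusts" in this title is a typo for "requests", and since this file is the source the release tooling reads, the misspelling is carried verbatim into the generated CHANGELOG line.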
---
title: Fix SSRF with import_url and remote mirror url
merge_request:
author:
type: security
---
title: Fix persistent symlink in project import
merge_request:
author:
type: security
---
title: Set URL rel attribute for broken URLs.
merge_request:
author:
type: security
---
title: Project guests no longer are able to see refs page
merge_request:
author:
type: security
---
title: Delete confidential todos for user when downgraded to Guest
merge_request:
author:
type: security
---
title: Setting svg disposition as attachment in wikis
merge_request:
author:
type: security