Commits · v14.1.2-ee · Maxime Orefice / GitLab

Aug 03, 2021
- Update VERSION files · 0bf9b154
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v14.1.2-ee v14.1.2-ee
  
  0bf9b154
- Update changelog for 14.1.2 · 79bbec00
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  79bbec00
- Update Gitaly version to 14.1.2 · fbdc9137
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  fbdc9137
- Merge branch 'security-validate-project-members-14-1' into '14-1-stable-ee' · 6024b648
  GitLab Release Tools Bot authored 3 years ago
  
  Don't allow to add users to project with email different than group sett See merge request gitlab-org/security/gitlab!1564
  6024b648
- Merge branch 'security-nfriend-hide-project-ci-cd-analytics-for-guests-14-1' into '14-1-stable-ee' · a4a62de2
  Henri Philipps authored 3 years ago
  
  Hide project-level CI/CD Analytics page for Guest users See merge request gitlab-org/security/gitlab!1600
  a4a62de2
- Merge branch... · e299beb1
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-not-allow-to-impersonate-tokens-while-impersonation-is-off-14-1' into '14-1-stable-ee' Block pushing with impersonation token if impersonation is disabled See merge request gitlab-org/security/gitlab!1583
  e299beb1
- Add project member validation for domain limitation · d17016dd
  mksionek authored 3 years ago
  
  Changelog: security
  d17016dd
Aug 02, 2021
- Hide project-level CI/CD Analytics for Guests · ce3b41da
  Nathan Friend authored 3 years ago
  
  This commit updates the project-level CI/CD Analytics page to not be accessible by Guest users of private projects. Changelog: security
  Unverified
  
  ce3b41da
- Merge branch 'security-jivanvl-fix-pipeline-show-page-permissions-14-1' into '14-1-stable-ee' · be958e37
  GitLab Release Tools Bot authored 3 years ago
  
  Add permissions check to pipelines#show action See merge request gitlab-org/security/gitlab!1612
  be958e37
- Merge branch 'security-336301-let-only-guest-members-edit-metadata-14-1' into '14-1-stable-ee' · 033c5baf
  GitLab Release Tools Bot authored 3 years ago
  
  Disallow non-members to set issue metadata on issue create See merge request gitlab-org/security/gitlab!1586
  033c5baf
- Merge branch 'security-email-invite-error-message-14-1' into '14-1-stable-ee' · f708e843
  GitLab Release Tools Bot authored 3 years ago
  
  Do not show email address in error message See merge request gitlab-org/security/gitlab!1596
  f708e843
- Merge branch 'security-300265-14-1' into '14-1-stable-ee' · 85b6a555
  GitLab Release Tools Bot authored 3 years ago
  
  Misleading username could lead to impersonation in using SSH Certificates See merge request gitlab-org/security/gitlab!1609
  85b6a555
- Merge branch 'security-impersonation-tokens-listed-14-1' into '14-1-stable-ee' · dcbea6f2
  GitLab Release Tools Bot authored 3 years ago
  
  Remove impersonation token from api response for non-admin user See merge request gitlab-org/security/gitlab!1565
  dcbea6f2
- Merge branch 'security-security_dblessing_invite_link_any_email-14-1' into '14-1-stable-ee' · e0cac0ed
  GitLab Release Tools Bot authored 3 years ago
  
  Only allow invite to be accepted by user with matching email See merge request gitlab-org/security/gitlab!1632
  e0cac0ed
- Merge branch 'security-djadmin-branch-name-xss-14-1' into '14-1-stable-ee' · 9fcffe9d
  Robert Speicher authored 3 years ago
  
  Add html escaping for default branch name See merge request gitlab-org/security/gitlab!1630
  9fcffe9d
- Merge branch 'security-security_dblessing_omniauth_logging-14-1' into '14-1-stable-ee' · 33d40608
  GitLab Release Tools Bot authored 3 years ago
  
  Configure OmniAuth to use GitLab AppLogger See merge request gitlab-org/security/gitlab!1615
  33d40608
- Merge branch... · 05d486af
  GitLab Release Tools Bot authored 3 years ago
  
  Merge branch 'security-prevent-guests-from-creating-issues-with-sentry-error-14-1' into '14-1-stable-ee' Prevent Guest users from creating issues linked to Sentry errors See merge request gitlab-org/security/gitlab!1587
  05d486af
- Merge branch 'security-customers_dot_oauth_app_id_14-1' into '14-1-stable-ee' · e82c2de0
  GitLab Release Tools Bot authored 3 years ago
  
  Use oauth_app id instead of uid See merge request gitlab-org/security/gitlab!1603
  e82c2de0
- Merge branch 'security-oauth-0-5-6-14-1' into '14-1-stable-ee' · b13f7232
  GitLab Release Tools Bot authored 3 years ago
  
  Updates oauth to 0.5.6 See merge request gitlab-org/security/gitlab!1592
  b13f7232
- Merge branch 'security-fix-protected-environment-access-cleanup-14-1' into '14-1-stable-ee' · 2e4d589d
  GitLab Release Tools Bot authored 3 years ago
  
  Unauthorized User Can Trigger Deployment to the Protected Environment See merge request gitlab-org/security/gitlab!1606
  2e4d589d
- Merge branch 'security-fix-tag-ref-detection-14-1' into '14-1-stable-ee' · fc51066b
  GitLab Release Tools Bot authored 3 years ago
  
  Fix tag ref detection for pipelines See merge request gitlab-org/security/gitlab!1591
  fc51066b
- Merge branch 'security_299039_restrict_access_for_reporter_and_below_14_1' into '14-1-stable-ee' · 39c696de
  GitLab Release Tools Bot authored 3 years ago
  
  Restrict access to instance-level security features for reporters See merge request gitlab-org/security/gitlab!1561
  39c696de
- Merge branch 'security/sh-mermaid-avoid-html-injection-13-11' into '14-1-stable-ee' · 3039bd55
  GitLab Release Tools Bot authored 3 years ago
  
  [14.1] Fix XSS in Mermaid Markdown rendering See merge request gitlab-org/security/gitlab!1488
  3039bd55
- Merge branch 'security-282445-read-todo-target-14-1' into '14-1-stable-ee' · 808bf085
  GitLab Release Tools Bot authored 3 years ago
  
  Filter todos whose target users no longer have access to [RUN AS-IF-FOSS] See merge request gitlab-org/security/gitlab!1556
  808bf085
Jul 30, 2021

Only allow invite to be accepted by user with matching email · 9d9e439c

Drew Blessing authored 3 years ago

Previously, any user was able to accept an invite even if the
user's email addresses didn't match the invite. A note was
displayed but the invite could still be accepted. With this
change, a user without a matching, confirmed email address
is unable to accept the invite.

Changelog: security

Unverified

9d9e439c

Add html escaping for default branch name · 54910100

Dheeraj Joshi authored 3 years ago

This escapes html chars for default branch
name value in initializing repository instructions

This is to prevent XSS vulnerability

Changelog: security

54910100

Jul 28, 2021
- Update VERSION files · f331f932
  GitLab Release Tools Bot authored 3 years ago
  
  [merge-train skip]
  View commits for tag v14.1.1-ee v14.1.1-ee
  
  f331f932
- Update changelog for 14.1.1 · 3f7205e2
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  3f7205e2
- Update Gitaly version to 14.1.1 · 8c355694
  GitLab Release Tools Bot authored 3 years ago
  
  [ci skip]
  8c355694
Jul 27, 2021

Merge branch '14-1-stable-ee-patch-1' into '14-1-stable-ee' · 074da50f
Robert Speicher authored 3 years ago
```
Prepare 14.1.1-ee release

See merge request gitlab-org/gitlab!66726
```
074da50f
Revert backfill on ci_build_trace_sections · a67a8d73
Andreas Brandl authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
```
See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66627

Changelog: other
```
a67a8d73
Merge branch 'leipert-browserslist-ugh-14-1-backport' into '14-1-stable-ee' · 860e41b9
Robert Speicher authored 3 years ago
```
Disable browserslist warning in CI jobs - 14.1 backport

See merge request gitlab-org/gitlab!66950
```
860e41b9

Disable browserslist warning in CI jobs · 40e10fa6

Lukas Eipert authored 3 years ago

browserslist throws a warning if certain dependencies are too old. As we
generally are not backporting browserslist updates, this can lead to
errors in CI. Previously we have caught the error in rake, but they have
changed the error message so it is failing again.

By simply setting the BROWSERSLIST_IGNORE_OLD_DATA env variable, we can
circumvent this issue.

40e10fa6

Configure OmniAuth to use GitLab AppLogger · 0b234f00

Drew Blessing authored 3 years ago

OmniAuth logger was not being configured properly and some logs
were being dropped. This change ensures OmniAuth log messages
are output to `application.log` and/or `application_json.log`
as appropriate depending on configuration.

Changelog: security

Unverified

0b234f00

Add permissions check to pipelines#show action · 6901d52d

Jose Ivan Vargas Lopez authored 3 years ago

This check renders a 404 in case the user trying
to access the pipeline details page doesn't have enough
permissions

Changelog: security

6901d52d

Prevent impersonation in gitlab-shell SSH certs · 82a878ba
Robert May authored 3 years ago
```
Updates the gitlab-shell version to include a security patch.

Changelog: security
```
82a878ba

Fix Protected Environment Accesses Cleanup · 0c954547

Shinya Maeda authored 3 years ago

Protected Environment Accesses were not automatically cleaned up
when a user was removed from the project membership.
Also, the leftover user/group entry in the access list
couldn't be removed manually.

This commit fixes these security related bugs.

Changelog: security
EE: true

0c954547

Jul 23, 2021

Use oauth_app id instead of uid · 9c49cbbb

Ryan Cobb authored 3 years ago

Fix to use oauth application internal id instead of uid

Changelog: security
EE: true

9c49cbbb

Merge branch 'mk-whats-new-141' into 'master' · 2e94b5e6

Doug Stull authored 3 years ago and

GitLab Release Tools Bot committed 3 years ago

Create 14.1 What's new entry

See merge request gitlab-org/gitlab!66570

(cherry picked from commit 78e23268)

52b889bb Create 14.1 What's new entry 
e0e43721 Add registration features entry

2e94b5e6

Prevent terms from being created if blank · 29e5ebe2
Mayra Cabrera authored 3 years ago and GitLab Release Tools Bot committed 3 years ago
```
See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/66437

Changelog: fixed
```
29e5ebe2

Admin message

Admin message