diff --git a/CHANGELOG.md b/CHANGELOG.md
index c550eccd5fc82285d408ea0f8278b573745fc5aa..f7173896a0aaec43c502e90d2358246f3ea625e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,33 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 12.1.7
+
+### Security (21 changes)
+
+- Ensure only authorised users can create notes on Merge Requests and Issues.
+- Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks.
+- Speed up regexp in namespace format by failing fast after reaching maximum namespace depth.
+- Limit the size of issuable description and comments.
+- Send TODOs for comments on commits correctly.
+- Restrict MergeRequests#test_reports to authenticated users with read-access on Builds.
+- Added image proxy to mitigate potential stealing of IP addresses.
+- Filter out old system notes for epics in notes api endpoint response.
+- Avoid exposing unaccessible repo data upon GFM post processing.
+- Fix HTML injection for label description.
+- Make sure HTML text is always escaped when replacing label/milestone references.
+- Prevent DNS rebind on JIRA service integration.
+- Use admin_group authorization in Groups::RunnersController.
+- Prevent disclosure of merge request ID via email.
+- Show cross-referenced MR-id in issues' activities only to authorized users.
+- Enforce max chars and max render time in markdown math.
+- Check permissions before responding in MergeController#pipeline_status.
+- Remove EXIF from users/personal snippet uploads.
+- Fix project import restricted visibility bypass via API.
+- Fix weak session management by clearing password reset tokens after login (username/email) are updated.
+- Fix SSRF via DNS rebinding in Kubernetes Integration.
+
+
 ## 12.1.6 ### Security (2 changes)
diff --git a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml b/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
deleted file mode 100644
index ba970162447457243ddec8920d18183b590defd8..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/ce-60465-prevent-comments-on-private-mrs.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-title: Ensure only authorised users can create notes on Merge Requests and Issues
-type: security
diff --git a/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml b/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml
deleted file mode 100644
index 55f9e36c39cda304cc5a2127b4bcdd94c475589f..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-59549-add-capcha-for-failed-logins.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add :login_recaptcha_protection_enabled setting to prevent bots from brute-force attacks.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml b/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml
deleted file mode 100644
index 962171dc6f82a241bac5ecfc155b439760176680..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-61974-limit-issue-comment-size-2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Speed up regexp in namespace format by failing fast after reaching maximum namespace depth
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-61974-limit-issue-comment-size.yml b/changelogs/unreleased/security-61974-limit-issue-comment-size.yml
deleted file mode 100644
index 6d5ef057d8303cd3e38abdd850bfc06670426f5b..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-61974-limit-issue-comment-size.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Limit the size of issuable description and comments
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-64711-fix-commit-todos.yml b/changelogs/unreleased/security-64711-fix-commit-todos.yml
deleted file mode 100644
index ce4b3cdeeaf8f67677e801fbb2253d49833c0a07..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-64711-fix-commit-todos.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Send TODOs for comments on commits correctly
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ci-metrics-permissions.yml b/changelogs/unreleased/security-ci-metrics-permissions.yml
deleted file mode 100644
index 51c6493442a0a2c122ba02ac05b93bd2c0758317..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-ci-metrics-permissions.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Restrict MergeRequests#test_reports to authenticated users with read-access
- on Builds
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-enable-image-proxy.yml b/changelogs/unreleased/security-enable-image-proxy.yml
deleted file mode 100644
index 88b49ffd9e88a36fbb9207e4f68ad683359e8b75..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-enable-image-proxy.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Added image proxy to mitigate potential stealing of IP addresses
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml b/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml
deleted file mode 100644
index c639098721e479260a1ce7130e0a5f9a667426dc..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-epic-notes-api-reveals-historical-info-ce-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filter out old system notes for epics in notes api endpoint response
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-exposed-default-branch.yml b/changelogs/unreleased/security-exposed-default-branch.yml
deleted file mode 100644
index bf32617ee8adee7ad3116c1c18fe29b8d93f85ee..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-exposed-default-branch.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Avoid exposing unaccessible repo data upon GFM post processing
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml b/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
deleted file mode 100644
index 07124ac399bc206c6e5b3141d5c7748660f95e74..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-html-injection-for-label-description-ce-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix HTML injection for label description
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-markdown-xss.yml b/changelogs/unreleased/security-fix-markdown-xss.yml
deleted file mode 100644
index 7ef19f13fd51f6024533b5c613fffcc361a9c542..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix-markdown-xss.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make sure HTML text is always escaped when replacing label/milestone references.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml b/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml
deleted file mode 100644
index 25518dd2d05afd5fa4cbaafe4c15dca42c75d6b3..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-fix_jira_ssrf_vulnerability.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent DNS rebind on JIRA service integration
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-group-runners-permissions.yml b/changelogs/unreleased/security-group-runners-permissions.yml
deleted file mode 100644
index 6c74be30b6de9154da7daca3131d3aa4be0c2442..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-group-runners-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Use admin_group authorization in Groups::RunnersController
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml b/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml
deleted file mode 100644
index cd8c9590a702fe2a46515c776c1da5a4fb713650..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-hide_merge_request_ids_on_emails.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent disclosure of merge request ID via email
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml b/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml
deleted file mode 100644
index 0fa5f89e2c069193175c94e52055488079413f25..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-id-filter-timeline-activities-for-guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Show cross-referenced MR-id in issues' activities only to authorized users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-katex-dos-12-1.yml b/changelogs/unreleased/security-katex-dos-12-1.yml
deleted file mode 100644
index df803a5eafdd61c709a8ae642caea140fac620f7..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-katex-dos-12-1.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Enforce max chars and max render time in markdown math
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mr-head-pipeline-leak.yml b/changelogs/unreleased/security-mr-head-pipeline-leak.yml
deleted file mode 100644
index b15b353ff41bdf128af2c552d8c90543af774960..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-mr-head-pipeline-leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Check permissions before responding in MergeController#pipeline_status
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-personal-snippets.yml b/changelogs/unreleased/security-personal-snippets.yml
deleted file mode 100644
index 95f61993b9863d0c1e25a0e39a20c7eb7d3552e2..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-personal-snippets.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Remove EXIF from users/personal snippet uploads.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-project-import-bypass.yml b/changelogs/unreleased/security-project-import-bypass.yml
deleted file mode 100644
index fc7b823509ccac284ca9fe336cb52315878886c6..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-project-import-bypass.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix project import restricted visibility bypass via API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml
deleted file mode 100644
index a37a309951964760fb3fbad75a0accec99d228c4..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Fix weak session management by clearing password reset tokens after login (username/email)
- are updated
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-kubernetes-dns.yml b/changelogs/unreleased/security-ssrf-kubernetes-dns.yml
deleted file mode 100644
index 4d6335e4b08011716eb2b631b8908bf647282efe..0000000000000000000000000000000000000000
--- a/changelogs/unreleased/security-ssrf-kubernetes-dns.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix SSRF via DNS rebinding in Kubernetes Integration
-merge_request:
-author:
-type: security