[ci skip]

Display only information visible to current user on Milestone detail

See merge request gitlab/gitlabhq!2918

Display only labels and assignees of issues
visible by the currently logged user
Display only issues visible to user in the burndown chart

Display the correct number of MRs a user has access to

See merge request gitlab/gitlabhq!2928

Filter impersonated sessions from active sessions and remove ability to revoke session

See merge request gitlab/gitlabhq!2982

Forbid creating discussions for users with restricted access

See merge request gitlab/gitlabhq!2891

Check issue milestone availability

See merge request gitlab/gitlabhq!2905

Prevent Releases links API to leak tag existence

See merge request gitlab/gitlabhq!2909

Disable issue board policies when issues are disabled

See merge request gitlab/gitlabhq!2911

Show only MRs visible to user on milestone detail

See merge request gitlab/gitlabhq!2924

Don't allow non-members to see private related MRs

See merge request gitlab/gitlabhq!2931

Validate session key when authorizing with GCP to create a cluster

See merge request gitlab/gitlabhq!2935

Fix git clone revealing private repo's presence

See merge request gitlab/gitlabhq!2939

Check snippet attached file to be moved is within designated directory

See merge request gitlab/gitlabhq!2942

Fix blind SSRF in Prometheus Integration

See merge request gitlab/gitlabhq!2945

Check validity before querying so that if the dns entry for the api_url
has been changed to something invalid after the model was saved and
checked for validity, it will not query. This is to solve a toctou
(time of check to time of use) issue.

Fix leaking private repository information in API

See merge request gitlab/gitlabhq!2949

Arbitrary file read via MergeRequestDiff

See merge request gitlab/gitlabhq!2952

Remove link after issue move when no permissions

See merge request gitlab/gitlabhq!2956

Block local URLs for Kubernetes integration

See merge request gitlab/gitlabhq!2960

Merge branch 'security-add-public-internal-groups-as-members-to-your-project-idor-11-7' into '11-7-stable'

Add public/internal groups as members to your Project(IDOR)

See merge request gitlab/gitlabhq!2963

Catch possible Addressable::URI::InvalidURIError

See merge request gitlab/gitlabhq!2967

Stop linking to unrecognized package sources

See merge request gitlab/gitlabhq!2970

[11.7] Prevent disclosing project milestone titles

See merge request gitlab/gitlabhq!2974

Limit number of characters allowed in mermaidjs

See merge request gitlab/gitlabhq!2979

Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.

Prevent unauthorized users having access to milestone titles
through autocomplete endpoint.

Use existing `public_url` validation to block various local urls. Note
that this validation will allow local urls if the "Allow requests to the
local network from hooks and services" admin setting is enabled.

Block KubeClient from using local addresses

It will also respect `allow_local_requests_from_hooks_and_services` so
if that is enabled KubeClinet will allow local addresses

Previously one could move any temp/ sub folder around.

Align spec with actual usage, as currently we pass temp file path to
FileMover.

Don't show new issue link after move
when a user does not have permissions
to display the new issue