Automatic merge of gitlab-org/gitlab-ce master

755884fd · GitLab Bot · fad2e6c4 · 9b06890d · 755884fd · 755884fd
Commit 755884fd authored Jul 03, 2019 by GitLab Bot
Showing with 54 additions and 5 deletions

CHANGELOG.md CHANGELOG.md +38 -0

changelogs/unreleased/security-mr-head-pipeline-leak.yml changelogs/unreleased/security-mr-head-pipeline-leak.yml +5 -0

doc/api/project_aliases.md doc/api/project_aliases.md +11 -5

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,23 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 12.0.3 (2019-06-27)
+
+- No changes.
+### Security (10 changes)
+
+- Persist tmp snippet uploads at users.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Add missing authorizations in GraphQL.
+- Disable Rails SQL query cache when applying service templates.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+
+
 ## 12.0.2 (2019-06-25)

 ### Fixed (7 changes, 1 of them is from the community)
@@ -584,6 +601,27 @@ entry.
 - Fix scrolling to top on assignee change. !29500


+## 11.10.8 (2019-06-27)
+
+- No changes.
+### Security (10 changes)
+
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Persist tmp snippet uploads at users.
+- Add missing authorizations in GraphQL.
+- Disable Rails SQL query cache when applying service templates.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+
+### Performance (1 change)
+
+- Add improvements to global search of issues and merge requests. !27817
+
+
 ## 11.10.6 (2019-06-04)

 ### Fixed (7 changes, 1 of them is from the community)

--- a/changelogs/unreleased/security-mr-head-pipeline-leak.yml
+++ b/changelogs/unreleased/security-mr-head-pipeline-leak.yml
+---
+title: Gate MR head_pipeline behind read_pipeline ability.
+merge_request:
+author:
+type: security
--- a/doc/api/project_aliases.md
+++ b/doc/api/project_aliases.md
@@ -68,13 +68,19 @@ Add a new alias for a project. Responds with a 201 when successful,
 POST /project_aliases
 ```

-| Attribute    | Type   | Required | Description                                   |
-|--------------|--------|----------|-----------------------------------------------|
-| `project_id` | string | yes      | The ID or URL-encoded path of the project.    |
-| `name`       | string | yes      | The name of the alias. Must be unique.        |
+| Attribute    | Type           | Required | Description                            |
+|--------------|----------------|----------|----------------------------------------|
+| `project_id` | integer/string | yes      | The ID or path of the project.         |
+| `name`       | string         | yes      | The name of the alias. Must be unique. |

 ```
-curl --request POST "https://gitlab.example.com/api/v4/project_aliases" --form "project_id=gitlab-org%2Fgitlab-ee" --form "name=gitlab-ee"
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/project_aliases" --form "project_id=1" --form "name=gitlab-ee"
+```
+
+or
+
+```
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/project_aliases" --form "project_id=gitlab-org/gitlab-ee" --form "name=gitlab-ee"
 ```

 Example response: