Commit d6407d4e authored by Jose Ivan Vargas's avatar Jose Ivan Vargas

Update CHANGELOG.md for 9.3.11

[ci skip]
parent c5c3d701
......@@ -453,6 +453,22 @@ entry.
- Log rescued exceptions to Sentry.
- Remove remaining N+1 queries in merge requests API with emojis and labels.
## 9.3.11 (2017-09-06)
- [SECURITY] Upgrade mail and nokogiri gems due to security issues. !13662 (Markus Koller)
- [SECURITY] Prevent a persistent XSS in the commit author block.
- Improve support for external issue references. !12485
- Use uploads/system directory for personal snippets.
- Remove uploads/appearance symlink. A leftover from a previous migration.
- Fix XSS issue in go-get handling.
- Fix an infinite loop when handling user-supplied regular expressions.
- Fixes race condition in project uploads.
- Fixes race condition in project uploads.
- Disallow arbitrary properties in `th` and `td` `style` attributes.
- Resolve CSRF token leakage via pathname manipulation on environments page.
- Disallow the `name` attribute on all user-provided markup.
- Renders 404 if given project is not readable by the user on Todos dashboard.
## 9.3.10 (2017-08-09)
- Remove hidden symlinks from project import files.
......
---
title: Upgrade mail and nokogiri gems due to security issues
merge_request: 13662
author: Markus Koller
type: security
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment