summaryrefslogtreecommitdiff
path: root/changelogs/unreleased
diff options
context:
space:
mode:
Diffstat (limited to 'changelogs/unreleased')
-rw-r--r--changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml6
-rw-r--r--changelogs/unreleased/51971-milestones-visibility.yml5
-rw-r--r--changelogs/unreleased/57534_filter_impersonated_sessions.yml6
-rw-r--r--changelogs/unreleased/security-2797-milestone-mrs.yml5
-rw-r--r--changelogs/unreleased/security-2798-fix-boards-policy.yml5
-rw-r--r--changelogs/unreleased/security-2799-emails.yml5
-rw-r--r--changelogs/unreleased/security-50334.yml5
-rw-r--r--changelogs/unreleased/security-55468-check-validity-before-querying.yml5
-rw-r--r--changelogs/unreleased/security-56348.yml5
-rw-r--r--changelogs/unreleased/security-commit-private-related-mr.yml5
-rw-r--r--changelogs/unreleased/security-fj-diff-import-file-read-fix.yml5
-rw-r--r--changelogs/unreleased/security-id-restricted-access-to-private-repo.yml5
-rw-r--r--changelogs/unreleased/security-issue_54789_2.yml5
-rw-r--r--changelogs/unreleased/security-kubernetes-google-login-csrf.yml5
-rw-r--r--changelogs/unreleased/security-kubernetes-local-ssrf.yml5
-rw-r--r--changelogs/unreleased/security-mermaid.yml5
-rw-r--r--changelogs/unreleased/security-osw-stop-linking-to-packages.yml5
-rw-r--r--changelogs/unreleased/security-protect-private-repo-information.yml5
-rw-r--r--changelogs/unreleased/security-shared-project-private-group.yml5
-rw-r--r--changelogs/unreleased/security-tags-oracle.yml5
20 files changed, 102 insertions, 0 deletions
diff --git a/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml b/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml
new file mode 100644
index 00000000000..27ad151cd06
--- /dev/null
+++ b/changelogs/unreleased/2802-security-add-public-internal-groups-as-members-to-your-project-idor.yml
@@ -0,0 +1,6 @@
+---
+title: Remove the possibility to share a project with a group that a user is not a member
+ of
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/51971-milestones-visibility.yml b/changelogs/unreleased/51971-milestones-visibility.yml
new file mode 100644
index 00000000000..818f0071e6c
--- /dev/null
+++ b/changelogs/unreleased/51971-milestones-visibility.yml
@@ -0,0 +1,5 @@
+---
+title: Check if desired milestone for an issue is available
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/57534_filter_impersonated_sessions.yml b/changelogs/unreleased/57534_filter_impersonated_sessions.yml
new file mode 100644
index 00000000000..80aea0ab1bc
--- /dev/null
+++ b/changelogs/unreleased/57534_filter_impersonated_sessions.yml
@@ -0,0 +1,6 @@
+---
+title: Do not display impersonated sessions under active sessions and remove ability
+ to revoke session
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2797-milestone-mrs.yml b/changelogs/unreleased/security-2797-milestone-mrs.yml
new file mode 100644
index 00000000000..5bb104ec403
--- /dev/null
+++ b/changelogs/unreleased/security-2797-milestone-mrs.yml
@@ -0,0 +1,5 @@
+---
+title: Show only merge requests visible to user on milestone detail page
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2798-fix-boards-policy.yml b/changelogs/unreleased/security-2798-fix-boards-policy.yml
new file mode 100644
index 00000000000..10e8ac3a787
--- /dev/null
+++ b/changelogs/unreleased/security-2798-fix-boards-policy.yml
@@ -0,0 +1,5 @@
+---
+title: Disable issue boards API when issues are disabled
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-2799-emails.yml b/changelogs/unreleased/security-2799-emails.yml
new file mode 100644
index 00000000000..dbf1207810e
--- /dev/null
+++ b/changelogs/unreleased/security-2799-emails.yml
@@ -0,0 +1,5 @@
+---
+title: Don't show new issue link after move when a user does not have permissions
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-50334.yml b/changelogs/unreleased/security-50334.yml
new file mode 100644
index 00000000000..828ef82b517
--- /dev/null
+++ b/changelogs/unreleased/security-50334.yml
@@ -0,0 +1,5 @@
+---
+title: Fix git clone revealing private repo's presence
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-55468-check-validity-before-querying.yml b/changelogs/unreleased/security-55468-check-validity-before-querying.yml
new file mode 100644
index 00000000000..8bb11a97f52
--- /dev/null
+++ b/changelogs/unreleased/security-55468-check-validity-before-querying.yml
@@ -0,0 +1,5 @@
+---
+title: Fix blind SSRF in Prometheus integration by checking URL before querying
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-56348.yml b/changelogs/unreleased/security-56348.yml
new file mode 100644
index 00000000000..a289e4e9077
--- /dev/null
+++ b/changelogs/unreleased/security-56348.yml
@@ -0,0 +1,5 @@
+---
+title: Check snippet attached file to be moved is within designated directory
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-commit-private-related-mr.yml b/changelogs/unreleased/security-commit-private-related-mr.yml
new file mode 100644
index 00000000000..c4de200b0d8
--- /dev/null
+++ b/changelogs/unreleased/security-commit-private-related-mr.yml
@@ -0,0 +1,5 @@
+---
+title: Don't allow non-members to see private related MRs.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml b/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml
new file mode 100644
index 00000000000..e98d4e89712
--- /dev/null
+++ b/changelogs/unreleased/security-fj-diff-import-file-read-fix.yml
@@ -0,0 +1,5 @@
+---
+title: Fix arbitrary file read via diffs during import
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml b/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml
new file mode 100644
index 00000000000..7d7478d297b
--- /dev/null
+++ b/changelogs/unreleased/security-id-restricted-access-to-private-repo.yml
@@ -0,0 +1,5 @@
+---
+title: Forbid creating discussions for users with restricted access
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-issue_54789_2.yml b/changelogs/unreleased/security-issue_54789_2.yml
new file mode 100644
index 00000000000..8ecb72a2ae3
--- /dev/null
+++ b/changelogs/unreleased/security-issue_54789_2.yml
@@ -0,0 +1,5 @@
+---
+title: Do not disclose milestone titles for unauthorized users
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-kubernetes-google-login-csrf.yml b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
new file mode 100644
index 00000000000..2f87100a8dd
--- /dev/null
+++ b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml
@@ -0,0 +1,5 @@
+---
+title: Validate session key when authorizing with GCP to create a cluster
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-kubernetes-local-ssrf.yml b/changelogs/unreleased/security-kubernetes-local-ssrf.yml
new file mode 100644
index 00000000000..7a2ad092339
--- /dev/null
+++ b/changelogs/unreleased/security-kubernetes-local-ssrf.yml
@@ -0,0 +1,5 @@
+---
+title: Block local URLs for Kubernetes integration
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-mermaid.yml b/changelogs/unreleased/security-mermaid.yml
new file mode 100644
index 00000000000..ec42b5a1615
--- /dev/null
+++ b/changelogs/unreleased/security-mermaid.yml
@@ -0,0 +1,5 @@
+---
+title: Limit mermaid rendering to 5K characters
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-osw-stop-linking-to-packages.yml b/changelogs/unreleased/security-osw-stop-linking-to-packages.yml
new file mode 100644
index 00000000000..078f06140fe
--- /dev/null
+++ b/changelogs/unreleased/security-osw-stop-linking-to-packages.yml
@@ -0,0 +1,5 @@
+---
+title: Stop linking to unrecognized package sources
+merge_request: 55518
+author:
+type: security
diff --git a/changelogs/unreleased/security-protect-private-repo-information.yml b/changelogs/unreleased/security-protect-private-repo-information.yml
new file mode 100644
index 00000000000..8b1a528206d
--- /dev/null
+++ b/changelogs/unreleased/security-protect-private-repo-information.yml
@@ -0,0 +1,5 @@
+---
+title: Fix leaking private repository information in API
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-shared-project-private-group.yml b/changelogs/unreleased/security-shared-project-private-group.yml
new file mode 100644
index 00000000000..3b21daa5491
--- /dev/null
+++ b/changelogs/unreleased/security-shared-project-private-group.yml
@@ -0,0 +1,5 @@
+---
+title: Fixed ability to see private groups by users not belonging to given group
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-tags-oracle.yml b/changelogs/unreleased/security-tags-oracle.yml
new file mode 100644
index 00000000000..eb8ad6f646c
--- /dev/null
+++ b/changelogs/unreleased/security-tags-oracle.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent releases links API to leak tag existance
+merge_request:
+author:
+type: security
View Lorry Controller Status