From 2f70f228973da802c87bfab815aed6f86bfbe3e4 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 2 Nov 2020 09:37:30 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee
---
 CHANGELOG.md | 15 +++++++++++++++
 GITALY_SERVER_VERSION | 2 +-
 ...io-multipart-check-brackets-balance-in-param-names.yml | 5 -----
 .../security-10io-validate-nuget-package-name.yml | 5 -----
 changelogs/unreleased/security-255886.yml | 5 -----
 .../unreleased/security-container-regex-backtrack.yml | 5 -----
 ...ity-fix-terraform-state-exposed-object-storage-url.yml | 5 -----
 .../unreleased/security-kubernetes-agent-internal-api.yml | 5 -----
 .../unreleased/security-runner-csrf-milestone-13-6.yml | 5 -----
 .../unreleased/security-stored-xss-build-dependencies.yml | 5 -----
 ...uthorized-access-schedule-variables-milestone-13-6.yml | 5 -----
 11 files changed, 16 insertions(+), 46 deletions(-)
 delete mode 100644 changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml
 delete mode 100644 changelogs/unreleased/security-10io-validate-nuget-package-name.yml
 delete mode 100644 changelogs/unreleased/security-255886.yml
 delete mode 100644 changelogs/unreleased/security-container-regex-backtrack.yml
 delete mode 100644 changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
 delete mode 100644 changelogs/unreleased/security-kubernetes-agent-internal-api.yml
 delete mode 100644 changelogs/unreleased/security-runner-csrf-milestone-13-6.yml
 delete mode 100644 changelogs/unreleased/security-stored-xss-build-dependencies.yml
 delete mode 100644 changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe68016cbb3..af3c353b184 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,21 @@
 documentation](doc/development/changelog.md) for instructions on adding your own entry.
 
 
+## 13.3.9 (2020-11-02)
+
+### Security (9 changes)
+
+- Add CSRF protection to runner pause and resume. !1021
+- Do not expose Terraform state record in API.
+- Path traversal to RCE via LFS upload.
+- Update container_repository_name_regex to prevent catastrophic backtracking.
+- Validate nuget package names.
+- Prevent private repo from being accessed via internal Kubernetes API.
+- Validate each upload param key in multipart.rb.
+- Fix XSS vulnerability for job build dependencies.
+- Fix unauthorized user is able to access schedule pipeline variables and values.
+
+
 ## 13.3.8 (2020-10-21)
 
 ### Fixed (2 changes)
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 176df6ffec5..4feaa4d3ce1 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-13.3.8
\ No newline at end of file
+13.3.9
\ No newline at end of file
diff --git a/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml b/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml
deleted file mode 100644
index e0d1a4e535d..00000000000
--- a/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate each upload param key in multipart.rb
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-10io-validate-nuget-package-name.yml b/changelogs/unreleased/security-10io-validate-nuget-package-name.yml
deleted file mode 100644
index aaf30711868..00000000000
--- a/changelogs/unreleased/security-10io-validate-nuget-package-name.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Validate nuget package names
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-255886.yml b/changelogs/unreleased/security-255886.yml
deleted file mode 100644
index 8fe8da59444..00000000000
--- a/changelogs/unreleased/security-255886.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Path traversal to RCE via LFS upload
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-container-regex-backtrack.yml b/changelogs/unreleased/security-container-regex-backtrack.yml
deleted file mode 100644
index c88fd526d47..00000000000
--- a/changelogs/unreleased/security-container-regex-backtrack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update container_repository_name_regex to prevent catastrophic backtracking
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml b/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
deleted file mode 100644
index 1e37aed6ca0..00000000000
--- a/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Do not expose Terraform state record in API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-kubernetes-agent-internal-api.yml b/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
deleted file mode 100644
index 9ed192e90cc..00000000000
--- a/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent private repo from being accessed via internal Kubernetes API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml b/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml
deleted file mode 100644
index 4b661ecfdc9..00000000000
--- a/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add CSRF protection to runner pause and resume
-merge_request: 1021
-author:
-type: security
diff --git a/changelogs/unreleased/security-stored-xss-build-dependencies.yml b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
deleted file mode 100644
index a5ce2bd0158..00000000000
--- a/changelogs/unreleased/security-stored-xss-build-dependencies.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability for job build dependencies
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml b/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
deleted file mode 100644
index fc6702f8067..00000000000
--- a/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix unauthorized user is able to access schedule pipeline variables and values
-merge_request:
-author:
-type: security
-- cgit v1.2.1