Update CHANGELOG.md for 11.5.6

[ci skip]
parent f6d8c63b
......@@ -2,6 +2,33 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 11.5.6 (2018-12-28)
### Security (17 changes)
- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2741
- Validate LFS hrefs before downloading them.
- Ensure that build token is only used when running.
- Add subresources removal to member destroy service.
- Prevent a path traversal attack on global file templates.
- Allow changing group CI/CD settings only for owners.
- Authorize before reading job information via API.
- Prevent leaking protected variables for ambiguous refs.
- Escape html entities in LabelReferenceFilter when no label found.
- Prevent private snippets from being embeddable.
- Issuable no longer is visible to users when project can't be viewed.
- Don't expose cross project repositories through diffs when creating merge reqeusts.
- Fix SSRF with import_url and remote mirror url.
- Fix persistent symlink in project import.
- Set URL rel attribute for broken URLs.
- Project guests no longer are able to see refs page.
- Delete confidential todos for user when downgraded to Guest.
### Other (1 change)
- Fix due date test. !23845
## 11.5.5 (2018-12-20)
### Security (1 change)
......
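Review bot: In the 11.5.6 Security list, the entry "Don't expose cross project repositories through diffs when creating merge reqeusts." misspells "requests"; the same misspelling appears in the corresponding entry title later on this page, so it should be corrected in CHANGELOG.md itself. Only the first of the 17 security entries carries a merge request reference (!2741), which leaves anyone triaging this release with no way to trace the other 16 fixes from the changelog; consider adding references where they can be published. Minor style point: "Escape html entities in LabelReferenceFilter" should capitalise "HTML".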
---
title: Escape html entities in LabelReferenceFilter when no label found
merge_request:
author:
type: security
---
title: Prevent a path traversal attack on global file templates
merge_request:
author:
type: security
---
title: Ensure that build token is only used when running
merge_request:
author:
type: security
---
title: Add subresources removal to member destroy service
merge_request:
author:
type: security
---
title: Escape label and milestone titles to prevent XSS in GFM autocomplete
merge_request: 2741
author:
type: security
---
title: Allow changing group CI/CD settings only for owners.
merge_request:
author:
type: security
---
title: Authorize before reading job information via API.
merge_request:
author:
type: security
---
title: Prevent leaking protected variables for ambiguous refs.
merge_request:
author:
type: security
---
title: Validate LFS hrefs before downloading them
merge_request:
author:
type: security
---
title: Prevent private snippets from being embeddable
merge_request:
author:
type: security
---
title: Issuable no longer is visible to users when project can't be viewed
merge_request:
author:
type: security
---
title: Don't expose cross project repositories through diffs when creating merge reqeusts
merge_request:
author:
type: security
---
title: Fix SSRF with import_url and remote mirror url
merge_request:
author:
type: security
---
title: Fix persistent symlink in project import
merge_request:
author:
type: security
---
title: Set URL rel attribute for broken URLs.
merge_request:
author:
type: security
---
title: Project guests no longer are able to see refs page
merge_request:
author:
type: security
---
title: Delete confidential todos for user when downgraded to Guest
merge_request:
author:
type: security