Add latest changes from gitlab-org/security/gitlab@13-5-stable-ee

187cae1b · GitLab Bot · d79daf5b · 187cae1b · 187cae1b · d79daf5b
Commit 187cae1b authored Nov 02, 2020 by GitLab Bot
11 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,21 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 13.5.2 (2020-11-02)
+
+### Security (9 changes)
+
+- Add CSRF protection to runner pause and resume. !1021
+- Do not expose Terraform state record in API.
+- Path traversal to RCE via LFS upload.
+- Update container_repository_name_regex to prevent catastrophic backtracking.
+- Validate nuget package names.
+- Prevent private repo from being accessed via internal Kubernetes API.
+- Validate each upload param key in multipart.rb.
+- Fix XSS vulnerability for job build dependencies.
+- Fix unauthorized user is able to access schedule pipeline variables and values.
+
+
 ## 13.5.1 (2020-10-22)

 ### Other (1 change)

--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-13.5.1
\ No newline at end of file
+13.5.2
\ No newline at end of file
--- a/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml
+++ b/changelogs/unreleased/security-10io-multipart-check-brackets-balance-in-param-names.yml
---
-title: Validate each upload param key in multipart.rb
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-10io-validate-nuget-package-name.yml
+++ b/changelogs/unreleased/security-10io-validate-nuget-package-name.yml
---
-title: Validate nuget package names
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-255886.yml
+++ b/changelogs/unreleased/security-255886.yml
---
-title: Path traversal to RCE via LFS upload
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-container-regex-backtrack.yml
+++ b/changelogs/unreleased/security-container-regex-backtrack.yml
---
-title: Update container_repository_name_regex to prevent catastrophic backtracking
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
+++ b/changelogs/unreleased/security-fix-terraform-state-exposed-object-storage-url.yml
---
-title: Do not expose Terraform state record in API
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
+++ b/changelogs/unreleased/security-kubernetes-agent-internal-api.yml
---
-title: Prevent private repo from being accessed via internal Kubernetes API
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml
+++ b/changelogs/unreleased/security-runner-csrf-milestone-13-6.yml
---
-title: Add CSRF protection to runner pause and resume
-merge_request: 1021
-author:
-type: security
--- a/changelogs/unreleased/security-stored-xss-build-dependencies.yml
+++ b/changelogs/unreleased/security-stored-xss-build-dependencies.yml
---
-title: Fix XSS vulnerability for job build dependencies
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
+++ b/changelogs/unreleased/security-unauthorized-access-schedule-variables-milestone-13-6.yml
---
-title: Fix unauthorized user is able to access schedule pipeline variables and values
-merge_request:
-author:
-type: security