Automatic merge of gitlab-org/gitlab-ce master

CHANGELOG.md

@@ -2,6 +2,23 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 12.0.3 (2019-06-27)
+
+- No changes.
+### Security (10 changes)
+
+- Persist tmp snippet uploads at users.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Add missing authorizations in GraphQL.
+- Disable Rails SQL query cache when applying service templates.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+
+
 ## 12.0.2 (2019-06-25)
 
 ### Fixed (7 changes, 1 of them is from the community)
@@ -584,6 +601,27 @@ entry.
 - Fix scrolling to top on assignee change. !29500
 
 
+## 11.10.8 (2019-06-27)
+
+- No changes.
+### Security (10 changes)
+
+- Fix Denial of Service for comments when rendering issues/MR comments.
+- Gate MR head_pipeline behind read_pipeline ability.
+- Fix DoS vulnerability in color validation regex.
+- Expose merge requests count based on user access.
+- Persist tmp snippet uploads at users.
+- Add missing authorizations in GraphQL.
+- Disable Rails SQL query cache when applying service templates.
+- Prevent Billion Laughs attack.
+- Correctly check permissions when creating snippet notes.
+- Prevent the detection of merge request templates by unauthorized users.
+
+### Performance (1 change)
+
+- Add improvements to global search of issues and merge requests. !27817
+
+
 ## 11.10.6 (2019-06-04)
 
 ### Fixed (7 changes, 1 of them is from the community)

changelogs/unreleased/security-mr-head-pipeline-leak.yml

+---
+title: Gate MR head_pipeline behind read_pipeline ability.
+merge_request:
+author:
+type: security

doc/api/project_aliases.md

@@ -68,13 +68,19 @@ Add a new alias for a project. Responds with a 201 when successful,
 POST /project_aliases
 ```
 
-| Attribute    | Type   | Required | Description                                   |
-|--------------|--------|----------|-----------------------------------------------|
-| `project_id` | string | yes      | The ID or URL-encoded path of the project.    |
-| `name`       | string | yes      | The name of the alias. Must be unique.        |
+| Attribute    | Type           | Required | Description                            |
+|--------------|----------------|----------|----------------------------------------|
+| `project_id` | integer/string | yes      | The ID or path of the project.         |
+| `name`       | string         | yes      | The name of the alias. Must be unique. |
 
 ```
-curl --request POST "https://gitlab.example.com/api/v4/project_aliases" --form "project_id=gitlab-org%2Fgitlab-ee" --form "name=gitlab-ee"
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/project_aliases" --form "project_id=1" --form "name=gitlab-ee"
+```
+
+or
+
+```
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/project_aliases" --form "project_id=gitlab-org/gitlab-ee" --form "name=gitlab-ee"
 ```
 
 Example response: