Update CHANGELOG.md for 12.9.1

[ci skip]
parent f06671c8
......@@ -2,6 +2,32 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
## 12.9.1 (2020-03-26)
### Security (16 changes)
- Add permission check for pipeline status of MR.
- Ignore empty remote_id params from Workhorse accelerated uploads.
- External user can not create personal snippet through API.
- Prevent malicious entry for group name.
- Restrict mirroring changes to admins only when mirroring is disabled.
- Reject all container registry requests from blocked users.
- Deny localhost requests on fogbugz importer.
- Redact notes in moved confidential issues.
- Fix UploadRewriter Path Traversal vulnerability.
- Block hotlinking to repository archives.
- Restrict access to project pipeline metrics reports.
- vulnerability_feedback records should be restricted to a dev role and above.
- Exclude Carrierwave remote URL methods from import.
- Update Nokogiri to fix CVE-2020-7595.
- Prevent updating trigger by other maintainers.
- Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown.
### Fixed (1 change)
- Fix updating the authorized_keys file. !27798
## 12.9.0 (2020-03-22)
### Security (1 change)
......
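Review bot: Two entries in the 12.9.1 Security list do not say what was changed. "External user can not create personal snippet through API." reads as a statement about behaviour rather than a fix, and "vulnerability_feedback records should be restricted to a dev role and above." states an intention and starts in lowercase. Rewording both in the imperative used by the neighbouring entries (for example "Prevent external users from creating personal snippets through the API.") would keep the list consistent. "Prevent malicious entry for group name." also gives no hint of the issue class, unlike the path traversal and XSS entries, so an administrator triaging this release cannot tell what it covers.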
---
title: Fix updating the authorized_keys file
merge_request: 27798
author:
type: fixed
---
title: Redact notes in moved confidential issues
merge_request:
author:
type: security
---
title: Ignore empty remote_id params from Workhorse accelerated uploads
merge_request:
author:
type: security
---
title: External user can not create personal snippet through API
merge_request:
author:
type: security
---
title: Prevent malicious entry for group name
merge_request:
author:
type: security
---
title: Restrict mirroring changes to admins only when mirroring is disabled
merge_request:
author:
type: security
---
title: Reject all container registry requests from blocked users
merge_request:
author:
type: security
---
title: Deny localhost requests on fogbugz importer
merge_request:
author:
type: security
---
title: Add permission check for pipeline status of MR
merge_request:
author:
type: security
---
title: Fix UploadRewriter Path Traversal vulnerability
merge_request:
author:
type: security
---
title: Block hotlinking to repository archives
merge_request:
author:
type: security
---
title: Restrict access to project pipeline metrics reports
merge_request:
author:
type: security
---
title: vulnerability_feedback records should be restricted to a dev role and above
merge_request:
author:
type: security
---
title: Exclude Carrierwave remote URL methods from import
merge_request:
author:
type: security
---
title: Update Nokogiri to fix CVE-2020-7595
merge_request:
author:
type: security
---
title: Prevent updating trigger by other maintainers
merge_request:
author:
type: security
---
title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
merge_request:
author:
type: security
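Review bot: Every `type: security` entry here leaves `merge_request:` empty, so the 16 Security lines in CHANGELOG.md carry no `!` reference, while the single `type: fixed` entry (`merge_request: 27798`) does. If those merge requests cannot be referenced publicly, say so in the commit message; otherwise fill in the field so each fix can be traced to its change. Only "Update Nokogiri to fix CVE-2020-7595" names an identifier a reader can look up.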