Merge remote-tracking branch 'dev/master'

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
 
+## 13.2.3 (2020-08-05)
+
+- No changes.
+
 ## 13.2.2 (2020-07-29)
 
 - No changes.
@@ -372,6 +376,10 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Resolve duplicate use of shorcuts-tree. !36732
 
 
+## 13.1.6 (2020-08-05)
+
+- No changes.
+
 ## 13.1.5 (2020-07-23)
 
 ### Fixed (2 changes)
@@ -553,6 +561,14 @@ Please view this file on the master branch, on stable branches it's out of date.
 - Relocate Go models. !34338 (Ethan Reesor (@firelizzard))
 
 
+## 13.0.12 (2020-08-05)
+
+- No changes.
+
+## 13.0.11 (2020-08-05)
+
+This version has been skipped due to packaging problems.
+
 ## 13.0.10 (2020-07-09)
 
 ### Fixed (1 change)

CHANGELOG.md

@@ -2,6 +2,24 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.2.3 (2020-08-05)
+
+### Security (12 changes)
+
+- Update kramdown gem to version 2.3.0.
+- Enforce 2FA on Doorkeeper controllers.
+- Revoke OAuth grants when a user revokes an application.
+- Refresh project authorizations when transferring groups.
+- Stop excess logs from failure to send invite email when group no longer exists.
+- Verify confirmed email for OAuth Authorize POST endpoint.
+- Fix XSS in Markdown reference tooltips.
+- Fix XSS in milestone tooltips.
+- Fix xss vulnerability on jobs view.
+- Block 40-character hexadecimal branches.
+- Prevent a temporary access escalation before group memberships are recalculated when specialized project share workers are enabled.
+- Update GitLab Runner Helm Chart to 0.18.2.
+
+
 ## 13.2.2 (2020-07-29)
 
 ### Fixed (3 changes)
@@ -1029,6 +1047,23 @@ entry.
 - Remove removeIssue logic from list model. (nuwe1)
 
 
+## 13.1.6 (2020-08-05)
+
+### Security (11 changes)
+
+- Add decompressed archive size validation on Project/Group Import. !562
+- Enforce 2FA on Doorkeeper controllers.
+- Refresh project authorizations when transferring groups.
+- Stop excess logs from failure to send invite email when group no longer exists.
+- Verify confirmed email for OAuth Authorize POST endpoint.
+- Revoke OAuth grants when a user revokes an application.
+- Fix XSS in Markdown reference tooltips.
+- Fix XSS in milestone tooltips.
+- Fix xss vulnerability on jobs view.
+- Block 40-character hexadecimal branches.
+- Update GitLab Runner Helm Chart to 0.17.2.
+
+
 ## 13.1.5 (2020-07-23)
 
 - No changes.
@@ -1563,6 +1598,26 @@ entry.
 - Remove removeIssue logic from list model. (nuwe1)
 
 
+## 13.0.12 (2020-08-05)
+
+### Security (10 changes)
+
+- Add decompressed archive size validation on Project/Group Import. !562
+- Enforce 2FA on Doorkeeper controllers.
+- Refresh project authorizations when transferring groups.
+- Stop excess logs from failure to send invite email when group no longer exists.
+- Verify confirmed email for OAuth Authorize POST endpoint.
+- Revoke OAuth grants when a user revokes an application.
+- Fix XSS in Markdown reference tooltips.
+- Fix XSS in milestone tooltips.
+- Fix xss vulnerability on jobs view.
+- Block 40-character hexadecimal branches.
+
+
+## 13.0.11 (2020-08-05)
+
+This version has been skipped due to packaging problems.
+
 ## 13.0.10 (2020-07-09)
 
 ### Fixed (1 change)

changelogs/unreleased/211-update-kramdown.yml

----
-title: Update kramdown gem to version 2.3.0
-merge_request:
-author:
-type: security

changelogs/unreleased/security-195-2fa-applications-view.yml

----
-title: Enforce 2FA on Doorkeeper controllers
-merge_request:
-author:
-type: security

changelogs/unreleased/security-200-dblessing-insufficient-oauth-revocation.yml

----
-title: Revoke OAuth grants when a user revokes an application
-merge_request:
-author:
-type: security

changelogs/unreleased/security-202687-members-transfer-problem.yml

----
-title: Refresh project authorizations when transferring groups
-merge_request:
-author:
-type: security

changelogs/unreleased/security-check-group-exists-before-email.yml

----
-title: Stop excess logs from failure to send invite email when group no longer exists
-merge_request:
-author:
-type: security

changelogs/unreleased/security-dblessing-oauth-vuln-2.yml

----
-title: Verify confirmed email for OAuth Authorize POST endpoint
-merge_request:
-author:
-type: security

changelogs/unreleased/security-fix-import-decompr-issue.yml

----
-title: Add decompressed archive size validation on Project/Group Import
-merge_request: 562
-author:
-type: security

changelogs/unreleased/security-fix-xss-in-markdown-reference-tooltips.yml

----
-title: Fix XSS in Markdown reference tooltips
-merge_request:
-author:
-type: security

changelogs/unreleased/security-fix-xss-in-milestone-tooltip.yml

----
-title: Fix XSS in milestone tooltips
-merge_request:
-author:
-type: security

changelogs/unreleased/security-jobs-view-xss.yml

----
-title: Fix xss vulnerability on jobs view
-merge_request:
-author:
-type: security

changelogs/unreleased/security-rm-202690.yml

----
-title: Block 40-character hexadecimal branches
-merge_request:
-author:
-type: security

changelogs/unreleased/security-specialized_project_share_worker_to_respect_access_level.yml

----
-title: Prevent a temporary access escalation before group memberships are recalculated when specialized project share workers are enabled
-merge_request:
-author:
-type: security