Add latest changes from gitlab-org/security/gitlab@13-6-stable-ee

f508fb8a · GitLab Bot · 449338db · f508fb8a · f508fb8a · 449338db
Commit f508fb8a authored Dec 07, 2020 by GitLab Bot
12 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,22 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.

+## 13.6.2 (2020-12-07)
+
+### Security (10 changes)
+
+- Validate zoom links to start with https only. !1055
+- Require at least 3 characters when searching for project in the Explore page.
+- Do not show emails of users in confirmation page.
+- Forbid setting a gitlabUserList strategy to a list from another project.
+- Fix mermaid resource consumption in GFM fields.
+- Ensure group and project memberships are not leaked via API for users with private profiles.
+- GraphQL User: do not expose email if set to private.
+- Filter search parameter to prevent data leaks.
+- Do not expose starred projects of users with private profile via API.
+- Do not show starred & contributed projects of users with private profile.
+
+
 ## 13.6.1 (2020-11-23)

 ### Fixed (5 changes)

--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
-13.6.1
\ No newline at end of file
+13.6.2
\ No newline at end of file
--- a/changelogs/unreleased/security-290-graphql-exposed-email.yml
+++ b/changelogs/unreleased/security-290-graphql-exposed-email.yml
---
-title: 'GraphQL User: do not expose email if set to private'
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-296-private_profile_exposure.yml
+++ b/changelogs/unreleased/security-296-private_profile_exposure.yml
---
-title: Ensure group and project memberships are not leaked via API for users with private profiles
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-hide-email-in-confirmation-page.yml
+++ b/changelogs/unreleased/security-hide-email-in-confirmation-page.yml
---
-title: Do not show emails of users in confirmation page
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-idor-ff-user-list.yml
+++ b/changelogs/unreleased/security-idor-ff-user-list.yml
---
-title: Forbid setting a gitlabUserList strategy to a list from another project
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-mermaid-rc-13-6.yml
+++ b/changelogs/unreleased/security-mermaid-rc-13-6.yml
---
-title: Fix mermaid resource consumption in GFM fields
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
+++ b/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
---
-title: Require at least 3 characters when searching for project in the Explore page
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-project-import-zoom-xss.yml
+++ b/changelogs/unreleased/security-project-import-zoom-xss.yml
---
-title: Validate zoom links to start with https only
-merge_request: 1055
-author:
-type: security
--- a/changelogs/unreleased/security-search-term-logged.yml
+++ b/changelogs/unreleased/security-search-term-logged.yml
---
-title: Filter search parameter to prevent data leaks
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-starred-projects-api-fix.yml
+++ b/changelogs/unreleased/security-starred-projects-api-fix.yml
---
-title: Do not expose starred projects of users with private profile via API
-merge_request:
-author:
-type: security
--- a/changelogs/unreleased/security-starred-projects-private-profile.yml
+++ b/changelogs/unreleased/security-starred-projects-private-profile.yml
---
-title: Do not show starred & contributed projects of users with private profile
-merge_request:
-author:
-type: security