- Jul 27, 2023
Steve Abrams authored
Update gitlab-qa gem to v10.3.0.1
See merge request !127699
Merged-by: Steve Abrams <sabrams@gitlab.com>
Approved-by: Steve Abrams <sabrams@gitlab.com>
Co-authored-by: Andrejs Cunskis <acunskis@gitlab.com>
-
GitLab Release Tools Bot authored
[merge-train skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
Steve Abrams authored
Cherry-pick danger fixes into 15.11
See merge request !127680
Merged-by: Steve Abrams <sabrams@gitlab.com>
Approved-by: Steve Abrams <sabrams@gitlab.com>
Co-authored-by: Lin Jen-Shin <jen-shin@gitlab.com>
Co-authored-by: Jennifer Li <jli@gitlab.com>
-
Adjust stable branch logic for package-and-test
See merge request !118668
Merged-by: Jennifer Li <jli@gitlab.com>
Approved-by: Steve Abrams <sabrams@gitlab.com>
Approved-by: Jennifer Li <jli@gitlab.com>
Reviewed-by: Mayra Cabrera <mcabrera@gitlab.com>
Reviewed-by: Steve Abrams <sabrams@gitlab.com>
Co-authored-by: Mayra Cabrera <mcabrera@gitlab.com>
-
Steve Abrams authored
Disable IAT verification by default
See merge request !127520
Merged-by: Steve Abrams <sabrams@gitlab.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Approved-by: Andrejs Cunskis <acunskis@gitlab.com>
Approved-by: Steve Abrams <sabrams@gitlab.com>
Reviewed-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Stan Hu <stanhu@gmail.com>
-
Andrejs Cunskis authored
-
- Jul 25, 2023
Stan Hu authored
!117468 in GitLab 15.11 updated the ruby-jwt gem to v2.5.0. In v2.2.0, ruby-jwt removed the `iat_leeway` parameter (https://github.com/jwt/ruby-jwt/pull/274). As a result, if a gitlab-shell host creates a JWT token with an issued-at (IAT) claim that is slightly behind the host handling the API request, users will receive a 401 error.
Disable this IAT verification by default since it's not serving a useful purpose, since expiration times are already validated. We already made a similar change in Geo.
Relates to #417543
Changelog: fixed
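To make the failure mode in this commit message concrete, here is an added example (not GitLab's or ruby-jwt's code) that issues and verifies an HS256 JWT using only the Ruby standard library. The verifier reproduces the behaviour described above: `exp` is checked with a leeway, while `iat` is rejected outright whenever it is later than the verifier's clock, which is what ruby-jwt does once `iat_leeway` is gone. The shared secret, the two-second skew between the issuing and verifying hosts, and all function and class names are constructed for the illustration.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Minimal HS256 JWT issue/verify round trip on the Ruby standard library.
# Added example, not GitLab's or ruby-jwt's code. It mirrors the behaviour
# the commit message describes: an `iat` later than the verifier's clock is
# rejected with no leeway, while `exp` keeps a configurable leeway.

# Hypothetical secret shared by the issuing (gitlab-shell) and verifying (API) hosts.
SECRET = 'constructed-shared-secret'.freeze
# Constructed clock skew: the issuing host runs this many seconds ahead.
SKEW_SECONDS = 2

class InvalidIatError < StandardError; end
class ExpiredSignatureError < StandardError; end
class VerificationError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hmac_sha256(secret, data)
  OpenSSL::HMAC.digest('SHA256', secret, data)
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def encode_jwt(payload, secret)
  header = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(hmac_sha256(secret, signing_input))}"
end

# Verifies the signature, exp and (optionally) iat, returning the payload.
#   now:        the verifier's clock, injected so host skew can be simulated
#   verify_iat: when true, an iat later than `now` fails with no tolerance
#   leeway:     seconds of tolerance applied to exp only
def decode_jwt(token, secret, now:, verify_iat:, leeway: 0)
  header_b64, body_b64, sig_b64 = token.split('.')
  raise VerificationError, 'malformed token' unless header_b64 && body_b64 && sig_b64

  expected = hmac_sha256(secret, "#{header_b64}.#{body_b64}")
  raise VerificationError, 'bad signature' unless secure_equal?(expected, Base64.urlsafe_decode64(sig_b64))

  payload = JSON.parse(Base64.urlsafe_decode64(body_b64))
  raise VerificationError, 'malformed token' unless payload.is_a?(Hash)

  if payload.key?('exp') && payload['exp'].to_f < now.to_f - leeway
    raise ExpiredSignatureError, 'token has expired'
  end

  if verify_iat && payload.key?('iat')
    iat = payload['iat']
    raise InvalidIatError, 'iat is in the future' unless iat.is_a?(Numeric) && iat.to_f <= now.to_f
  end

  payload
rescue ArgumentError, JSON::ParserError
  raise VerificationError, 'malformed token'
end

# Reproduce the reported failure: the token is issued by a host whose clock is
# SKEW_SECONDS ahead of the API host verifying it.
def verify_across_skew(verify_iat:)
  api_now   = Time.now.to_i
  shell_now = api_now + SKEW_SECONDS
  token = encode_jwt({ 'iat' => shell_now, 'exp' => shell_now + 600 }, SECRET)
  decode_jwt(token, SECRET, now: api_now, verify_iat: verify_iat, leeway: 30)
  :accepted
rescue InvalidIatError, ExpiredSignatureError => e
  e.class
end

# With iat verification off, exp is still enforced: stale tokens stay rejected.
def verify_expired_token
  now = Time.now.to_i
  token = encode_jwt({ 'iat' => now - 3600, 'exp' => now - 120 }, SECRET)
  decode_jwt(token, SECRET, now: now, verify_iat: false, leeway: 30)
  :accepted
rescue ExpiredSignatureError => e
  e.class
end

if $PROGRAM_NAME == __FILE__
  puts "verify_iat: true,  issuer 2s ahead -> #{verify_across_skew(verify_iat: true)}"  # InvalidIatError
  puts "verify_iat: false, issuer 2s ahead -> #{verify_across_skew(verify_iat: false)}" # accepted
  puts "verify_iat: false, expired token   -> #{verify_expired_token}"                  # ExpiredSignatureError
end
```

Running it shows the same token accepted with `verify_iat: false` and rejected with `verify_iat: true` when the issuer's clock is ahead, while an expired token is still rejected either way; the `InvalidIatError` path is the one that surfaced as a 401 in the scenario the commit describes. The practical caveat is that disabling the `iat` check trades a clock-skew failure for reliance on `exp` alone, so the token lifetime and the `exp` leeway on the verifying host are what now bound replay.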
-
- Jul 14, 2023
GitLab Release Tools Bot authored
[merge-train skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
- Jul 05, 2023
GitLab Release Tools Bot authored
-
- Jul 04, 2023
GitLab Release Tools Bot authored
[merge-train skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
Mayra Cabrera authored
Add authorization to the subscriptions group controller
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3381
Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Doug Stull <dstull@gitlab.com>
Approved-by: Thong Kuah <tkuah@gitlab.com>
Co-authored-by: Doug Stull <dstull@gitlab.com>
-
Merge branch 'security-416797-fix-auth-issue-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3381
Changelog: security
-
- Jun 29, 2023
GitLab Release Tools Bot authored
-
- Jun 28, 2023
GitLab Release Tools Bot authored
[merge-train skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
[ci skip]
-
John Skarbek authored
Revert 'security-leaked-ci-job-token-permission-15-11' from '15-11'"
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3375
Merged-by: John Skarbek <jskarbek@gitlab.com>
Approved-by: Dominic Couture <dcouture@gitlab.com>
Approved-by: A Browne <abrowne@gitlab.com>
Co-authored-by: Max Fan <mfan@gitlab.com>
-
Merge branch 'revert-822d17d7' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3375
Changelog: security
-
GitLab Release Tools Bot authored
Use fully qualified ref when loading code owner file
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3354
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Co-authored-by: Joe Woodward <jwoodward@gitlab.com>
-
Merge branch 'security-410123-bypass-code-owner-approvals-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3354
Changelog: security
-
GitLab Release Tools Bot authored
Maintainer can leak masked webhook secrets by manipulating URL masking
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3361
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Luke Duncalfe <lduncalfe@gitlab.com>
Co-authored-by: bmarjanovic <bmarjanovic@gitlab.com>
-
Merge branch 'security-410433-confidential-issue-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3361
Changelog: security
-
GitLab Release Tools Bot authored
Remove approvals when the only commit gets amended
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3368
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Patrick Bajao <ebajao@gitlab.com>
Co-authored-by: David Kim <dkim@gitlab.com>
-
Merge branch 'security-fix-907-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3368
Changelog: security
-
GitLab Release Tools Bot authored
Fix for fork permissions check in compare controller
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3344
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Co-authored-by: Robert May <rmay@gitlab.com>
-
Merge branch 'security-408137-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3344
Changelog: security
-
GitLab Release Tools Bot authored
Webhook token leaked in Sidekiq logs if log format is 'default'
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3347
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Roy Zwambag <rzwambag@gitlab.com>
Co-authored-by: bmarjanovic <bmarjanovic@gitlab.com>
-
Merge branch 'security-409034-confidential-issue-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3347
Changelog: security
-
GitLab Release Tools Bot authored
Mitigate epic reference filter ReDOS
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3339
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Vitali Tatarintev <vtatarintev@gitlab.com>
Co-authored-by: Brett Walker <bwalker@gitlab.com>
-
Merge branch 'security-untrusted-epic-reference-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3339
Changelog: security
-
GitLab Release Tools Bot authored
Increasing security for CI_JOB_TOKEN on public and internal projects
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3319
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: A Browne <abrowne@gitlab.com>
Co-authored-by: Max Fan <mfan@gitlab.com>
-
Merge branch 'security-leaked-ci-job-token-permission-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3319
Changelog: security
-
GitLab Release Tools Bot authored
Merge branch 'security-dblessing_fix_html_injection_admin_unconfirmed_user-15-11' into '15-11-stable-ee'
Sanitize user email addresses in admin confirm user dialog
See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3332
Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Kassio Borges <kborges@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>
-
Merge branch 'security-dblessing_fix_html_injection_admin_unconfirmed_user-15-11' into '15-11-stable-ee'
See merge request gitlab-org/security/gitlab!3332
Changelog: security
-