It looks like our app is affected because we are using JWT authentication. We do verify the qsh claim but we should still follow the steps described here.
Setting priority2 because the change will be enforced by Jun 7, 2021.
@Andysoiron @mnohr I wonder if we should also backport this change, to reduce the breakage for users on older GitLab versions. I guess technically we could treat it as a security fix, except that the vulnerability was on the Jira side rather than GitLab.
@toupeira I think we may need to do that. If we make the change in %14.0, then customers will not get the fix until mid-June. That only gives customers a couple of weeks until this is enforced.
Atlassian has introduced a breaking change that will be enforced on June 7, 2021. This date is after we are able to implement and release the fix (%14.0, June 22).
@.luke Yes, as far as I understand the description from Atlassian, this is all we need to do. In addition to that, we should do some testing to make sure it still works.