11.6.1-ce.0

@pozgo pozgo released this 01 Jan 12:35
· 39 commits to master since this release
e5f061b

11.6.1 (2018-12-28)

Security (15 changes)

  • Escape label and milestone titles to prevent XSS in GFM autocomplete. !2740
  • Prevent private snippets from being embeddable.
  • Add subresources removal to member destroy service.
  • Escape HTML entities in LabelReferenceFilter when no label found.
  • Allow changing group CI/CD settings only for owners.
  • Authorize before reading job information via API.
  • Prevent leaking protected variables for ambiguous refs.
  • Ensure that build token is only used when running.
  • Issuable no longer is visible to users when project can't be viewed.
  • Don't expose cross project repositories through diffs when creating merge requests.
  • Fix SSRF with import_url and remote mirror url.
  • Fix persistent symlink in project import.
  • Set URL rel attribute for broken URLs.
  • Project guests no longer are able to see refs page.
  • Delete confidential todos for user when downgraded to Guest.

Other (1 change)

  • Fix due date test. !23845