11.6.4-ce.0

11.6.4 (2019-01-15)

Security (1 change)

• Validate bundle files before unpacking them.

11.6.3-ce.0

11.6.3 (2019-01-04)

Fixed (1 change)

• Fix clone URL not showing if protocol is HTTPS. !24131

11.6.2-ce.0

11.6.2 (2019-01-02)

Fixed (7 changes)

• Hide cluster features that don't work yet with Group Clusters. !23935
• Fix a 500 error that could occur until all migrations are done. !23939
• Fix missing Git clone button when protocol restriction setting enabled. !24015
• Fix clone dropdown parent inheritance issues in HAML. !24029
• Fix content-disposition in blobs and files API endpoint. !24078
• Fixed markdown toolbar buttons.
• Adjust line-height of blame view line numbers.

11.6.1-ce.0

11.6.1 (2018-12-28)

Security (15 changes)

• Escape label and milestone titles to prevent XSS in GFM autocomplete. !2740
• Prevent private snippets from being embeddable.
• Add subresources removal to member destroy service.
• Escape html entities in LabelReferenceFilter when no label found.
• Allow changing group CI/CD settings only for owners.
• Authorize before reading job information via API.
• Prevent leaking protected variables for ambiguous refs.
• Ensure that build token is only used when running.
• Issuable no longer is visible to users when project can't be viewed.
• Don't expose cross project repositories through diffs when creating merge reqeusts.
• Fix SSRF with import_url and remote mirror url.
• Fix persistent symlink in project import.
• Set URL rel attribute for broken URLs.
• Project guests no longer are able to see refs page.
• Delete confidential todos for user when downgraded to Guest.

Other (1 change)

• Fix due date test. !23845

11.6.0-ce.0

11.6.0 (2018-12-22)

Security (24 changes, 1 of them is from the community)

• Fix possible XSS attack in Markdown urls with spaces. !2599
• Update rack to 2.0.6 (for QA environments). !23171 (Takuya Noguchi)
• Bump nokogiri, loofah, and rack gems for security updates. !23204
• Encrypt runners tokens. !23412
• Encrypt CI/CD builds authentication tokens. !23436
• Configure mermaid to not render HTML content in diagrams.
• Fix a possible symlink time of check to time of use race condition in GitLab Pages.
• Removed ability to see private group names when the group id is entered in the url.
• Fix stored XSS for Environments.
• Fix persistent symlink in project import.
• Fixed ability of guest users to edit/delete comments on locked or confidential issues.
• Fixed ability to comment on locked/confidential issues.
• Fix CRLF vulnerability in Project hooks.
• Fix SSRF in project integrations.
• Resolve reflected XSS in Ouath authorize window.
• Restrict Personal Access Tokens to API scope on web requests.
• Provide email notification when a user changes their email address.
• Don't expose confidential information in commit message list.
• Validate LFS hrefs before downloading them.
• Do not follow redirects in Prometheus service when making http requests to the configured api url.
• Escape user fullname while rendering autocomplete template to prevent XSS.
• Redact sensitive information on gitlab-workhorse log.
• Fix milestone promotion authorization check.
• Prevent a path traversal attack on global file templates.

Removed (1 change)

• Remove obsolete gitlab_shell rake tasks. !22417

Fixed (86 changes, 13 of them are from the community)

• Remove limit of 100 when searching repository code. !8671
• Show error message when attempting to reopen an MR and there is an open MR for the same branch. !16447 (Akos Gyimesi)
• Fix a bug where internal email pattern wasn't respected. !22516
• Fix project selector consistency in groups issues / MRs / boards pages. !22612 (Heinrich Lee Yu)
• Add empty state for graphs with no values. !22630
• Fix navigating by unresolved discussions on Merge Request page. !22789
• Fix "merged with [commit]" info for merge requests being merged automatically by other actions. !22794
• Fixing regression issues on pages settings and details. !22821
• Remove duplicate primary button in dashboard snippets on small viewports. !22902 (George Tsiolis)
• Fix API::Namespaces routing to accept namepaces with dots. !22912
• Switch kubernetes:active with checking in Auto-DevOps.gitlab-ci.yml. !22929
• Avoid Gitaly RPC errors when fetching diff stats. !22995
• Removes promote to group label for anonymous user. !23042 (Jacopo Beschi @jacopo-beschi)
• Fix enabling project deploy key for admins. !23043
• Align issue status label and confidential icon. !23046 (George Tsiolis)
• Fix default sorting for subgroups and projects list. !23058 (Jacopo Beschi @jacopo-beschi)
• Hashed Storage: allow migration to be retried in partially migrated projects. !23087
• Fix line height of numbers in file blame view. !23090 (Johann Hubert Sonntagbauer)
• Fixes an issue where default values from models would override values set in the interface (e.g. users would be set to external even though their emails matches the internal email address pattern). !23114
• Remove display of local Sidekiq process in /admin/sidekiq. !23118
• Fix unrelated deployment status in MR widget. !23175
• Respect confirmed flag on secondary emails. !23181
• Restrict member access level to be higher than that of any parent group. !23226
• Return real deployment status to frontend. !23270
• Handle force_remove_source_branch when creating merge request. !23281
• Avoid creating invalid refs using rugged, shelling out for writing refs. !23286
• Remove needless auto-capitalization on Wiki page titles. !23288
• Modify the wording for the knative cluster application to match upstream. !23289 (Chris Baumbauer)
• Change container width for project import. !23318 (George Tsiolis)
• Validate chunk size when persist. !23341
• Resolve Main navbar is broken in certain viewport widths. !23348
• Gracefully handle references with null bytes. !23365
• Display commit ID for commit diff discussion on merge request. !23370
• Pass commit when posting diff discussions. !23371
• Fix flash notice styling for fluid layout. !23382
• Add monkey patch to unicorn to fix eof? problem. !23385
• Commits API: Preserve file content in move operations if unspecified. !23387
• Disable password autocomplete in mirror form fill. !23402
• Fix "protected branches only" checkbox not set properly at init. !23409
• Support RSA and ECDSA algorithms in Omniauth JWT provider. !23411 (Michael Tsyganov)
• Make KUBECONFIG nil if KUBE_TOKEN is nil. !23414
• Allow search and sort users at same time on admin users page. !23439
• Fix: Unstar icon button is misaligned. !23444
• Fix error when searching for group issues with priority or popularity sort. !23445
• Fix Order By dropdown menu styling in tablet and mobile screens. !23446
• Fix collapsing discussion replies. !23462
• Gracefully handle unknown/invalid GPG keys. !23492
• Fix multiple commits shade overlapping vertical discussion line. !23515
• Use read_repository scope on read-only files API. !23534
• Avoid 500's when serializing legacy diff notes. !23544
• Fix web hook functionality when the database encryption key is too short. !23573
• Hide Knative from group cluster applications until supported. !23577
• Add top padding for nested environment items loading icon. !23580 (George Tsiolis)
• Improve help and validation sections of maximum build timeout inputs. !23586
• Fix milestone select in issue sidebar of issue boards. !23625
• Fix gitlab:web_hook tasks. !23635
• Avoid caching BroadcastMessage as an ActiveRecord object. !23662
• Only allow strings in URL::Sanitizer.valid?. !23675
• Fix a frozen string error in app/mailers/notify.rb. !23683
• Fix a frozen string error in lib/gitlab/utils.rb. !23690
• Fix MR resolved discussion counts being too low. !23710
• Fix a potential frozen string error in app/mailers/notify.rb. !23728
• Remove unnecessary div from MarkdownField to apply list styles correctly. !23733
• Display reply field if resolved discussion has no replies. !23801
• Restore kubernetes:active in Auto-DevOps.gitlab-ci.yml (reverts 22929). !23826
• Fix mergeUrlParams with fragment URL. !54218 (Thomas Holder)
• Fixed multiple diff line discussions not expanding.
• Fixed diff files expanding not loading commit content.
• Fixed styling of image comment badges on commits.
• Resolve possible cherry pick API race condition.
• When user clicks linenumber in MR changes, highlight that line.
• Remove old webhook logs after 90 days, as documented, instead of after 2.
• Add an external IP address to the knative cluster application page. (Chris Baumbauer)
• Fixed duplicate discussions getting added to diff lines.
• Fix deadlock on ChunkedIO.
• Show tree collapse button for merge request commit diffs.
• Use approximate count for big tables for usage statistics.
• Lock writes to trace stream.
• Ensure that SVG sprite icons are properly rendered in IE11.
• Make new branch form fields' fonts consistent.
• Open first 10 merge request files in IDE.
• Prevent user from navigating away from file edit without commit.
• Prevent empty button being rendered in empty state.
• Adds margins between tags when a job is stuck.
• Fix Image Lazy Loader for some older browsers.
• Correctly styles tags in sidebar for job page.

Changed (34 changes, 9 of them are from the community)

• Include new link in breadcrumb for issues, merge requests, milestones, and labels. !18515 (George Tsiolis)
• Allow sorting issues and MRs in reverse order. !21438
• Design improvements to project overview page. !22196
• Remove auto deactivation when failed to create a pipeline via pipeline schedules. !22243
• Use group clusters when deploying (DeploymentPlatform). !22308
• Improve initial discussion rendering performance. !22607
• removes partially matching of No Label filter and makes it case-insensitive. !22622 (Jacopo Beschi @jacopo-beschi)
• Use search bar for filtering in dashboard issues / MRs. !22641 (Heinrich Lee Yu)
• Show different empty state for filtered issues and MRs. !22775 (Heinrich Lee Yu)
• Relocate JSONWebToken::HMACToken from EE. !22906
• Resolve Add border around the repository file tree. !23018
• Change breadcrumb title for contribution charts. !23071 (George Tsiolis)
• Update environments metrics empty state. !23074 (George Tsiolis)
• Refine cursor positioning in Markdown Editor for wrap tags. !23085 (Johann Hubert Sonntagbauer)
• Use reports syntax for SAST in Auto DevOps. !23163
• SystemCheck: Use a more reliable way to detect current Ruby version. !23291
• Changed frontmatter filtering to support YAML, JSON, TOML, and arbitrary languages. !23331 (Travis Miller)
• Don't remove failed install pods after installing GitLab managed applications. !23350
• Expose merge request pipeline variables. !23398
• Scope default MR search in WebIDE dropdown to current project. !23400
• Show user contributions in correct timezone within user profile. !23419
• Redesign of MR header sections (CE). !23465
• Auto DevOps: Add echo for each branch of the deploy() function where we run helm upgrade. !23499
• Updates service to update Kubernetes project namespaces and restricted service account if present. !23525
• Adjust divider margin to comply with design specs. !23548
• Adjust dropdown item and header padding to comply with design specs. !23552
• Truncate merge request titles with periods instead of ellipsis. !23558
• Remove close icon from projects dropdown in issue boards. !23567
• Change dropdown divider color to gray-200 (#dfdfdf). !23592
• Define the default value for only/except policies. !23765
• Don't show Memo...

11.5.5-ce.0

11.5.5 (2018-12-20)

Security (1 change)

• Fix persistent symlink in project import.

11.5.3-ce.0

11.5.3 (2018-12-06)

Security (1 change)

• Prevent a path traversal attack on global file templates.

11.5.2-ce.0

11.5.2 (2018-12-03)

Removed (1 change)

• Removed Site Statistics optimization as it was causing problems. !23314

Fixed (6 changes, 1 of them is from the community)

• Display impersonation token value only after creation. !22916
• Fix not render emoji in filter dropdown. !23112 (Hiroyuki Sato)
• Fixes stuck tooltip on stop env button. !23244
• Correctly handle data-loss scenarios when encrypting columns. !23306
• Clear BatchLoader context between Sidekiq jobs. !23308
• Fix handling of filenames with hash characters in tree view. !23368

11.5.1-ce.0

11.5.1 (2018-11-26)

Security (17 changes)

• Escape user fullname while rendering autocomplete template to prevent XSS.
• Fix CRLF vulnerability in Project hooks.
• Fix possible XSS attack in Markdown urls with spaces.
• Redact sensitive information on gitlab-workhorse log.
• Do not follow redirects in Prometheus service when making http requests to the configured api url.
• Don't expose confidential information in commit message list.
• Provide email notification when a user changes their email address.
• Restrict Personal Access Tokens to API scope on web requests.
• Resolve reflected XSS in Ouath authorize window.
• Fix SSRF in project integrations.
• Fixed ability to comment on locked/confidential issues.
• Fixed ability of guest users to edit/delete comments on locked or confidential issues.
• Fix milestone promotion authorization check.
• Configure mermaid to not render HTML content in diagrams.
• Fix a possible symlink time of check to time of use race condition in GitLab Pages.
• Removed ability to see private group names when the group id is entered in the url.
• Fix stored XSS for Environments.

11.5.0-ce.0

11.5.0 (2018-11-22)

Security (10 changes, 1 of them is from the community)

• Escape entity title while autocomplete template rendering to prevent XSS. !2556
• Update moment to 2.22.2. !22648 (Takuya Noguchi)
• Redact personal tokens in unsubscribe links.
• Escape user fullname while rendering autocomplete template to prevent XSS.
• Persist only SHA digest of PersonalAccessToken#token.
• Monkey kubeclient to not follow any redirects.
• Prevent SSRF attacks in HipChat integration.
• Prevent templated services from being imported.
• Validate Wiki attachments are valid temporary files.
• Fix XSS in merge request source branch name.

Removed (2 changes)

• Remove Git circuit breaker. !22212
• Remove Koding integration and documentation. !22334

Fixed (74 changes, 15 of them are from the community)

• Hide all tables on Pipeline when no Jobs for the Pipeline. !18540 (Takuya Noguchi)
• Fixing count on Milestones. !21446
• Use case insensitve username lookups. !21728 (William George)
• Correctly process Bamboo API result array. !21970 (Alex Lossent)
• Fix 'merged with' UI being displayed when merge request has no merge commit. !22022
• Fix broken file name navigation on MRs. !22109
• Fix incorrect spacing between buttons when commenting on a MR. !22135
• Vertical align Pipeline Graph in Commit Page. !22173 (Johann Hubert Sonntagbauer)
• Reject invalid branch names in repository compare controller. !22186
• Fix size of emojis of user status in user menu. !22194
• Use the standard PIP_CACHE_DIR for Python dependency caching template. !22211 (Takuya Noguchi)
• Fix bug with wiki attachments content disposition. !22220
• Does not allow a SSH URI when importing new projects. !22309
• fix duplicated key in license management job auto devops gitlab ci template. !22311 (Adam Lemanski)
• Fix commit signature error when project is disabled. !22344
• Show available clusters when installed or updated. !22356
• Fix auto-corrected upload URLs in webhooks. !22361
• Fix a bug displaying certain wiki pages. !22377
• Fix prometheus graphs in firefox. !22400
• Resolve assign-me quick action doesn't work if there is extra white space. !22402
• Remove base64 encoding from files that contain plain text. !22425
• Strip whitespace around GitHub personal access tokens. !22432
• Fix 500 error when testing webhooks with redirect loops. !22447 (Heinrich Lee Yu)
• Fix rendering of 'Protected' value on Runner details page. !22459
• Fix bug stopping non-admin users from changing visibility level on group creation. !22468
• Make Issue Board sidebar show project-specific labels based on selected Issue. !22475
• Fix EOF detection with CI artifacts metadata. !22479
• Fix transient spec error in the bar_chart component. !22495
• Resolve LFS not correctly showing enabled. !22501
• If user was not found, service hooks won't run on post receive background job. !22519
• Fix broken "Show whitespace changes" button on MRs. !22539
• Always show new issue button in boards' Open list. !22557 (Heinrich Lee Yu)
• Add transparent background to markdown header tabs. !22565 (George Tsiolis)
• Use gitlab_environment for ldap rake task. !22582
• Add commit message to commit tree anchor title. !22585
• Cache pipeline status per SHA. !22589
• Change HELM_HOST in Auto-DevOps template to work behind proxy. !22596 (Sergej Nikolaev [email protected])
• Show user status for label events in system notes. !22609
• Fix extra merge request versions created from forked merge requests. !22611
• Remove PersonalAccessTokensFinder#find_by method. !22617
• Fix search "all in GitLab" not working with relative URLs. !22644
• Fix quick links button styles. !22657 (George Tsiolis)
• Fix #53298: JupyterHub restarts should work without errors. !22671 (Amit Rathi)
• Fix incompatibility with IE11 due to non-transpiled gitlab-ui components. !22695
• Fix bug when links in tabs of the labels index pages ends with .html. !22716
• Fixed label removal from issue. !22762
• Align toggle sidebar button across all browsers and OSs. !22771
• Disable replication lag check for Aurora PostgreSQL databases. !22786
• Render unescaped link for failed pipeline status. !22807
• Fix misaligned approvers dropdown. !22832
• Fix bug with wiki page create message. !22849
• Fix rendering of filter bar tokens for special values. !22865 (Heinrich Lee Yu)
• Align sign in button. !22888 (George Tsiolis)
• Fix error handling bugs in kubernetes integration. !22922
• Fix deployment jobs using nil KUBE_TOKEN due to migration issue. !23009
• Avoid returning deployment metrics url to MR widget when the deployment is not successful. !23010
• Fix a race condition intermittently breaking GitLab startup. !23028
• Adds margin after a deleted branch name in the activity feed. !23038
• Ignore environment validation failure. !23100
• Fixes broken borders for reports section in MR widget.
• Adds CI favicon back to jobs page.
• Redirect to the pipeline builds page when a build is canceled. (Eva Kadlecova)
• Fixed diff stats not showing when performance bar is enabled.
• Show expand all diffs button when a single diff file is collapsed.
• Clear fetched file templates when changing template type in Web IDE.
• Fix bug causing not all emails to show up in commit email selectbox.
• Remove duplicate escape in job sidebar.
• Fixing styling issues on the scheduled pipelines page.
• Renders stuck block when runners are stuck.
• Removes extra border from test reports in the merge request widget.
• Only render link to branch when branch still exists in pipeline page.
• Fixed source project not filtering in merge request creation compare form.
• Do not reload self on hooks when creating deployment.
• Fixes broken test in master.

Changed (38 changes, 12 of them are from the community)

• Link button in markdown editor recognize URLs. !1983 (Johann Hubert Sonntagbauer)
• Replace i to icons in vue components. !20748 (George Tsiolis)
• Remove Linguist gem, reducing Rails memory usage by 128MB per process. !21008
• Issue board card design. !21229
• On deletion of a file in sub directory in web IDE redirect to the sub directory instead of project root. !21465 (George Thomas @thegeorgeous)
• Change single-item breadcrumbs to page titles. !22155
• Improving branch filter sorting by listing exact matches first and added support for begins_with (^) and ends_with ($) matching. !22166 (Jason Rutherford)
• Remove legacy unencrypted webhook columns from the database. !22199
• Show canary status in the performance bar. !22222
• Add failure reason for execution timeout. !22224
• Rename "scheduled" label/badge of delayed jobs to "delayed". !22245
• Update the empty state on wiki-only projects to display an empty state that is more consistent with the rest of the system. !22262
• Add IID headers to E-Mail notifications. !22263
• Allow finding the common ancestor for multiple revisions through the API. !22295
• Add status to Deployment. !22380
• Add dynamic timer to delayed jobs. !22382
• No longer require a deploy to start Prometheus monitoring. !22401
• Secret Variables renamed to CI Variables in the codebase, to match UX. !22414 (Marcel Amirault @Ravlen)
• Automatically navigate to last board visited. !22430
• Use merge request prefix symbol in event feed title. !22449 (George Tsiolis)
• Update Ruby version in README. !22466 (J.D. Bean)
• Reword error message for internal CI unknown pipeline status. !22474
• Bump mermaid to 8.0.0-rc.8. !22509 (@blackst0ne)
• Update Todo icons in collapsed sidebar for Issues and MRs. !22534
• Support backward compatibility when introduce new failure reason. !22566
• Add dynamic timer for delayed jobs in pipelines list. !22621
• Truncate milestone title on collapsed sidebar. !22624 (George Tsiolis)
• Standardize milestones filter in APIs to None / Any. !22637 (Heinrich Lee Yu)
• Add dynamic timer for delayed jobs in job list. !22656
• Allowing issues with single letter identifiers to be linked to external issue tracker (f.ex T-123). !22717 (Dídac Rodríguez Arbonès)
• Update project and group labels empty state. !22745 (George Tsiolis)
• Fix environment status in merge request widget. !22799
• Paginate Bitbucket Server importer projects. !22825
• Drop allow_overflow option in TimeHelper.duration_in_numbers. !52284
• Add 'only history' option to notes filter.
• Adds filtered dropdown with changed files in review.
• Expose {closed,merged}_{at,by} in merge requests API index.
• Make all legacy security reports to use raw format.

Performance (27 changes, 6 of them are from the community)

• Add preload for routes and namespaces for issues controller. !21651
• Enhance performance of counting local LFS objects. !22143
• Use cached readme contents when available. !22325
• Experimental support for running Puma multithreaded web-server. !22372
• Enhance performance of counting local Uploads. !22522
• Reduce SQL queries needed to load open merge requests. !22709
• Significantly cut memory usage and SQL queries when reloading diffs. !22725
• Optimize merge request refresh by using the database to check commit SHAs. !22731
• Remove dind from license_management auto-devops job definition. !22732
• Add index to find stuck merge requests. !22749
• Allow Rails concurrency when running in Puma. !22751
• Improve performance of rendering large reports. !22835
• Improves performance of stuck import jobs detection. !22879
• Rewrite SnippetsFinder to improve performance by a factor of 1500.
• Enable more frozen string in lib/**/*.rb. (gfyoung)
• Enable some frozen string in lib/gitlab. (gfyoung)
• Enable even more frozen string in lib/**/*.rb. (gfyoung)
• Improve performance of tree rendering in repositories with lots of items.
• Remove gitlab-ui's tooltip from global.
• Remove gitlab-ui's progress bar from global.
• Remove gitlab-ui's pagination from global.
• ...