GitLab EE - 16.9.1
Security
(2024-02-20)
Fixed (2 changes)
- Fix Duo Chat CORS issue by updating web-ide package
- Fix deny_all_requests_except_allowed of AddressableUrlValidator
Security (10 changes)
- Add a limit to CodeOwners reference extractor regex (merge request)
- Ensure LDAP user cannot sign in with password (merge request)
- Ensure LDAP users cannot reset local password to bypass LDAP (merge request)
- Disallow assigning higher role than current user (merge request)
- Check project read access in Environment and Operations dashboard (merge request)
- Fix Stored-XSS in user's profile page: Change markup used for pronouns (merge request)
- Invalidate markdown cache to clear up stored XSS (merge request)
- Disallow users from modifying deploy key title (merge request)
- Adds authorization for analytics settings (merge request)
- Use merge_head_diff for codeowners when merge request is mergeable (merge request)
Security
Security wording was detected, but no CVEs were found.
Details
- date: Feb. 20, 2024, midnight
- name: 16.9.1
- type: Patch