[merge-train skip]

[merge-train skip]

[ci skip]

[ci skip]

Fix clickouse-server version in CI

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3808



Merged-by: Jenny Kim <yjeankim@gitlab.com>
Approved-by: Tiffany Rea <trea@gitlab.com>
Approved-by: Drew Blessing <drew@gitlab.com>
Co-authored-by: Imre Farkas <ifarkas@gitlab.com>

Merge branch 'security-fix_clickhouse_version-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3808

Changelog: security

User password reset accepts multiple email addresses

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3795



Merged-by: Ahmad Tolba <atolba@gitlab.com>
Approved-by: Imre Farkas <ifarkas@gitlab.com>
Approved-by: Bogdan Denkovych <bdenkovych@gitlab.com>
Co-authored-by: Bogdan Denkovych <bdenkovych@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

Merge branch 'security-dblessing_password_reset-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3795

Changelog: security

[merge-train skip]

[ci skip]

[ci skip]

Prevent tag names starting with SHA-1 and SHA-256 values

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3748



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: David Fernandez <dfernandez@gitlab.com>
Co-authored-by: Joe Woodward <j@joewoodward.me>

Merge branch 'security-431345-tag-naming-commit-sha-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3748

Changelog: security

Pass encoded file paths to router

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3737



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Jacques Erasmus <jerasmus@gitlab.com>
Co-authored-by: psjakubowska <psedlak-jakubowska@gitlab.com>

Merge branch 'security-file-names-double-encoding-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3737

Changelog: security

Validate access level of user while rotating token

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3752



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Co-authored-by: smriti <sgarg@gitlab.com>

Merge branch 'security-1007_rotate_api_role_escalation_issue-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3752

Changelog: security

Fix large time_spent value causing GraphQL error `Integer out of bounds`

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3753



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Sylvester Chin <schin@gitlab.com>
Co-authored-by: Eulyeon Ko <eko@gitlab.com>

Merge branch 'security-ek-fix-timespent-overflow-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3753

Changelog: security

Merge branch 'security-protected-branches-require-direct-group-membership-16-4' into '16-4-stable-ee'

Restrict Protected branch access via group to direct members

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3728



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Igor Drozdov <idrozdov@gitlab.com>
Co-authored-by: j.seto <jseto@gitlab.com>

Merge branch 'security-protected-branches-require-direct-group-membership-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3728

Changelog: security

Remove the ability to fork and create MR for auditors

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3740



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Smriti Garg <sgarg@gitlab.com>
Co-authored-by: Aboobacker MK <akarakath@gitlab.com>

Merge branch 'security-prevent_auditor_from_forking_and_mr-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3740

Changelog: security

Restrict passing variables on the pipeline schedule API

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3725



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Kevin Morrison <kmorrison@gitlab.com>
Approved-by: Albert Salim <asalim@gitlab.com>
Co-authored-by: Dmytro Biryukov <dbiryukov@gitlab.com>

Merge branch 'security-security_bypass_predefined_vars_fix_mr-1008-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3725

Changelog: security

Smartcard auth: encrypt client cert in params

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3731



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Co-authored-by: Imre Farkas <ifarkas@gitlab.com>

Merge branch 'security-smartcard_encrypted_public_cert_in_redirect-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3731

Changelog: security

[16.4 Backport] Fix Admin Mode bug in DeactivateDormantUsersWorker

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138913



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Alper Akgun <aakgun@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Alper Akgun <aakgun@gitlab.com>

Fix Admin Mode bug in DeactivateDormantUsersWorker

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136907



Merged-by: Alper Akgun <aakgun@gitlab.com>
Approved-by: Josianne Hyson <jhyson@gitlab.com>
Approved-by: Smriti Garg <sgarg@gitlab.com>
Reviewed-by: Josianne Hyson <jhyson@gitlab.com>
Reviewed-by: Huzaifa Iftikhar <hiftikhar@gitlab.com>
Co-authored-by: Cody West <cwest@gitlab.com>
Co-authored-by: Josianne Hyson <jhyson@gitlab.com>

(cherry picked from commit 460c393d)

c889133c Skip DeactivateService authorization in cron
e9f51558 Switch to session bypass
0db4f4bc Add admin mode user deactivation tests
5f3e44ad Call original for better testing
67d4689b Remove authorization skip
efda2a7a Apply review suggestions

[merge-train skip]

[ci skip]

[ci skip]

Merge branch 'security-enforce-ref-protection-on-pipeline-schedule-updates-16-4' into '16-4-stable-ee'

Enforce ref protection on pipeline schedule updates

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3657



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Gary Holtz <gholtz@gitlab.com>
Co-authored-by: Hordur Freyr Yngvason <hfyngvason@gitlab.com>

Merge branch 'security-enforce-ref-protection-on-pipeline-schedule-updates-16-4' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3657

Changelog: security

Update mermaid version for DOS security fixes

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3672



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Dheeraj Joshi <djoshi@gitlab.com>
Co-authored-by: Deepika Guliani <dguliani@gitlab.com>

Merge branch 'security-999-update-mermaid-10-6-fix' into '16-4-stable-ee'

See merge request gitlab-org/security/gitlab!3672

Changelog: security

Prevent guest users from being able to add emojis in confidential issues

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3689



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Heinrich Lee Yu <heinrich@gitlab.com>
Co-authored-by: Eugenia Grieff <egrieff@gitlab.com>