[merge-train skip]

[ci skip]

[ci skip]

Add a limit to CodeOwners reference extractor regex

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3861



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Joe Woodward <jwoodward@gitlab.com>
Co-authored-by: Robert May <rmay@gitlab.com>

Merge branch 'security-435036-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3861

Changelog: security

Ensure LDAP user cannot sign in with password

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3893



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Smriti Garg <sgarg@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

Merge branch 'security-security_prevent_ldap_user_password_sign_in-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3893

Changelog: security

Ensure LDAP users cannot reset local password to bypass LDAP

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3881



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Doug Stull <dstull@gitlab.com>
Co-authored-by: Drew Blessing <drew@gitlab.com>

Merge branch 'security-security_dblessing_ldap_password_reset_fix-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3881

Changelog: security

Disallow assigning higher role than current user

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3852



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Co-authored-by: Jarka Košanová <jarka@gitlab.com>

Merge branch 'security-admin-member-perm-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3852

Changelog: security

Check project read access in Environments and Operations dashboard

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3871



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Ameya Darshan <adarshan@gitlab.com>
Approved-by: Dylan Griffith <dyl.griffith@gmail.com>
Co-authored-by: Pam Artiaga <partiaga@gitlab.com>

Merge branch 'security-424766-fix-environments-projects-dashboard-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3871

Changelog: security

Invalidate markdown cache to clear up stored XSS

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3886



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Roy Zwambag <rzwambag@gitlab.com>
Co-authored-by: bmarjanovic <bmarjanovic@gitlab.com>

Merge branch 'security-441094-confidential-issue-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3886

Changelog: security

Disallow users to modify deploy key title

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3865



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Hunter Stewart <hustewart@gitlab.com>
Co-authored-by: Anna Vovchenko <avovchenko@gitlab.com>

Merge branch 'security-disallow-users-to-modify-deploy-key-title-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3865

Changelog: security

Adds authorization for analytics settings

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3857



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Tetiana Chupryna <tchupryna@gitlab.com>
Co-authored-by: Surabhi Suman <ssuman@gitlab.com>

Merge branch 'security-authorize-analytics-settings-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3857

Changelog: security

Use merge_head_diff for codeowners when merge request is mergeable

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3869



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Piotr Skorupa <pskorupa@gitlab.com>
Co-authored-by: j.seto <jseto@gitlab.com>

Merge branch 'security-437988-codeowner-approval-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3869

Changelog: security

Fix X.509 commit signing for OpenSSL 3

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144357



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Stan Hu <stanhu@gmail.com>

OpenSSL v3+ reports `PKCS12_parse: parse error` while OpenSSL v1.1
reports `PKCS12_parse: mac verify failure`. Unfortunately, we can't
tell what underlying library is used, so just look for an error.

OpenSSL v3 no longer allows mutating `OpenSSL::PKey::EC` types:
https://github.com/ruby/openssl/commit/6848d2d969

Changelog: fixed

The change in OpenSSL 3 along with
https://github.com/ruby/ruby/commit/cff5bd63065da3ca53e877b086c2671884ae16dd
caused the formatting of `OpenSSL::X509::Extension#value` to change
from this in OpenSSL 1.1:

```
keyid:<some fingerprint>\n
```

To this in OpenSSL 3 with no trailing newline:

```
<some fingerprint>
```

Since `Gitlab::X509::Signature#issuer_subject_key_identifier` was
using `delete!`, the missing newline caused this method to return
`nil`, which effectively prevented any signature from working.

To cut down on string allocations and avoid this bug, return the
`key_identifier` after `String#gsub!` and `String#chomp!` are run.

Changelog: fixed

[merge-train skip]

[ci skip]

[ci skip]

Fix CI component input Regexp

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3855



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Avielle Wolfe <awolfe@gitlab.com>
Co-authored-by: Furkan Ayhan <furkanayhn@gmail.com>

Merge branch 'security-1039-433147-inputs-regexp-dos-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3855

Changelog: security

Merge branch 'security-435500-project-maintainers-can-bypass-block-branch-modification-policies-16-7' into '16-7-stable-ee'

Make scan result policies block renaming branches

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3838



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Sashi Kumar Kumaresan <skumar@gitlab.com>
Co-authored-by: Dominic Bauer <dbauer@gitlab.com>

Merge branch 'security-435500-project-maintainers-can-bypass-block-branch-modification-policies-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3838

Changelog: security

Merge branch 'security-fix-resource-exhaustion-in-vulnerability-count-by-day-16-7' into '16-7-stable-ee'

Limit vulnerabilitiesCountByDay date range to 1 year

See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/3827



Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com>
Approved-by: Tetiana Chupryna <tchupryna@gitlab.com>
Co-authored-by: Brian Williams <bwilliams@gitlab.com>

Merge branch 'security-fix-resource-exhaustion-in-vulnerability-count-by-day-16-7' into '16-7-stable-ee'

See merge request gitlab-org/security/gitlab!3827

Changelog: security

Backport UUID migration finalization to 16.7

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143500



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Co-authored-by: Simon Tomlinson <stomlinson@gitlab.com>

Finalize UUID backfilling before column type migration cleanup occurs

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142537



Merged-by: Simon Tomlinson <stomlinson@gitlab.com>
Approved-by: Simon Tomlinson <stomlinson@gitlab.com>
Reviewed-by: Simon Tomlinson <stomlinson@gitlab.com>
Co-authored-by: Michał Zając <mzajac@gitlab.com>

(cherry picked from commit fad8d4ed)

e4a4b4b8 Finalize UUID backfilling before column type migration cleanup occurs

Update dependency prometheus-client-mmap to '~> 1.1', '>= 1.1.1'

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143174



Merged-by: Mayra Cabrera <mcabrera@gitlab.com>
Approved-by: Mayra Cabrera <mcabrera@gitlab.com>
Co-authored-by: Rémy Coutable <remy@rymai.me>
Co-authored-by: Stan Hu <stanhu@gmail.com>

This backports
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143159 to solve
high committed RAM usage identified in
https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8373.

This reverts
https://gitlab.com/gitlab-org/ruby/gems/prometheus-client-mmap/-/merge_requests/137.

Changelog: fixed