Add comment about patch

gitlab Debian release 12.5.4-2

debian/changelog

@@ -1,3 +1,19 @@
+gitlab (12.5.4-2+fto10+2) buster-fasttrack; urgency=medium
+
+  * Add gitlab 12.5.6 security release as a patch (Fixes: CVE-2019-20142,
+    CVE-2019-20143, CVE-2019-20144, CVE-2019-20145, CVE-2019-20146,
+    CVE-2019-20147, CVE-2019-20148, CVE-2020-5197). We cannot update to
+    12.6.2 directly because gitaly 1.78 no longer builds with golang 1.11.
+  * Update minimum versions of ruby-akismet and ruby-asana.
+
+ -- Pirate Praveen <praveen@debian.org>  Sat, 04 Jan 2020 02:11:59 +0530
+
+gitlab (12.5.4-2+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Tue, 31 Dec 2019 15:59:14 +0530
+
 gitlab (12.5.4-2) experimental; urgency=medium
 
   * Update minimum version of ruby-gpgme to 2.0.19
@@ -5,6 +21,12 @@ gitlab (12.5.4-2) experimental; urgency=medium
 
  -- Pirate Praveen <praveen@debian.org>  Tue, 31 Dec 2019 15:48:16 +0530
 
+gitlab (12.5.4-1+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Tue, 31 Dec 2019 14:26:58 +0530
+
 gitlab (12.5.4-1) experimental; urgency=medium
 
   * New upstream version 12.5.4
@@ -51,6 +73,25 @@ gitlab (12.4.6-1) experimental; urgency=medium
 
  -- Pirate Praveen <praveen@debian.org>  Thu, 26 Dec 2019 21:03:03 +0530
 
+gitlab (12.3.9-1+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 20 Dec 2019 20:04:38 +0530
+
+gitlab (12.2.9-5+fto10+2) buster-fasttrack; urgency=medium
+
+  * Update minimum version of yarnpkg to 1.19~
+  * Check if yarn cache directory is present before updating permissions
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 29 Nov 2019 20:57:21 +0530
+
+gitlab (12.2.9-5+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 29 Nov 2019 14:13:02 +0530
+
 gitlab (12.2.9-5) experimental; urgency=medium
 
   * Bump minimum version of ruby-font-awesome-rails to allow rails 5.2.3
@@ -90,6 +131,19 @@ gitlab (12.2.9-2) experimental; urgency=medium
 
  -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Sat, 02 Nov 2019 01:40:43 +0530
 
+gitlab (12.2.9-1+fto10+2) buster-fasttrack; urgency=medium
+
+  * Update minimum version for rm_confifile maintscript option (Closes:
+    #944596)
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 15 Nov 2019 19:11:34 +0530
+
+gitlab (12.2.9-1+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Thu, 31 Oct 2019 02:19:25 +0530
+
 gitlab (12.2.9-1) experimental; urgency=high
 
   * New upstream version 12.2.9 (Fixes: CVE-2019-18446 CVE-2019-18447
@@ -112,6 +166,12 @@ gitlab (12.2.8-2) experimental; urgency=medium
 
  -- Pirate Praveen <praveen@debian.org>  Thu, 24 Oct 2019 23:47:12 +0530
 
+gitlab (12.1.14-1+fto10+2) buster-fasttrack; urgency=medium
+
+  * Update minimum version of gitaly to 1.53.3 (Closes: #942633)
+
+ -- Pirate Praveen <praveen@debian.org>  Tue, 22 Oct 2019 19:14:19 +0530
+
 gitlab (12.2.8-1) experimental; urgency=medium
 
   [ Dmitry Smirnov ]
@@ -133,6 +193,12 @@ gitlab (12.2.8-1) experimental; urgency=medium
 
  -- Sruthi Chandran <srud@debian.org>  Sun, 20 Oct 2019 22:59:27 +0530
 
+gitlab (12.1.14-1+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Tue, 08 Oct 2019 21:29:31 +0530
+
 gitlab (12.1.14-1) experimental; urgency=medium
 
   [ Pirate Praveen ]
@@ -145,6 +211,12 @@ gitlab (12.1.14-1) experimental; urgency=medium
 
  -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Mon, 07 Oct 2019 21:29:31 +0530
 
+gitlab (12.1.13-2+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Sun, 06 Oct 2019 23:51:32 +0530
+
 gitlab (12.1.13-2) experimental; urgency=medium
 
   * Fix last version of initializers/active_record_verbose_query_logs.rb (this
@@ -193,6 +265,12 @@ gitlab (12.0.9-2) experimental; urgency=medium
 
  -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Mon, 16 Sep 2019 22:37:08 +0530
 
+gitlab (12.0.9-1+fto10+1) buster-fasttrack; urgency=high
+
+  * Rebuild for buster-fasttrack.
+
+ -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Thu, 12 Sep 2019 13:58:29 +0530
+
 gitlab (12.0.9-1) experimental; urgency=high
 
   * Team Upload
@@ -201,6 +279,12 @@ gitlab (12.0.9-1) experimental; urgency=high
 
  -- Nilesh <npatra974@gmail.com>  Wed, 11 Sep 2019 10:12:18 -0400
 
+gitlab (12.0.8-3+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Wed, 11 Sep 2019 12:12:02 +0530
+
 gitlab (12.0.8-3) experimental; urgency=medium
 
   * Update minimum version of ruby-gitaly-proto dependency
@@ -227,6 +311,12 @@ gitlab (12.0.8-1) experimental; urgency=high
 
  -- Sruthi Chandran <srud@debian.org>  Sat, 07 Sep 2019 21:38:23 +0530
 
+gitlab (11.11.8+dfsg-1+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Wed, 14 Aug 2019 17:39:22 +0530
+
 gitlab (11.11.8+dfsg-1) experimental; urgency=medium
 
   * New upstream security release 11.11.8+dfsg (Closes: #934708)
@@ -235,6 +325,12 @@ gitlab (11.11.8+dfsg-1) experimental; urgency=medium
 
  -- Sruthi Chandran <srud@debian.org>  Wed, 14 Aug 2019 17:14:06 +0530
 
+gitlab (11.11.7+dfsg-1+ft10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack
+
+ -- Pirate Praveen <praveen@debian.org>  Sun, 11 Aug 2019 13:00:50 +0530
+
 gitlab (11.11.7+dfsg-1) experimental; urgency=medium
 
   [ Pirate Praveen ]
@@ -266,6 +362,12 @@ gitlab (11.11.7+dfsg-1) experimental; urgency=medium
 
  -- Pirate Praveen <praveen@debian.org>  Sun, 11 Aug 2019 13:00:50 +0530
 
+gitlab (11.10.8+dfsg-1+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Sun, 07 Jul 2019 14:50:54 +0530
+
 gitlab (11.10.8+dfsg-1) experimental; urgency=medium
 
   [ Pirate Praveen ]
@@ -283,6 +385,12 @@ gitlab (11.10.8+dfsg-1) experimental; urgency=medium
 
  -- Pirate Praveen <praveen@debian.org>  Sun, 07 Jul 2019 13:14:52 +0530
 
+gitlab (11.10.5+dfsg-1+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack.
+
+ -- Pirate Praveen <praveen@debian.org>  Wed, 05 Jun 2019 14:18:57 +0530
+
 gitlab (11.10.5+dfsg-1) experimental; urgency=medium
 
   [ Pirate Praveen ]
@@ -367,6 +475,12 @@ gitlab (11.8.3-1) unstable; urgency=high
 
  -- Sruthi Chandran <srud@disroot.org>  Fri, 22 Mar 2019 00:19:33 +0530
 
+gitlab (11.8.2-3+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack
+
+ -- Pirate Praveen <praveen@debian.org>  Sun, 17 Mar 2019 18:52:41 +0530
+
 gitlab (11.8.2-3) unstable; urgency=medium
 
   * Add link to gitlab page on Debian wiki in README.Debian
@@ -379,6 +493,12 @@ gitlab (11.8.2-3) unstable; urgency=medium
 
  -- Pirate Praveen <praveen@debian.org>  Sun, 17 Mar 2019 18:34:25 +0530
 
+gitlab (11.8.2-2+fto10+1) buster-fasttrack; urgency=medium
+
+  * Rebuild for buster-fasttrack
+
+ -- Pirate Praveen <praveen@debian.org>  Sat, 16 Mar 2019 14:27:36 +0530
+
 gitlab (11.8.2-2) unstable; urgency=medium
 
   [ Sruthi Chandran ]

debian/control

@@ -73,7 +73,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
  ruby-jwt (>= 2.1~),
 # Spam and anti-bot protection
  ruby-recaptcha (>= 4.11~),
- ruby-akismet (>= 2.0~),
+ ruby-akismet (>= 3.0~),
  ruby-invisible-captcha (>= 0.12.1~),
 # Two-factor authentication
  ruby-devise-two-factor (>= 3.0~),
@@ -211,7 +211,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
 # Hangouts Chat integration
  ruby-hangouts-chat (>= 0.0.5),
 # Asana integration
- ruby-asana (>= 0.8.1~),
+ ruby-asana (>= 0.9~),
 # FogBugz integration
  ruby-fogbugz (>= 0.2.1-3~),
 # Kubernetes integration
@@ -313,7 +313,7 @@ Depends: ${shlibs:Depends}, ${misc:Depends},
 # Gitaly GRPC client
  ruby-gitaly (>= 1.70+dfsg~),
  ruby-grpc (>= 1.19~),
- ruby-google-protobuf (>= 3.7~),
+ ruby-google-protobuf (>= 3.7.1~),
 #
  ruby-toml-rb (>= 1.0.0-2~),
 # Feature toggles

debian/gitlab.examples

@@ -0,0 +1,3 @@
+doc/ci/examples/*
+debian/gems-compat/activerecord-5.1.6.1/examples/*
+debian/gems-compat/omniauth-google-oauth2-0.6.1/examples/*

debian/patches/gitlab-v12.5.4..v12.5.6.diff

@@ -0,0 +1,718 @@
+https://gitlab.com/gitlab-org/gitlab-foss/compare/v12.5.4...v12.5.6
+Created by git diff v12.5.4..v12.5.6 in upstream git repo
+
+--- a/CHANGELOG-EE.md
++++ b/CHANGELOG-EE.md
+@@ -1,5 +1,16 @@
+ Please view this file on the master branch, on stable branches it's out of date.
+ 
++## 12.5.5
++
++- No changes.
++
++## 12.5.4
++
++### Security (1 change)
++
++- Fix stale Elasticsearch permissions when moving group from public group to private parent group.
++
++
+ ## 12.5.3
+ 
+ ### Performance (1 change)
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -2,9 +2,35 @@
+ documentation](doc/development/changelog.md) for instructions on adding your own
+ entry.
+ 
++## 12.5.6
++
++### Security (5 changes)
++
++- GraphQL: Add timeout to all queries.
++- Return only runners from groups where user is owner for user CI owned runners.
++- Filter out notification settings for projects that a user does not have at least read access.
++- Hide project name and path when unsusbcribing from an issue or merge request.
++- Fix 500 error caused by invalid byte sequences in uploads links.
++
++
++## 12.5.5
++
++### Security (1 change)
++
++- Upgrade Akismet gem to v3.0.0. !21786
++
++### Fixed (2 changes)
++
++- Fix error in updating runner session. !20902
++- Fix Asana integration. !21501
++
++
+ ## 12.5.4
+ 
+-- No changes.
++### Security (1 change)
++
++- Update maven_file_name_regex for full string match.
++
+ 
+ ## 12.5.3
+ 
+--- a/Gemfile
++++ b/Gemfile
+@@ -50,7 +50,7 @@
+ 
+ # Spam and anti-bot protection
+ gem 'recaptcha', '~> 4.11', require: 'recaptcha/rails'
+-gem 'akismet', '~> 2.0'
++gem 'akismet', '~> 3.0'
+ gem 'invisible_captcha', '~> 0.12.1'
+ 
+ # Two-factor authentication
+@@ -231,7 +231,7 @@
+ gem 'hangouts-chat', '~> 0.0.5'
+ 
+ # Asana integration
+-gem 'asana', '~> 0.8.1'
++gem 'asana', '~> 0.9'
+ 
+ # FogBugz integration
+ gem 'ruby-fogbugz', '~> 0.2.1'
+--- a/Gemfile.lock
++++ b/Gemfile.lock
+@@ -58,16 +58,16 @@
+     addressable (2.5.2)
+       public_suffix (>= 2.0.2, < 4.0)
+     aes_key_wrap (1.0.1)
+-    akismet (2.0.0)
++    akismet (3.0.0)
+     apollo_upload_server (2.0.0.beta.3)
+       graphql (>= 1.8)
+       rails (>= 4.2)
+     arel (9.0.0)
+-    asana (0.8.1)
++    asana (0.9.3)
+       faraday (~> 0.9)
+       faraday_middleware (~> 0.9)
+       faraday_middleware-multi_json (~> 0.0)
+-      oauth2 (~> 1.0)
++      oauth2 (~> 1.4)
+     asciidoctor (2.0.10)
+     asciidoctor-include-ext (0.3.1)
+       asciidoctor (>= 1.5.6, < 3.0.0)
+@@ -1117,9 +1117,9 @@
+   activerecord-explain-analyze (~> 0.1)
+   acts-as-taggable-on (~> 6.0)
+   addressable (~> 2.5.2)
+-  akismet (~> 2.0)
++  akismet (~> 3.0)
+   apollo_upload_server (~> 2.0.0.beta3)
+-  asana (~> 0.8.1)
++  asana (~> 0.9)
+   asciidoctor (~> 2.0.10)
+   asciidoctor-include-ext (~> 0.3.1)
+   asciidoctor-plantuml (= 0.0.10)
+--- a/VERSION
++++ b/VERSION
+@@ -1 +1 @@
+-12.5.4
++12.5.6
+--- a/app/controllers/profiles/notifications_controller.rb
++++ b/app/controllers/profiles/notifications_controller.rb
+@@ -11,6 +11,7 @@
+       exclude_group_ids: @group_notifications.select(:source_id)
+     ).execute.map { |group| current_user.notification_settings_for(group, inherit: true) }
+     @project_notifications = current_user.notification_settings.for_projects.order(:id)
++                             .select { |notification| current_user.can?(:read_project, notification.source) }
+     @global_notification_setting = current_user.global_notification_setting
+   end
+   # rubocop: enable CodeReuse/ActiveRecord
+--- a/app/helpers/notifications_helper.rb
++++ b/app/helpers/notifications_helper.rb
+@@ -116,4 +116,8 @@
+   def show_unsubscribe_title?(noteable)
+     can?(current_user, "read_#{noteable.to_ability_name}".to_sym, noteable)
+   end
++
++  def can_read_project?(project)
++    can?(current_user, :read_project, project)
++  end
+ end
+--- a/app/models/ci/build.rb
++++ b/app/models/ci/build.rb
+@@ -53,7 +53,7 @@
+ 
+     has_one :runner_session, class_name: 'Ci::BuildRunnerSession', validate: true, inverse_of: :build
+ 
+-    accepts_nested_attributes_for :runner_session
++    accepts_nested_attributes_for :runner_session, update_only: true
+     accepts_nested_attributes_for :job_variables
+ 
+     delegate :url, to: :runner_session, prefix: true, allow_nil: true
+--- a/app/models/project_services/asana_service.rb
++++ b/app/models/project_services/asana_service.rb
+@@ -81,12 +81,12 @@
+   def check_commit(message, push_msg)
+     # matches either:
+     # - #1234
+-    # - https://app.asana.com/0/0/1234
++    # - https://app.asana.com/0/{project_gid}/{task_gid}
+     # optionally preceded with:
+     # - fix/ed/es/ing
+     # - close/s/d
+     # - closing
+-    issue_finder = %r{(fix\w*|clos[ei]\w*+)?\W*(?:https://app\.asana\.com/\d+/\d+/(\d+)|#(\d+))}i
++    issue_finder = %r{(fix\w*|clos[ei]\w*+)?\W*(?:https://app\.asana\.com/\d+/\w+/(\w+)|#(\w+))}i
+ 
+     message.scan(issue_finder).each do |tuple|
+       # tuple will be
+@@ -94,7 +94,7 @@
+       taskid = tuple[2] || tuple[1]
+ 
+       begin
+-        task = Asana::Task.find_by_id(client, taskid)
++        task = Asana::Resources::Task.find_by_id(client, taskid)
+         task.add_comment(text: "#{push_msg} #{message}")
+ 
+         if tuple[0]
+--- a/app/models/user.rb
++++ b/app/models/user.rb
+@@ -1307,7 +1307,7 @@
+         .select('ci_runners.*')
+ 
+       group_runners = Ci::RunnerNamespace
+-        .where(namespace_id: owned_or_maintainers_groups.select(:id))
++        .where(namespace_id: owned_groups.select(:id))
+         .joins(:runner)
+         .select('ci_runners.*')
+ 
+--- a/app/views/sent_notifications/unsubscribe.html.haml
++++ b/app/views/sent_notifications/unsubscribe.html.haml
+@@ -1,13 +1,16 @@
+ - noteable = @sent_notification.noteable
+ - noteable_type = @sent_notification.noteable_type.titleize.downcase
+ - noteable_text = show_unsubscribe_title?(noteable) ? %(#{noteable.title} (#{noteable.to_reference})) : %(#{noteable.to_reference})
+-- page_title _("Unsubscribe"), noteable_text, noteable_type.pluralize, @sent_notification.project.full_name
++- show_project_path = can_read_project?(@sent_notification.project)
++- project_path = show_project_path ? @sent_notification.project.full_name : _("GitLab / Unsubscribe")
++- noteable_url = show_project_path ? url_for([@sent_notification.project.namespace.becomes(Namespace), @sent_notification.project, noteable]) : breadcrumb_title_link
++- page_title _('Unsubscribe'), noteable_text, noteable_type.pluralize, project_path
+ 
+ %h3.page-title
+   = _("Unsubscribe from %{type}") % { type: noteable_type }
+ 
+ %p
+-  - link_to_noteable_text = link_to(noteable_text, url_for([@sent_notification.project.namespace.becomes(Namespace), @sent_notification.project, noteable]))
++  - link_to_noteable_text = link_to(noteable_text, noteable_url)
+   = _("Are you sure you want to unsubscribe from the %{type}: %{link_to_noteable_text}?").html_safe % { type: noteable_type, link_to_noteable_text: link_to_noteable_text }
+ 
+ %p
+--- a/config/initializers/graphql.rb
++++ b/config/initializers/graphql.rb
+@@ -5,3 +5,7 @@
+ 
+ GraphQL::Schema::Object.accepts_definition(:authorize)
+ GraphQL::Schema::Field.accepts_definition(:authorize)
++
++GitlabSchema.middleware << GraphQL::Schema::TimeoutMiddleware.new(max_seconds: ENV.fetch('GITLAB_RAILS_GRAPHQL_TIMEOUT', 30).to_i) do |timeout_error, query|
++  Gitlab::GraphqlLogger.error(message: timeout_error.to_s, query: query.query_string, query_variables: query.provided_variables)
++end
+--- a/lib/banzai/filter/relative_link_filter.rb
++++ b/lib/banzai/filter/relative_link_filter.rb
+@@ -116,7 +116,7 @@
+       end
+ 
+       def process_link_to_upload_attr(html_attr)
+-        path_parts = [Addressable::URI.unescape(html_attr.value)]
++        path_parts = [unescape_and_scrub_uri(html_attr.value)]
+ 
+         if project
+           path_parts.unshift(relative_url_root, project.full_path)
+@@ -172,7 +172,7 @@
+       end
+ 
+       def cleaned_file_path(uri)
+-        Addressable::URI.unescape(uri.path).scrub.delete("\0").chomp("/")
++        unescape_and_scrub_uri(uri.path).delete("\0").chomp("/")
+       end
+ 
+       def relative_file_path(uri)
+@@ -184,7 +184,7 @@
+       def request_path
+         return unless context[:requested_path]
+ 
+-        Addressable::URI.unescape(context[:requested_path]).chomp("/")
++        unescape_and_scrub_uri(context[:requested_path]).chomp("/")
+       end
+ 
+       # Convert a relative path into its correct location based on the currently
+@@ -266,6 +266,12 @@
+       def repository
+         @repository ||= project&.repository
+       end
++
++      private
++
++      def unescape_and_scrub_uri(uri)
++        Addressable::URI.unescape(uri).scrub
++      end
+     end
+   end
+ end
+--- a/locale/gitlab.pot
++++ b/locale/gitlab.pot
+@@ -8193,6 +8193,9 @@
+ msgid "GitHub import"
+ msgstr ""
+ 
++msgid "GitLab / Unsubscribe"
++msgstr ""
++
+ msgid "GitLab CI Linter has been moved"
+ msgstr ""
+ 
+--- a/qa/Dockerfile
++++ b/qa/Dockerfile
+@@ -11,7 +11,7 @@
+ # Update APT sources and install some dependencies
+ #
+ RUN sed -i "s/httpredir.debian.org/ftp.us.debian.org/" /etc/apt/sources.list
+-RUN apt-get update && apt-get install -y wget unzip xvfb
++RUN apt-get update && apt-get install -y wget unzip xvfb lsb-release
+ 
+ ##
+ # Install some packages from backports
+--- a/spec/controllers/profiles/notifications_controller_spec.rb
++++ b/spec/controllers/profiles/notifications_controller_spec.rb
+@@ -52,6 +52,35 @@
+         end.to exceed_query_limit(control)
+       end
+     end
++
++    context 'with project notifications' do
++      let!(:notification_setting) { create(:notification_setting, source: project, user: user, level: :watch) }
++
++      before do
++        sign_in(user)
++        get :show
++      end
++
++      context 'when project is public' do
++        let(:project) { create(:project, :public) }
++
++        it 'shows notification setting for project' do
++          expect(assigns(:project_notifications).map(&:source_id)).to include(project.id)
++        end
++      end
++
++      context 'when project is public' do
++        let(:project) { create(:project, :private) }
++
++        it 'shows notification setting for project' do
++          # notification settings for given project were created before project was set to private
++          expect(user.notification_settings.for_projects.map(&:source_id)).to include(project.id)
++
++          # check that notification settings for project where user does not have access are filtered
++          expect(assigns(:project_notifications)).to be_empty
++        end
++      end
++    end
+   end
+ 
+   describe 'POST update' do
+--- a/spec/controllers/sent_notifications_controller_spec.rb
++++ b/spec/controllers/sent_notifications_controller_spec.rb
+@@ -56,7 +56,7 @@
+           get(:unsubscribe, params: { id: sent_notification.reply_key })
+         end
+ 
+-        shared_examples 'unsubscribing as anonymous' do
++        shared_examples 'unsubscribing as anonymous' do |project_visibility|
+           it 'does not unsubscribe the user' do
+             expect(noteable.subscribed?(user, target_project)).to be_truthy
+           end
+@@ -69,6 +69,18 @@
+             expect(response.status).to eq(200)
+             expect(response).to render_template :unsubscribe
+           end
++
++          if project_visibility == :private
++            it 'does not show project name or path' do
++              expect(response.body).not_to include(noteable.project.name)
++              expect(response.body).not_to include(noteable.project.full_name)
++            end
++          else
++            it 'shows project name or path' do
++              expect(response.body).to include(noteable.project.name)
++              expect(response.body).to include(noteable.project.full_name)
++            end
++          end
+         end
+ 
+         context 'when project is public' do
+@@ -79,7 +91,7 @@
+               expect(response.body).to include(issue.title)
+             end
+ 
+-            it_behaves_like 'unsubscribing as anonymous'
++            it_behaves_like 'unsubscribing as anonymous', :public
+           end
+ 
+           context 'when unsubscribing from confidential issue' do
+@@ -90,7 +102,7 @@
+               expect(response.body).to include(confidential_issue.to_reference)
+             end
+ 
+-            it_behaves_like 'unsubscribing as anonymous'
++            it_behaves_like 'unsubscribing as anonymous', :public
+           end
+ 
+           context 'when unsubscribing from merge request' do
+@@ -100,7 +112,12 @@
+               expect(response.body).to include(merge_request.title)
+             end
+ 
+-            it_behaves_like 'unsubscribing as anonymous'
++            it 'shows project name or path' do
++              expect(response.body).to include(issue.project.name)
++              expect(response.body).to include(issue.project.full_name)
++            end
++
++            it_behaves_like 'unsubscribing as anonymous', :public
+           end
+         end
+ 
+@@ -110,11 +127,11 @@
+           context 'when unsubscribing from issue' do
+             let(:noteable) { issue }
+ 
+-            it 'shows issue title' do
++            it 'does not show issue title' do
+               expect(response.body).not_to include(issue.title)
+             end
+ 
+-            it_behaves_like 'unsubscribing as anonymous'
++            it_behaves_like 'unsubscribing as anonymous', :private
+           end
+ 
+           context 'when unsubscribing from confidential issue' do
+@@ -125,17 +142,17 @@
+               expect(response.body).to include(confidential_issue.to_reference)
+             end
+ 
+-            it_behaves_like 'unsubscribing as anonymous'
++            it_behaves_like 'unsubscribing as anonymous', :private
+           end
+ 
+           context 'when unsubscribing from merge request' do
+             let(:noteable) { merge_request }
+ 
+-            it 'shows merge request title' do
++            it 'dos not show merge request title' do
+               expect(response.body).not_to include(merge_request.title)
+             end
+ 
+-            it_behaves_like 'unsubscribing as anonymous'
++            it_behaves_like 'unsubscribing as anonymous', :private
+           end
+         end
+       end
+--- a/spec/features/merge_request/user_suggests_changes_on_diff_spec.rb
++++ b/spec/features/merge_request/user_suggests_changes_on_diff_spec.rb
+@@ -139,6 +139,10 @@
+       # Making sure it's not a Front-end cache.
+       visit(diffs_project_merge_request_path(project, merge_request))
+ 
++      page.within '.line-resolve-all-container' do
++        page.find('.discussion-next-btn').click
++      end
++
+       expect_appliable_suggestions(2)
+ 
+       page.within("[id='#{hash}']") do
+--- a/spec/lib/banzai/filter/relative_link_filter_spec.rb
++++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb
+@@ -124,6 +124,15 @@
+     expect { filter(act) }.not_to raise_error
+   end
+ 
++  it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in uploads' do
++    act = link("/uploads/%FF")
++    expect { filter(act) }.not_to raise_error
++  end
++
++  it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in context requested path' do
++    expect { filter(link("files/test.md"), requested_path: '%FF') }.not_to raise_error
++  end
++
+   it 'does not raise an exception with a garbled path' do
+     act = link("open(/var/tmp/):%20/location%0Afrom:%20/test")
+     expect { filter(act) }.not_to raise_error
+--- a/spec/lib/gitlab/gitaly_client/cleanup_service_spec.rb
++++ b/spec/lib/gitlab/gitaly_client/cleanup_service_spec.rb
+@@ -9,6 +9,10 @@
+   let(:client) { described_class.new(project.repository) }
+ 
+   describe '#apply_bfg_object_map_stream' do
++    before do
++      ::Gitlab::GitalyClient.clear_stubs!
++    end
++
+     it 'sends an apply_bfg_object_map_stream message' do
+       expect_any_instance_of(Gitaly::CleanupService::Stub)
+         .to receive(:apply_bfg_object_map_stream)
+--- a/spec/models/ci/build_runner_session_spec.rb
++++ b/spec/models/ci/build_runner_session_spec.rb
+@@ -4,6 +4,7 @@
+ 
+ describe Ci::BuildRunnerSession, model: true do
+   let!(:build) { create(:ci_build, :with_runner_session) }
++  let(:url) { 'https://new.example.com' }
+ 
+   subject { build.runner_session }
+ 
+@@ -12,6 +13,25 @@
+   it { is_expected.to validate_presence_of(:build) }
+   it { is_expected.to validate_presence_of(:url).with_message('must be a valid URL') }
+ 
++  context 'nested attribute assignment' do
++    it 'creates a new session' do
++      simple_build = create(:ci_build)
++      simple_build.runner_session_attributes = { url: url }
++      simple_build.save!
++
++      session = simple_build.reload.runner_session
++      expect(session).to be_a(Ci::BuildRunnerSession)
++      expect(session.url).to eq(url)
++    end
++
++    it 'updates session with new attributes' do
++      build.runner_session_attributes = { url: url }
++      build.save!
++
++      expect(build.reload.runner_session.url).to eq(url)
++    end
++  end
++
+   describe '#terminal_specification' do
+     let(:specification) { subject.terminal_specification }
+ 
+--- a/spec/models/project_services/asana_service_spec.rb
++++ b/spec/models/project_services/asana_service_spec.rb
+@@ -21,6 +21,7 @@
+   describe 'Execute' do
+     let(:user) { create(:user) }
+     let(:project) { create(:project) }
++    let(:gid) { "123456789ABCD" }
+ 
+     def create_data_for_commits(*messages)
+       {
+@@ -48,32 +49,32 @@
+     end
+ 
+     it 'calls Asana service to create a story' do
+-      data = create_data_for_commits('Message from commit. related to #123456')
++      data = create_data_for_commits("Message from commit. related to ##{gid}")
+       expected_message = "#{data[:user_name]} pushed to branch #{data[:ref]} of #{project.full_name} ( #{data[:commits][0][:url]} ): #{data[:commits][0][:message]}"
+ 
+-      d1 = double('Asana::Task')
++      d1 = double('Asana::Resources::Task')
+       expect(d1).to receive(:add_comment).with(text: expected_message)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '123456').once.and_return(d1)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, gid).once.and_return(d1)
+ 
+       @asana.execute(data)
+     end
+ 
+     it 'calls Asana service to create a story and close a task' do
+       data = create_data_for_commits('fix #456789')
+-      d1 = double('Asana::Task')
++      d1 = double('Asana::Resources::Task')
+       expect(d1).to receive(:add_comment)
+       expect(d1).to receive(:update).with(completed: true)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '456789').once.and_return(d1)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, '456789').once.and_return(d1)
+ 
+       @asana.execute(data)
+     end
+ 
+     it 'is able to close via url' do
+       data = create_data_for_commits('closes https://app.asana.com/19292/956299/42')
+-      d1 = double('Asana::Task')
++      d1 = double('Asana::Resources::Task')
+       expect(d1).to receive(:add_comment)
+       expect(d1).to receive(:update).with(completed: true)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '42').once.and_return(d1)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, '42').once.and_return(d1)
+ 
+       @asana.execute(data)
+     end
+@@ -84,28 +85,28 @@
+       ref https://app.asana.com/19292/956299/42 and closing https://app.asana.com/19292/956299/12
+       EOF
+       data = create_data_for_commits(message)
+-      d1 = double('Asana::Task')
++      d1 = double('Asana::Resources::Task')
+       expect(d1).to receive(:add_comment)
+       expect(d1).to receive(:update).with(completed: true)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '123').once.and_return(d1)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, '123').once.and_return(d1)
+ 
+-      d2 = double('Asana::Task')
++      d2 = double('Asana::Resources::Task')
+       expect(d2).to receive(:add_comment)
+       expect(d2).to receive(:update).with(completed: true)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '456').once.and_return(d2)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, '456').once.and_return(d2)
+ 
+-      d3 = double('Asana::Task')
++      d3 = double('Asana::Resources::Task')
+       expect(d3).to receive(:add_comment)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '789').once.and_return(d3)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, '789').once.and_return(d3)
+ 
+-      d4 = double('Asana::Task')
++      d4 = double('Asana::Resources::Task')
+       expect(d4).to receive(:add_comment)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '42').once.and_return(d4)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, '42').once.and_return(d4)
+ 
+-      d5 = double('Asana::Task')
++      d5 = double('Asana::Resources::Task')
+       expect(d5).to receive(:add_comment)
+       expect(d5).to receive(:update).with(completed: true)
+-      expect(Asana::Task).to receive(:find_by_id).with(anything, '12').once.and_return(d5)
++      expect(Asana::Resources::Task).to receive(:find_by_id).with(anything, '12').once.and_return(d5)
+ 
+       @asana.execute(data)
+     end
+--- a/spec/models/user_spec.rb
++++ b/spec/models/user_spec.rb
+@@ -2533,8 +2533,8 @@
+           add_user(:maintainer)
+         end
+ 
+-        it 'loads' do
+-          expect(user.ci_owned_runners).to contain_exactly(runner)
++        it 'does not load' do
++          expect(user.ci_owned_runners).to be_empty
+         end
+       end
+ 
+@@ -2549,6 +2549,20 @@
+       end
+     end
+ 
++    shared_examples :group_member do
++      context 'when the user is owner' do
++        before do
++          add_user(:owner)
++        end
++
++        it 'loads' do
++          expect(user.ci_owned_runners).to contain_exactly(runner)
++        end
++      end
++
++      it_behaves_like :member
++    end
++
+     context 'with groups projects runners' do
+       let(:group) { create(:group) }
+       let!(:project) { create(:project, group: group) }
+@@ -2557,7 +2571,7 @@
+         group.add_user(user, access)
+       end
+ 
+-      it_behaves_like :member
++      it_behaves_like :group_member
+     end
+ 
+     context 'with groups runners' do
+@@ -2568,14 +2582,14 @@
+         group.add_user(user, access)
+       end
+ 
+-      it_behaves_like :member
++      it_behaves_like :group_member
+     end
+ 
+     context 'with other projects runners' do
+       let!(:project) { create(:project) }
+ 
+       def add_user(access)
+-        project.add_role(user, access)
++        project.add_user(user, access)
+       end
+ 
+       it_behaves_like :member
+@@ -2593,7 +2607,7 @@
+         subgroup.add_user(another_user, :owner)
+       end
+ 
+-      it_behaves_like :member
++      it_behaves_like :group_member
+     end
+   end
+ 
+--- a/spec/requests/api/graphql/gitlab_schema_spec.rb
++++ b/spec/requests/api/graphql/gitlab_schema_spec.rb
+@@ -8,6 +8,18 @@
+   set(:project) { create(:project) }
+ 
+   shared_examples 'imposing query limits' do
++    describe 'timeouts' do
++      context 'when timeout is reached' do
++        it 'shows an error' do
++          Timecop.scale(50000000) do # ludicrously large number because the timeout has to happen before the query even begins
++            subject
++
++            expect_graphql_errors_to_include /Timeout/
++          end
++        end
++      end
++    end
++
+     describe '#max_complexity' do
+       context 'when complexity is too high' do
+         it 'shows an error' do
+--- a/spec/requests/api/runners_spec.rb
++++ b/spec/requests/api/runners_spec.rb
+@@ -6,6 +6,7 @@
+   let(:admin) { create(:user, :admin) }
+   let(:user) { create(:user) }
+   let(:user2) { create(:user) }
++  let(:group_maintainer) { create(:user) }
+ 
+   let(:project) { create(:project, creator_id: user.id) }
+   let(:project2) { create(:project, creator_id: user.id) }
+@@ -20,6 +21,7 @@
+ 
+   before do
+     # Set project access for users
++    create(:group_member, :maintainer, user: group_maintainer, group: group)
+     create(:project_member, :maintainer, user: user, project: project)
+     create(:project_member, :maintainer, user: user, project: project2)
+     create(:project_member, :reporter, user: user2, project: project)
+@@ -525,6 +527,20 @@
+           end.to change { Ci::Runner.project_type.count }.by(-1)
+         end
+ 
++        it 'does not delete group runner with maintainer access' do
++          delete api("/runners/#{group_runner.id}", group_maintainer)
++
++          expect(response).to have_http_status(403)
++        end
++
++        it 'deletes group runner with owner access' do
++          expect do
++            delete api("/runners/#{group_runner.id}", user)
++
++            expect(response).to have_http_status(204)
++          end.to change { Ci::Runner.group_type.count }.by(-1)
++        end
++
+         it_behaves_like '412 response' do
+           let(:request) { api("/runners/#{project_runner.id}", user) }
+         end

debian/patches/series

@@ -33,3 +33,4 @@
 0750-fix-relative-paths.patch
 0760-bump-rubyzip.patch
 0770-bump-node-d3.patch
+gitlab-v12.5.4..v12.5.6.diff

debian/rules

@@ -7,6 +7,7 @@ include /usr/share/dpkg/pkg-info.mk
 
 override_dh_install:
 	dh_install -XLICENSE
+	dh_installexamples
 	# Make sure we are installing all required files in debian/install
 	sh debian/upstream-file-count-check.sh
 	rm -rf debian/gitlab/usr/share/gitlab/tmp/*