gitlab.com/gitlab-org/gitlab-foss.git
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-01-30 02:35:32 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-01-30 02:35:32 +0300
commit: 5447f75a1b92f86fb4f1fa6790f0dfcf7485fb52 (patch)
tree: 22c42bf19566ca908f43943bfa9846de2bddc2c4
parent: 8c73f4cfd6c670bf6e6022999d150ae24fd1253f (diff)
Update CHANGELOG.md for 11.6.7
[ci skip]
-rw-r--r-- CHANGELOG.md 34
-rw-r--r-- changelogs/unreleased/11-6-security-stored-xss-via-katex.yml 5
-rw-r--r-- changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml 5
-rw-r--r-- changelogs/unreleased/extract-pages-with-rubyzip.yml 5
-rw-r--r-- changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml 6
-rw-r--r-- changelogs/unreleased/security-11-6-test-permissions.yml 5
-rw-r--r-- changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml 5
-rw-r--r-- changelogs/unreleased/security-2769-idn-homograph-attack.yml 5
-rw-r--r-- changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml 5
-rw-r--r-- changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml 5
-rw-r--r-- changelogs/unreleased/security-2780-disable-git-v2-protocol.yml 5
-rw-r--r-- changelogs/unreleased/security-commit-status-shown-for-guest-user.yml 5
-rw-r--r-- changelogs/unreleased/security-contributed-projects.yml 5
-rw-r--r-- changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-new-issues-login-message.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-regex-dos.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-user-email-tag-push-leak.yml 5
-rw-r--r-- changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml 5
-rw-r--r-- changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml 6
-rw-r--r-- changelogs/unreleased/security-import-path-logging.yml 5
-rw-r--r-- changelogs/unreleased/security-import-project-visibility.yml 5
-rw-r--r-- changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml 5
-rw-r--r-- changelogs/unreleased/security-project-move-users.yml 5
-rw-r--r-- changelogs/unreleased/sh-fix-issue-56663-11-6.yml 5
-rw-r--r-- changelogs/unreleased/sh-fix-pages-zip-constant.yml 5
26 files changed, 34 insertions, 127 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6887efe55bc..7243bc5e7bb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,40 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
+## 11.6.7 (2019-01-29)
+
+### Security (24 changes, 1 of them is from the community)
+
+- Make potentially malicious links more visible in the UI and scrub RTLO chars from links. !2770
+- Don't process MR refs for guests in the notes. !2771
+- Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs. !2829
+- Fixed XSS content in KaTex links.
+- Disallows unauthorized users from accessing the pipelines section.
+- Verify that LFS upload requests are genuine.
+- Bump Ruby on Rails to 4.2.11. (@blackst0ne)
+- Prevent awarding emojis to notes whose parent is not visible to user.
+- Prevent unauthorized replies when discussion is locked or confidential.
+- Disable git v2 protocol temporarily.
+- Fix showing ci status for guest users when public pipline are not set.
+- Fix contributed projects info still visible when user enable private profile.
+- Extract GitLab Pages using RubyZip.
+- Add more LFS validations to prevent forgery.
+- Use common error for unauthenticated users when creating issues.
+- Fix slow regex in project reference pattern.
+- Fix private user email being visible in push (and tag push) webhooks.
+- Fix wiki access rights when external wiki is enabled.
+- Group guests are no longer able to see merge requests they don't have access to at group level.
+- Fix path disclosure on project import error.
+- Restrict project import visibility based on its group.
+- Expose CI/CD trigger token only to the trigger owner.
+- Notify only users who can access the project on project move.
+- Alias GitHub and BitBucket OAuth2 callback URLs.
+
+### Fixed (1 change)
+
+- Fix uninitialized constant with GitLab Pages.
+
+
## 11.6.6 (2019-01-28)
- Unreleased due to quality assurance failure.
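Review bot: the new 11.6.7 block carries a few wording slips that should be fixed before the notes are published: `Fix showing ci status for guest users when public pipline are not set` should read "pipeline" (and "CI"), `Fix contributed projects info still visible when user enable private profile` should read "enables", and `Fixed XSS content in KaTex links.` should spell the library "KaTeX". The "24 changes, 1 of them is from the community" header does match the 24 security bullets and the single @blackst0ne attribution, and only three entries (!2770, !2771, !2829) carry a merge request reference, which is consistent with the empty `merge_request:` fields in the changelog files removed in this commit. The two blank lines before `## 11.6.6` could be collapsed to one to match the spacing of the rest of the file.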
diff --git a/changelogs/unreleased/11-6-security-stored-xss-via-katex.yml b/changelogs/unreleased/11-6-security-stored-xss-via-katex.yml
deleted file mode 100644
index a71ae1123f2..00000000000
--- a/changelogs/unreleased/11-6-security-stored-xss-via-katex.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixed XSS content in KaTex links
-merge_request:
-author:
-type: security
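Review bot: the title spells the library "KaTex"; the project is named KaTeX, and since this title is what gets copied into CHANGELOG.md, fixing it at the source would have kept the release notes consistent. The `merge_request:` field is also empty, so the published entry cannot be traced back to the merge request that shipped the fix.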
diff --git a/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml b/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml
deleted file mode 100644
index fc8af425779..00000000000
--- a/changelogs/unreleased/blackst0ne-bump-rails-cve-2018-16476.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Bump Ruby on Rails to 4.2.11
-merge_request:
-author: "@blackst0ne"
-type: security
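Review bot: the file name ties this bump to CVE-2018-16476, but the title only says `Bump Ruby on Rails to 4.2.11`; naming the advisory in the title would tell readers of the release notes why a Rails upgrade is listed as a security change.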
diff --git a/changelogs/unreleased/extract-pages-with-rubyzip.yml b/changelogs/unreleased/extract-pages-with-rubyzip.yml
deleted file mode 100644
index 8352e79d3e5..00000000000
--- a/changelogs/unreleased/extract-pages-with-rubyzip.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Extract GitLab Pages using RubyZip
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml b/changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml
deleted file mode 100644
index f28ab554660..00000000000
--- a/changelogs/unreleased/security-11-6-22076-sanitize-url-in-names.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Sanitize user full name to clean up any URL to prevent mail clients from auto-linking
- URLs
-merge_request: 2829
-author:
-type: security
diff --git a/changelogs/unreleased/security-11-6-test-permissions.yml b/changelogs/unreleased/security-11-6-test-permissions.yml
deleted file mode 100644
index cfb69fdcb1e..00000000000
--- a/changelogs/unreleased/security-11-6-test-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disallows unauthorized users from accessing the pipelines section.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml b/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
deleted file mode 100644
index e79e3263df7..00000000000
--- a/changelogs/unreleased/security-2767-verify-lfs-finalize-from-workhorse.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Verify that LFS upload requests are genuine
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2769-idn-homograph-attack.yml b/changelogs/unreleased/security-2769-idn-homograph-attack.yml
deleted file mode 100644
index a014b522c96..00000000000
--- a/changelogs/unreleased/security-2769-idn-homograph-attack.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Make potentially malicious links more visible in the UI and scrub RTLO chars from links
-merge_request: 2770
-author:
-type: security
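Review bot: the file name refers to an IDN homograph attack, but the title only mentions making links more visible and scrubbing RTLO characters; if the change also covers homograph (mixed-script) hostnames, the title should say so, because the title is the only text that reaches CHANGELOG.md.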
diff --git a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml b/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
deleted file mode 100644
index 3ad92578c44..00000000000
--- a/changelogs/unreleased/security-2776-fix-add-reaction-permissions.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent awarding emojis to notes whose parent is not visible to user
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml b/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
deleted file mode 100644
index 2f76064d8a4..00000000000
--- a/changelogs/unreleased/security-2779-fix-email-comment-permissions-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent unauthorized replies when discussion is locked or confidential
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml b/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
deleted file mode 100644
index 30a08a98e83..00000000000
--- a/changelogs/unreleased/security-2780-disable-git-v2-protocol.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Disable git v2 protocol temporarily
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml b/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
deleted file mode 100644
index a80170091d0..00000000000
--- a/changelogs/unreleased/security-commit-status-shown-for-guest-user.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix showing ci status for guest users when public pipline are not set
-merge_request:
-author:
-type: security
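Review bot: typo in the title: `pipline` should be `pipeline`, and `ci` is conventionally written `CI`; this text is copied verbatim into the 11.6.7 section of CHANGELOG.md in this same commit, so the typo now appears in the release notes.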
diff --git a/changelogs/unreleased/security-contributed-projects.yml b/changelogs/unreleased/security-contributed-projects.yml
deleted file mode 100644
index f745a2255ca..00000000000
--- a/changelogs/unreleased/security-contributed-projects.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix contributed projects info still visible when user enable private profile
-merge_request:
-author:
-type: security
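Review bot: grammar in the title: `when user enable private profile` should read `when a user enables a private profile`; as with the other entries, the title is copied as-is into CHANGELOG.md.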
diff --git a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml b/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
deleted file mode 100644
index 0281dde11e6..00000000000
--- a/changelogs/unreleased/security-do-not-process-mr-ref-for-guests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Don't process MR refs for guests in the notes
-merge_request: 2771
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml b/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
deleted file mode 100644
index b6315ec29d8..00000000000
--- a/changelogs/unreleased/security-fix-lfs-import-project-ssrf-forgery.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add more LFS validations to prevent forgery
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-new-issues-login-message.yml b/changelogs/unreleased/security-fix-new-issues-login-message.yml
deleted file mode 100644
index 9dabf2438c9..00000000000
--- a/changelogs/unreleased/security-fix-new-issues-login-message.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Use common error for unauthenticated users when creating issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-regex-dos.yml b/changelogs/unreleased/security-fix-regex-dos.yml
deleted file mode 100644
index b08566d2f15..00000000000
--- a/changelogs/unreleased/security-fix-regex-dos.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix slow regex in project reference pattern
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
deleted file mode 100644
index 915ea7b5216..00000000000
--- a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix private user email being visible in push (and tag push) webhooks
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml b/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
deleted file mode 100644
index d5f20b87a90..00000000000
--- a/changelogs/unreleased/security-fix-wiki-access-rights-with-external-wiki-enabled.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix wiki access rights when external wiki is enabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml b/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
deleted file mode 100644
index f5b74011829..00000000000
--- a/changelogs/unreleased/security-guests-can-see-list-of-merge-requests.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: Group guests are no longer able to see merge requests they don't have access
- to at group level
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-path-logging.yml b/changelogs/unreleased/security-import-path-logging.yml
deleted file mode 100644
index 2ba2d88d82a..00000000000
--- a/changelogs/unreleased/security-import-path-logging.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix path disclosure on project import error
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-import-project-visibility.yml b/changelogs/unreleased/security-import-project-visibility.yml
deleted file mode 100644
index 04ae172a9a1..00000000000
--- a/changelogs/unreleased/security-import-project-visibility.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict project import visibility based on its group
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml b/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
deleted file mode 100644
index 97d743eead1..00000000000
--- a/changelogs/unreleased/security-pipeline-trigger-tokens-exposure.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Expose CI/CD trigger token only to the trigger owner
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-project-move-users.yml b/changelogs/unreleased/security-project-move-users.yml
deleted file mode 100644
index 744df68651f..00000000000
--- a/changelogs/unreleased/security-project-move-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Notify only users who can access the project on project move.
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/sh-fix-issue-56663-11-6.yml b/changelogs/unreleased/sh-fix-issue-56663-11-6.yml
deleted file mode 100644
index addf327b69d..00000000000
--- a/changelogs/unreleased/sh-fix-issue-56663-11-6.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Alias GitHub and BitBucket OAuth2 callback URLs
-merge_request:
-author:
-type: security
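Review bot: `BitBucket` should be `Bitbucket` (Atlassian's capitalization of the product name); the title is carried verbatim into the release notes.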
diff --git a/changelogs/unreleased/sh-fix-pages-zip-constant.yml b/changelogs/unreleased/sh-fix-pages-zip-constant.yml
deleted file mode 100644
index fcd8aa45825..00000000000
--- a/changelogs/unreleased/sh-fix-pages-zip-constant.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix uninitialized constant with GitLab Pages
-merge_request:
-author:
-type: fixed