Update CHANGELOG.md for 12.9.1

[ci skip]

18 files changed, 26 insertions, 85 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf9105114c0..f5d55efc24a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,32 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 12.9.1 (2020-03-26)
+
+### Security (16 changes)
+
+- Add permission check for pipeline status of MR.
+- Ignore empty remote_id params from Workhorse accelerated uploads.
+- External user can not create personal snippet through API.
+- Prevent malicious entry for group name.
+- Restrict mirroring changes to admins only when mirroring is disabled.
+- Reject all container registry requests from blocked users.
+- Deny localhost requests on fogbugz importer.
+- Redact notes in moved confidential issues.
+- Fix UploadRewriter Path Traversal vulnerability.
+- Block hotlinking to repository archives.
+- Restrict access to project pipeline metrics reports.
+- vulnerability_feedback records should be restricted to a dev role and above.
+- Exclude Carrierwave remote URL methods from import.
+- Update Nokogiri to fix CVE-2020-7595.
+- Prevent updating trigger by other maintainers.
+- Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown.
+
+### Fixed (1 change)
+
+- Fix updating the authorized_keys file. !27798
+
+
 ## 12.9.0 (2020-03-22)
 
 ### Security (1 change)
diff --git a/changelogs/unreleased/212178-fix-authorized-keys-worker.yml b/changelogs/unreleased/212178-fix-authorized-keys-worker.yml
deleted file mode 100644
index a95f2e0e71a..00000000000
--- a/changelogs/unreleased/212178-fix-authorized-keys-worker.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix updating the authorized_keys file
-merge_request: 27798
-author:
-type: fixed
diff --git a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml b/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
deleted file mode 100644
index 54ee6ac9048..00000000000
--- a/changelogs/unreleased/security-120026-redact-notes-in-moved-confidential-issues.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Redact notes in moved confidential issues
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml b/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
deleted file mode 100644
index c871e1615e0..00000000000
--- a/changelogs/unreleased/security-193100-ignore-duplicate-multipart-params.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ignore empty remote_id params from Workhorse accelerated uploads
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml b/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
deleted file mode 100644
index 135fdfe7153..00000000000
--- a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: External user can not create personal snippet through API
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-backend-xss-admin-email.yml b/changelogs/unreleased/security-backend-xss-admin-email.yml
deleted file mode 100644
index 82f97cd719a..00000000000
--- a/changelogs/unreleased/security-backend-xss-admin-email.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent malicious entry for group name
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-disable-mirroring-fix.yml b/changelogs/unreleased/security-disable-mirroring-fix.yml
deleted file mode 100644
index 1b0a6a87515..00000000000
--- a/changelogs/unreleased/security-disable-mirroring-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict mirroring changes to admins only when mirroring is disabled
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-docker-blocked-users.yml b/changelogs/unreleased/security-docker-blocked-users.yml
deleted file mode 100644
index 6e34506e7fd..00000000000
--- a/changelogs/unreleased/security-docker-blocked-users.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Reject all container registry requests from blocked users
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml b/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
deleted file mode 100644
index ecc05470717..00000000000
--- a/changelogs/unreleased/security-fogbugz-importer-deny-localhost-requests.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deny localhost requests on fogbugz importer
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml b/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
deleted file mode 100644
index 598804bd0a7..00000000000
--- a/changelogs/unreleased/security-mr-pipeline-status-permission-check.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Add permission check for pipeline status of MR
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-path-traversal-master.yml b/changelogs/unreleased/security-path-traversal-master.yml
deleted file mode 100644
index d5e269823ea..00000000000
--- a/changelogs/unreleased/security-path-traversal-master.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix UploadRewriter Path Traversal vulnerability
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-repository-archive-hotlinking.yml b/changelogs/unreleased/security-repository-archive-hotlinking.yml
deleted file mode 100644
index cf87ea488f0..00000000000
--- a/changelogs/unreleased/security-repository-archive-hotlinking.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Block hotlinking to repository archives
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml b/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
deleted file mode 100644
index 20c24aa6bdf..00000000000
--- a/changelogs/unreleased/security-restrict-project-pipeline-metrics.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Restrict access to project pipeline metrics reports
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml b/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
deleted file mode 100644
index 5de5fc761fd..00000000000
--- a/changelogs/unreleased/security-rf-vulnerability-metadata-fix.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: vulnerability_feedback records should be restricted to a dev role and above
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-ssrf-attachment-url.yml b/changelogs/unreleased/security-ssrf-attachment-url.yml
deleted file mode 100644
index bb5e3e54574..00000000000
--- a/changelogs/unreleased/security-ssrf-attachment-url.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exclude Carrierwave remote URL methods from import
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml b/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
deleted file mode 100644
index 58ad219f0eb..00000000000
--- a/changelogs/unreleased/security-update-nokogiri-cve-2020-7595.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Update Nokogiri to fix CVE-2020-7595
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml b/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
deleted file mode 100644
index f7bef1589a2..00000000000
--- a/changelogs/unreleased/security-updating-description-of-trigger-by-other-maintainer.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prevent updating trigger by other maintainers
-merge_request:
-author:
-type: security
diff --git a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml b/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
deleted file mode 100644
index fe31f1167eb..00000000000
--- a/changelogs/unreleased/security-xss-vulnerability-in-admin-send-email-notification.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fix XSS vulnerability in `admin/email` "Recipient Group" dropdown
-merge_request:
-author:
-type: security