Update CHANGELOG.md for 11.6.1

[ci skip]

CHANGELOG.md

@@ -2,6 +2,31 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 11.6.1 (2018-12-28)
+
+### Security (15 changes)
+
+- Escape label and milestone titles to prevent XSS in GFM autocomplete. !2740
+- Prevent private snippets from being embeddable.
+- Add subresources removal to member destroy service.
+- Escape html entities in LabelReferenceFilter when no label found.
+- Allow changing group CI/CD settings only for owners.
+- Authorize before reading job information via API.
+- Prevent leaking protected variables for ambiguous refs.
+- Ensure that build token is only used when running.
+- Issuable no longer is visible to users when project can't be viewed.
+- Don't expose cross project repositories through diffs when creating merge reqeusts.
+- Fix SSRF with import_url and remote mirror url.
+- Fix persistent symlink in project import.
+- Set URL rel attribute for broken URLs.
+- Project guests no longer are able to see refs page.
+- Delete confidential todos for user when downgraded to Guest.
+
+### Other (1 change)
+
+- Fix due date test. !23845
+
+
 ## 11.6.0 (2018-12-22)
 ### Security (24 changes, 1 of them is from the community)

changelogs/unreleased/54427-label-xss.yml

----
-title: Escape html entities in LabelReferenceFilter when no label found
-merge_request:
-author:
-type: security

changelogs/unreleased/55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js.yml

----
-title: Fix due date test
-merge_request: 23845
-author:
-type: other

changelogs/unreleased/ensure-that-build-token-is-always-running.yml

----
-title: Ensure that build token is only used when running
-merge_request:
-author:
-type: security

changelogs/unreleased/fix-security-group-user-removal.yml

----
-title: Add subresources removal to member destroy service
-merge_request:
-author:
-type: security

changelogs/unreleased/security-11-6-54377-label-milestone-name-xss.yml

----
-title: Escape label and milestone titles to prevent XSS in GFM autocomplete
-merge_request: 2740
-author:
-type: security

changelogs/unreleased/security-11-6-group-cicd-settings-accessible-to-maintainer.yml

----
-title: Allow changing group CI/CD settings only for owners.
-merge_request:
-author:
-type: security

changelogs/unreleased/security-11-6-guests-jobs-api.yml

----
-title: Authorize before reading job information via API.
-merge_request:
-author:
-type: security

changelogs/unreleased/security-11-6-secret-ci-variables-exposed.yml

----
-title: Prevent leaking protected variables for ambiguous refs.
-merge_request:
-author:
-type: security

changelogs/unreleased/security-48259-private-snippet.yml

----
-title: Prevent private snippets from being embeddable
-merge_request:
-author:
-type: security

changelogs/unreleased/security-53543-user-keeps-access-to-mr-issue-when-removed-from-team.yml

----
-title: Issuable no longer is visible to users when project can't be viewed
-merge_request:
-author:
-type: security

changelogs/unreleased/security-bvl-fix-cross-project-mr-exposure.yml

----
-title: Don't expose cross project repositories through diffs when creating merge reqeusts
-merge_request:
-author:
-type: security

changelogs/unreleased/security-fix-ssrf-import-url-remote-mirror.yml

----
-title: Fix SSRF with import_url and remote mirror url
-merge_request:
-author:
-type: security

changelogs/unreleased/security-import-symlink.yml

----
-title: Fix persistent symlink in project import
-merge_request:
-author:
-type: security

changelogs/unreleased/security-master-url-rel.yml

----
-title: Set URL rel attribute for broken URLs.
-merge_request:
-author:
-type: security

changelogs/unreleased/security-refs-available-to-project-guest.yml

----
-title: Project guests no longer are able to see refs page
-merge_request:
-author:
-type: security

changelogs/unreleased/security-todos_not_redacted_for_guests.yml

----
-title: Delete confidential todos for user when downgraded to Guest
-merge_request:
-author:
-type: security