Update CHANGELOG.md for 12.2.9

[ci skip]

CHANGELOG.md

@@ -2,6 +2,26 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
+## 12.2.9
+
+### Security (14 changes)
+
+- Standardize error response when route is missing.
+- Do not display project labels that are not visible for user accessing group labels.
+- Show cross-referenced label and milestones in issues' activities only to authorized users.
+- Analyze incoming GraphQL queries and check for recursion.
+- Disallow unprivileged users from commenting on private repository commits.
+- Don't allow maintainers of a target project to delete the source branch of a merge request from a fork.
+- Require Maintainer permission on group where project is transferred to.
+- Don't leak private members in project member autocomplete suggestions.
+- Return 404 on LFS request if project doesn't exist.
+- Mask sentry auth token in Error Tracking dashboard.
+- Fixes a Open Redirect issue in `InternalRedirect`.
+- Sanitize search text to prevent XSS.
+- Sanitize all wiki markup formats with GitLab sanitization pipelines.
+- Fix stored XSS issue for grafana_url.
+
+
 ## 12.2.8
 - No changes.

changelogs/unreleased/29986-remove-leaky-401-responses.yml

----
-title: Standardize error response when route is missing
-merge_request:
-author:
-type: security

changelogs/unreleased/security-2914-labels-visible-despite-no-access-to-issues-repositories.yml

----
-title: Do not display project labels that are not visible for user accessing group labels
-merge_request:
-author:
-type: security

changelogs/unreleased/security-2920-fix-notes-with-label-cross-reference.yml

----
-title: Show cross-referenced label and milestones in issues' activities only to authorized users
-merge_request:
-author:
-type: security

changelogs/unreleased/security-64519-nested-graphql-query-can-cause-denial-of-service.yml

----
-title: Analyze incoming GraphQL queries and check for recursion
-merge_request:
-author:
-type: security

changelogs/unreleased/security-65756-ex-admin-attacker-can-comment-in-internal.yml

----
-title: Disallow unprivileged users from commenting on private repository commits
-merge_request:
-author:
-type: security

changelogs/unreleased/security-bvl-validate-force-remove-branch-on-mrs.yml

----
-title: Don't allow maintainers of a target project to delete the source branch of
-  a merge request from a fork
-merge_request:
-author:
-type: security

changelogs/unreleased/security-developer-transfer-project.yml

----
-title: Require Maintainer permission on group where project is transferred to
-merge_request:
-author:
-type: security

changelogs/unreleased/security-hide-private-members-in-project-member-autocomplete.yml

----
-title: "Don't leak private members in project member autocomplete suggestions"
-type: security

changelogs/unreleased/security-id-fix-disclosure-of-private-repo-names.yml

----
-title: Return 404 on LFS request if project doesn't exist
-merge_request:
-author:
-type: security

changelogs/unreleased/security-mask-sentry-token-ce.yml

----
-title: Mask sentry auth token in Error Tracking dashboard
-author:
-type: security

changelogs/unreleased/security-open-redirect-internalredirect-12-2.yml

----
-title: Fixes a Open Redirect issue in `InternalRedirect`.
-merge_request:
-author:
-type: security

changelogs/unreleased/security-stored-xss-using-find-file.yml

----
-title: Sanitize search text to prevent XSS
-merge_request:
-author:
-type: security

changelogs/unreleased/security-wiki-rdoc-content.yml

----
-title: Sanitize all wiki markup formats with GitLab sanitization pipelines
-merge_request:
-author:
-type: security

changelogs/unreleased/security-xss-grafana-url-12-4.yml

----
-title: Fix stored XSS issue for grafana_url
-merge_request:
-author:
-type: security