Update CHANGELOG.md for 13.9.2-ee

[ci skip]

CHANGELOG.md

@@ -2,6 +2,18 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 13.9.2 (2021-03-04)
+
+### Security (6 changes)
+
+- Bump thrift gem to 0.14.0.
+- Allow only owners to manage group variables.
+- Do not store marshalled sessions ids in Redis.
+- Fix XSS in wiki author email and name.
+- Workhorse: prevent escaped router path traversal.
+- Fix XSS vulnerability for swagger file viewer.
+
+
 ## 13.9.1 (2021-02-23)
 
 ### Fixed (6 changes, 1 of them is from the community)

changelogs/unreleased/security-bvl-update-thrift-gem.yml

----
-title: Bump thrift gem to 0.14.0
-merge_request:
-author:
-type: security

changelogs/unreleased/security-ci-api-variables-permissions.yml

----
-title: Allow only owners to manage group variables
-merge_request:
-author:
-type: security

changelogs/unreleased/security-clean-up-active-sessions.yml

----
-title: Do not store marshalled sessions ids in Redis
-merge_request:
-author:
-type: security

changelogs/unreleased/security-fj-fix-xss-wiki-email.yml

----
-title: Fix XSS in wiki author email and name
-merge_request:
-author:
-type: security

changelogs/unreleased/security-upgrade-swagger-ui.yml

----
-title: Fix XSS vulnerability for swagger file viewer
-merge_request:
-author:
-type: security