diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef2ce0ab52..7e54cb1cce 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 11.8.3 (2019-03-19)
+
+### Security (1 change)
+
+- Remove project serialization in quick actions response.
+
+
 ## 11.8.2 (2019-03-13)
 
 ### Security (1 change)
diff --git a/VERSION b/VERSION
index 95da6166f2..6cf2801b8f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-11.8.2
+11.8.3
diff --git a/app/controllers/concerns/notes_actions.rb b/app/controllers/concerns/notes_actions.rb
index 0319948a12..80b9bdc8f2 100644
--- a/app/controllers/concerns/notes_actions.rb
+++ b/app/controllers/concerns/notes_actions.rb
@@ -54,7 +54,7 @@ module NotesActions
 respond_to do |format|
 format.json do
 json = {
- commands_changes: @note.commands_changes
+ commands_changes: @note.commands_changes&.slice(:emoji_award, :time_estimate, :spend_time)
 }
 
 if @note.persisted? && return_discussion?
diff --git a/debian/changelog b/debian/changelog
index 5fd7c770a7..4f6c8aa2ca 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+gitlab (11.8.3-1) unstable; urgency=high
+
+ [ Pirate Praveen ]
+ * Set minimum version of git to 2.18
+
+ [ Sruthi Chandran ]
+ * New upstream version 11.8.3 (Closes: #925196) (Fixes: CVE-2019-9866)
+
+ -- Sruthi Chandran Fri, 22 Mar 2019 00:19:33 +0530
+
 gitlab (11.8.2-3+fto10+1) buster-fasttrack; urgency=medium
 
 * Rebuild for buster-fasttrack
diff --git a/debian/control b/debian/control
index fc8c7c3e48..8196447aaf 100644
--- a/debian/control
+++ b/debian/control
@@ -367,7 +367,7 @@ Architecture: all
 Depends: ${shlibs:Depends}, ${misc:Depends},
 ruby | ruby-interpreter,
 adduser (>= 3.34~),
- git (>= 1:2.7.3~),
+ git (>= 1:2.18~),
 ucf,
 gitlab-shell (>= 8.4.4~)
 Description: git powered software platform to collaborate on code (common)
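Review bot: The allowlist of `commands_changes` keys on the added line in `notes_actions.rb` sits inline in the controller with no explanation of why exactly these three keys are safe to return, so the next quick action that reports a change (or anyone widening the list) has nothing to go on. I would add a comment above it, `# Only expose scalar command results; other keys (e.g. target_project) hold models that were previously serialized wholesale`, and hoist the list into a frozen constant, `COMMANDS_CHANGES_KEYS = %i[emoji_award time_estimate spend_time].freeze`, used as `@note.commands_changes&.slice(*COMMANDS_CHANGES_KEYS)`, so the spec and controller share one definition. Note that `slice` with symbols silently yields `{}` if `commands_changes` is ever keyed by strings; the spec's string lookups suggest symbol keys are what get serialized, but that is worth confirming at the model. The enclosing `respond_to` block and its method begin and end outside this hunk.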
diff --git a/spec/controllers/projects/notes_controller_spec.rb b/spec/controllers/projects/notes_controller_spec.rb
index 8189257588..ec91a76038 100644
--- a/spec/controllers/projects/notes_controller_spec.rb
+++ b/spec/controllers/projects/notes_controller_spec.rb
@@ -397,6 +397,37 @@ describe Projects::NotesController do
 end
 end
 end
+
+ context 'when creating a note with quick actions' do
+ context 'with commands that return changes' do
+ let(:note_text) { "/award :thumbsup:\n/estimate 1d\n/spend 3h" }
+
+ it 'includes changes in commands_changes ' do
+ post :create, params: request_params.merge(note: { note: note_text }, format: :json)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).to include('emoji_award', 'time_estimate', 'spend_time')
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+
+ context 'with commands that do not return changes' do
+ let(:issue) { create(:issue, project: project) }
+ let(:other_project) { create(:project) }
+ let(:note_text) { "/move #{other_project.full_path}\n/title AAA" }
+
+ before do
+ other_project.add_developer(user)
+ end
+
+ it 'does not include changes in commands_changes' do
+ post :create, params: request_params.merge(note: { note: note_text }, target_type: 'issue', target_id: issue.id, format: :json)
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['commands_changes']).not_to include('target_project', 'title')
+ end
+ end
+ end
 end
 
 describe 'PUT update' do
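Review bot: The first example only asserts `include`, so it would keep passing if the controller's allowlist were widened to leak additional keys again, and its description `'includes changes in commands_changes '` carries a trailing space. Pin the exact key set instead: `expect(json_response['commands_changes'].keys).to contain_exactly('emoji_award', 'time_estimate', 'spend_time')`. The second example's `not_to include('target_project', 'title')` likewise does not say what the response should look like for `/move` and `/title`; if the slice is expected to leave an empty hash, `expect(json_response['commands_changes']).to be_empty` states that directly (worth confirming the value is `{}` rather than `null` before adopting it). The enclosing `describe 'POST create'` block starts and ends outside this hunk.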