This MR should be created on `gitlab.com/gitlab-org/security/gitlab`.
See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md).
See [the general developer security release guidelines](https://gitlab.com/gitlab-org/release/docs/blob/master/general/security/developer.md).
This merge request _must not_ close the corresponding security issue _unless_ it
targets master.
When submitting a merge request for CE, a corresponding EE merge request is
always required. This makes it easier to merge security merge requests, as
manually merging CE into EE is no longer required.
-->
-->
## Related issues
## Related issues
<!-- Mention the issue(s) this MR is related to -->
<!-- Mention the GitLab Security issue this MR is related to -->
## Developer checklist
## Developer checklist
- [ ] Link to the developer security workflow issue on `dev.gitlab.org`
- [ ] **Make sure this merge request mentions the [GitLab Security] issue it belongs to (i.e. `Related to <issue_id>`).**
- [ ] MR targets `master`, or `X-Y-stable` for backports
- [ ] Merge request targets `master`, or `X-Y-stable` for backports.
- [ ] Milestone is set for the version this MR applies to
- [ ] Milestone is set for the version this merge request applies to. A closed milestone can be assigned via [quick actions].
- [ ] Title of this MR is the same as for all backports
- [ ] Title of this merge request is the same as for all backports.
-[ ] A [CHANGELOG entry](https://docs.gitlab.com/ee/development/changelog.html) is added without a `merge_request` value, with `type` set to `security`
-[ ] A [CHANGELOG entry](https://docs.gitlab.com/ee/development/changelog.html) is added without a `merge_request` value, with `type` set to `security`
- [ ] Add a link to this MR in the `links` section of related issue
- [ ] Assign to a reviewer and maintainer, per our [Code Review process].
- [ ] Set up an EE MR (always required for CE merge requests): EE_MR_LINK_HERE
- [ ] For the MR targeting `master`:
- [ ] Assign to a reviewer (that is not a release manager)
- [ ] Ping appsec team member who created the issue and ask for a non-blocking review with `Please review this MR`.
- [ ] Ensure it's approved according to our [Approval Guidelines].
- [ ] Merge request _must not_ close the corresponding security issue, _unless_ it targets `master`.
## Reviewer checklist
**Note:** Reviewer/maintainer should not be a Release Manager
## Maintainer checklist
- [ ] Correct milestone is applied and the title is matching across all backports
- [ ] Correct milestone is applied and the title is matching across all backports
- [ ] Assigned to `@gitlab-release-tools-bot` with passing CI pipelines
- [ ] Assigned to `@gitlab-release-tools-bot` with passing CI pipelines