From 74806c89ddbb952e13ec04ed910e6450f7dc0c79 Mon Sep 17 00:00:00 2001 From: Desere Crawford Date: Tue, 30 Aug 2022 10:27:59 -0500 Subject: [PATCH 1/4] adding release notes --- .../enterprise-server/3-2/18.yml | 16 +++++++++ .../enterprise-server/3-3/13.yml | 23 ++++++++++++ .../release-notes/enterprise-server/3-4/8.yml | 26 ++++++++++++++ .../release-notes/enterprise-server/3-5/5.yml | 28 +++++++++++++++ .../release-notes/enterprise-server/3-6/1.yml | 35 +++++++++++++++++++ 5 files changed, 128 insertions(+) create mode 100644 data/release-notes/enterprise-server/3-2/18.yml create mode 100644 data/release-notes/enterprise-server/3-3/13.yml create mode 100644 data/release-notes/enterprise-server/3-4/8.yml create mode 100644 data/release-notes/enterprise-server/3-5/5.yml create mode 100644 data/release-notes/enterprise-server/3-6/1.yml diff --git a/data/release-notes/enterprise-server/3-2/18.yml b/data/release-notes/enterprise-server/3-2/18.yml new file mode 100644 index 0000000000..9da92c8bb6 --- /dev/null +++ b/data/release-notes/enterprise-server/3-2/18.yml 
@@ -0,0 +1,16 @@ +date: '2022-08-30' +sections: + bugs: + - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys + - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + changes: + - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. + known_issues: + - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. + - Custom firewall rules are removed during the upgrade process. + - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. + - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters. + - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results. + - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail. 
+ - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' diff --git a/data/release-notes/enterprise-server/3-3/13.yml b/data/release-notes/enterprise-server/3-3/13.yml new file mode 100644 index 0000000000..3c53ba2012 --- /dev/null +++ b/data/release-notes/enterprise-server/3-3/13.yml 
@@ -0,0 +1,23 @@ +date: '2022-08-30' +sections: + bugs: + - Site administrators were not able to manage security products settings for repositories they had unlocked. + - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys + - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. + - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. + - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. + - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + changes: + - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. + - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). + known_issues: + - After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command. 
+ - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. + - Custom firewall rules are removed during the upgrade process. + - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. + - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters. + - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results. + - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail. + - '{% data variables.product.prodname_actions %} storage settings cannot be validated and saved in the {% data variables.enterprise.management_console %} when "Force Path Style" is selected, and must instead be configured with the `ghe-actions-precheck` command line utility.' + - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' diff --git a/data/release-notes/enterprise-server/3-4/8.yml b/data/release-notes/enterprise-server/3-4/8.yml new file mode 100644 index 0000000000..49263df7f9 --- /dev/null +++ b/data/release-notes/enterprise-server/3-4/8.yml 
@@ -0,0 +1,26 @@ +date: '2022-08-30' +sections: + bugs: + - Site administrators were not able to manage security products settings for repositories they had unlocked. + - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys + - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. + - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. + - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. + - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + changes: + - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. + - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. + - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. 
In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). + - The page at `/stafftools/users/:login/admin` contained functionality not intended for GitHub Enterprise Server. + known_issues: + - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. + - Custom firewall rules are removed during the upgrade process. + - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. + - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters. + - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results. + - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail. + - | + After registering a self-hosted runner with the `--ephemeral` parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. 
[Updated: 2022-06-17] + - After upgrading to {% data variables.product.prodname_ghe_server %} 3.4, releases may appear to be missing from repositories. This can occur when the required Elasticsearch index migrations have not successfully completed. + - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' diff --git a/data/release-notes/enterprise-server/3-5/5.yml b/data/release-notes/enterprise-server/3-5/5.yml new file mode 100644 index 0000000000..d6f74825f1 --- /dev/null +++ b/data/release-notes/enterprise-server/3-5/5.yml 
@@ -0,0 +1,28 @@ +date: '2022-08-30' +sections: + bugs: + - Site administrators were not able to manage security products settings for repositories they had unlocked. + - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys + - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. + - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. + - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. + - The top site admin bar contained a broken link to the SHA for the currently running version of the application. + - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + - The list of organizations on the fork screen would overflow its box when a user was in many organizations. + changes: + - In some cases, GitHub Advanced Security customers who skipped an upgrade to GitHub Enterprise Server 3.4 may have noticed that alerts from secret scanning were missing in the web UI and REST API. This fix recovers those impacted alerts. + - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. + - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. 
Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. + - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). + - The page at `/stafftools/users/:login/admin` contained functionality not intended for GitHub Enterprise Server. + - Cache replicas could intermittently reject some git operations on recently updated repositories. + known_issues: + - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. + - Custom firewall rules are removed during the upgrade process. + - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. + - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters. + - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. + - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. 
+ - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail. + - Actions services need to be restarted after restoring an appliance from a backup taken on a different host. + - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' diff --git a/data/release-notes/enterprise-server/3-6/1.yml b/data/release-notes/enterprise-server/3-6/1.yml new file mode 100644 index 0000000000..9dd8a01927 --- /dev/null +++ b/data/release-notes/enterprise-server/3-6/1.yml 
@@ -0,0 +1,35 @@ +date: '2022-08-30' +sections: + bugs: + - Site administrators were not able to manage security products settings for repositories they had unlocked. + - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys + - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. + - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. + - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. + - Fixes an issue where organization admins were unable to set the level of access required for creating discussions. + - Fixes an issue where some users were incorrectly seeing a message that they needed to verify their email before creating a discussion. + - Fixes an issue with the hydro payload value. It use to not have quotes, so the problematic file name isnt being handled properly which created a potential security vulnerability in the file tree + - Fixes an issue where enterprise users were incorrectly seeing a link to the GitHub.com community guidelines. + - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + - The top site admin bar contained a broken link to the SHA for the currently running version of the application. + changes: + - In some cases, GitHub Advanced Security customers who skipped an upgrade to GitHub Enterprise Server 3.4 may have noticed that alerts from secret scanning were missing in the web UI and REST API. This fix recovers those impacted alerts. + - Performance improvements to the GitHub Enterprise Support Bundle generation process. 
This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. + - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. + - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). + - The page at `/stafftools/users/:login/admin` contained functionality not intended for GitHub Enterprise Server. + - Cache replicas could intermittently reject some git operations on recently updated repositories. + - Adds support for creating dismissible announcements via the API. + known_issues: + - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. + - Custom firewall rules are removed during the upgrade process. + - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. + - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters. + - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. 
+ - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. + - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail. + - Actions services need to be restarted after restoring an instance from a backup taken on a different host. + - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality. + - In some cases, users cannot convert existing issues to discussions. + - Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter. + - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' From 51b813089438043c3ae989cc62994747ae04eff6 Mon Sep 17 00:00:00 2001 From: Matt Pollard Date: Thu, 1 Sep 2022 12:26:39 +0200 Subject: [PATCH 2/4] Update note about secret scanning --- data/release-notes/enterprise-server/3-5/5.yml | 3 +-- data/release-notes/enterprise-server/3-6/1.yml | 3 +-- .../release-notes/ghas-3.4-secret-scanning-known-issue.md | 6 +++--- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/data/release-notes/enterprise-server/3-5/5.yml b/data/release-notes/enterprise-server/3-5/5.yml index d6f74825f1..cfec15d02f 100644 --- a/data/release-notes/enterprise-server/3-5/5.yml +++ b/data/release-notes/enterprise-server/3-5/5.yml 
@@ -9,8 +9,8 @@ sections: - The top site admin bar contained a broken link to the SHA for the currently running version of the application. - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. - The list of organizations on the fork screen would overflow its box when a user was in many organizations. + - Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible. changes: - - In some cases, GitHub Advanced Security customers who skipped an upgrade to GitHub Enterprise Server 3.4 may have noticed that alerts from secret scanning were missing in the web UI and REST API. This fix recovers those impacted alerts. - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). 
@@ -25,4 +25,3 @@ sections: - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail. - Actions services need to be restarted after restoring an appliance from a backup taken on a different host. - - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' diff --git a/data/release-notes/enterprise-server/3-6/1.yml b/data/release-notes/enterprise-server/3-6/1.yml index 9dd8a01927..cdc0406750 100644 --- a/data/release-notes/enterprise-server/3-6/1.yml +++ b/data/release-notes/enterprise-server/3-6/1.yml 
@@ -12,8 +12,8 @@ sections: - Fixes an issue where enterprise users were incorrectly seeing a link to the GitHub.com community guidelines. - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. - The top site admin bar contained a broken link to the SHA for the currently running version of the application. + - Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible. changes: - - In some cases, GitHub Advanced Security customers who skipped an upgrade to GitHub Enterprise Server 3.4 may have noticed that alerts from secret scanning were missing in the web UI and REST API. This fix recovers those impacted alerts. - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). 
@@ -32,4 +32,3 @@ sections: - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality. - In some cases, users cannot convert existing issues to discussions. - Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter. - - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' diff --git a/data/reusables/release-notes/ghas-3.4-secret-scanning-known-issue.md b/data/reusables/release-notes/ghas-3.4-secret-scanning-known-issue.md index 14f4157528..04d9906902 100644 --- a/data/reusables/release-notes/ghas-3.4-secret-scanning-known-issue.md +++ b/data/reusables/release-notes/ghas-3.4-secret-scanning-known-issue.md 
@@ -1,8 +1,8 @@ {% ifversion ghes < 3.5 %} -In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix will be available in upcoming patch releases. +In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the [3.5.5](/enterprise-server@3.5/admin/release-notes#3.5.5) and [3.6.1](/enterprise-server@3.6/admin/release-notes#3.6.1) patch releases. -To plan an upgrade through 3.4, see the [Upgrade assistant](https://support.github.com/enterprise/server-upgrade). [Updated: 2022-08-26] +To plan an upgrade through 3.4, see the [Upgrade assistant](https://support.github.com/enterprise/server-upgrade). [Updated: 2022-09-01] {% elsif ghes = 3.5 or ghes = 3.6 %} 
@@ -11,6 +11,6 @@ In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterpri - To display the missing alerts for all repositories owned by an organization, organization owners can navigate to the organization's **Code security and analysis** settings, then click **Enable all** for secret scanning. For more information, see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories)." - To display the missing alerts for an individual repository, people with admin access to the repository can disable then enable secret scanning for the repository. For more information, see "[Managing security and analysis settings for your repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)." -A fix will be available in an upcoming patch release. [Updated: 2022-08-26] +A fix is available in the {% ifversion ghes = 3.5 %}[3.5.5](/admin/release-notes#3.5.5){% elsif ghes = 3.6 %}[3.6.1](/admin/release-notes#3.6.1){% endif %} patch release. [Updated: 2022-09-01] {% endif %} From 5087e154f4eebf7a05759acae34b5428b8675340 Mon Sep 17 00:00:00 2001 From: Matt Pollard Date: Thu, 1 Sep 2022 14:06:48 +0200 Subject: [PATCH 3/4] Revise notes --- .../enterprise-server/3-2/18.yml | 6 ++--- .../enterprise-server/3-3/13.yml | 16 ++++++------- .../release-notes/enterprise-server/3-4/8.yml | 20 ++++++++-------- .../release-notes/enterprise-server/3-5/5.yml | 22 ++++++++--------- .../release-notes/enterprise-server/3-6/1.yml | 24 +++++++++---------- 5 files changed, 44 insertions(+), 44 deletions(-) 
diff --git a/data/release-notes/enterprise-server/3-2/18.yml b/data/release-notes/enterprise-server/3-2/18.yml index 9da92c8bb6..818d03df01 100644 --- a/data/release-notes/enterprise-server/3-2/18.yml +++ b/data/release-notes/enterprise-server/3-2/18.yml @@ -1,10 +1,10 @@ date: '2022-08-30' sections: bugs: - - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys - - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + - Duplicate administrative SSH keys could appear in both the Management Console and the `/home/admin/.ssh/authorized_keys` file. + - In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe. changes: - - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. + - Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "[Providing data to GitHub Support](/support/contacting-github-support/providing-data-to-github-support)." known_issues: - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. - Custom firewall rules are removed during the upgrade process. diff --git a/data/release-notes/enterprise-server/3-3/13.yml b/data/release-notes/enterprise-server/3-3/13.yml index 3c53ba2012..7072e70f12 100644 --- a/data/release-notes/enterprise-server/3-3/13.yml +++ b/data/release-notes/enterprise-server/3-3/13.yml 
@@ -1,15 +1,15 @@ date: '2022-08-30' sections: bugs: - - Site administrators were not able to manage security products settings for repositories they had unlocked. - - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys - - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. - - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. - - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. - - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + - After unlocking a repository for temporary access, a site administrator was unable to manage settings for security products in the repository. + - Duplicate administrative SSH keys could appear in both the Management Console and the `/home/admin/.ssh/authorized_keys` file. + - In some cases, running `ghe-cluster-config-apply` could replicate an empty configuration to existing nodes in a cluster. + - In some cases, configuration runs started with `ghe-config-apply` did not complete, or returned a `Container count mismatch` error. + - After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear. + - In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe. changes: - - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. 
This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. - - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). + - Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "[Providing data to GitHub Support](/support/contacting-github-support/providing-data-to-github-support)." + - The enterprise audit log now includes more user-generated events, such as `project.create`. The REST API also returns additional user-generated events, such as `repo.create`. For more information, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)" and "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise#querying-the-audit-log-rest-api)." known_issues: - After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command. - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. diff --git a/data/release-notes/enterprise-server/3-4/8.yml b/data/release-notes/enterprise-server/3-4/8.yml index 49263df7f9..6353897f97 100644 
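Review bot: in the 3-3/13.yml hunk, the replacement line "In some cases, configuration runs started with `ghe-config-apply` did not complete, or returned a `Container count mismatch` error." introduces an error string that does not appear in the entry it replaces ("The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid."); confirm that `Container count mismatch` is the literal message administrators see, because they will search the release notes for it. In the same hunk, the `ghe-cluster-config-apply` entry now says an "empty configuration" is replicated, whereas the removed text described unconfigured nodes replicating their own configuration and removing settings from existing cluster nodes; keep that consequence in the new wording so operators understand that the failure mode was loss of existing node configuration, not merely a no-op.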
--- a/data/release-notes/enterprise-server/3-4/8.yml +++ b/data/release-notes/enterprise-server/3-4/8.yml 
@@ -1,17 +1,17 @@ date: '2022-08-30' sections: bugs: - - Site administrators were not able to manage security products settings for repositories they had unlocked. - - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys - - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. - - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. - - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. - - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + - After unlocking a repository for temporary access, a site administrator was unable to manage settings for security products in the repository. + - Duplicate administrative SSH keys could appear in both the Management Console and the `/home/admin/.ssh/authorized_keys` file. + - The site admin page for individual users at http(s)://HOSTNAME/stafftools/users/USERNAME/admin contained functionality not intended for GitHub Enterprise Server. + - In some cases, running `ghe-cluster-config-apply` could replicate an empty configuration to existing nodes in a cluster. + - In some cases, configuration runs started with `ghe-config-apply` did not complete, or returned a `Container count mismatch` error. + - After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear. + - In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe. 
changes: - - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. - - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. - - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). - - The page at `/stafftools/users/:login/admin` contained functionality not intended for GitHub Enterprise Server. + - Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "[Providing data to GitHub Support](/support/contacting-github-support/providing-data-to-github-support)." + - APIs that contain the `organization` or `org` route now accept either the organization's slug or ID. Previously, the APIs only accepted slugs, which caused `Link` headers for GitHub Advanced Security endpoints to be inaccessible. For more information, see "[Organizations](https://docs.github.com/rest/orgs/orgs)" in the REST API documentation. + - The enterprise audit log now includes more user-generated events, such as `project.create`. The REST API also returns additional user-generated events, such as `repo.create`. 
For more information, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)" and "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise#querying-the-audit-log-rest-api)." known_issues: - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. - Custom firewall rules are removed during the upgrade process. diff --git a/data/release-notes/enterprise-server/3-5/5.yml b/data/release-notes/enterprise-server/3-5/5.yml index cfec15d02f..d73bb01961 100644 --- a/data/release-notes/enterprise-server/3-5/5.yml +++ b/data/release-notes/enterprise-server/3-5/5.yml 
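Review bot: in the 3-4/8.yml hunk, the replacement line "APIs that contain the `organization` or `org` route now accept either the organization's slug or ID." renames the routes: the removed entry referred to the `/organizations/` and `/orgs/` routes, which are the actual REST path segments, and `organization`/`org` match neither. Restore the path forms here and in the identical lines of the 3-5/5.yml and 3-6/1.yml hunks below. Two smaller points in the same hunk: the new stafftools entry writes the path as `http(s)://HOSTNAME/stafftools/users/USERNAME/admin` without backticks while every other path and command in the file is backticked, and because that entry concerns site-admin functionality that should not have been present on the product, it should say whether the functionality was removed or only hidden, so site administrators know whether any follow-up is needed.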
@@ -1,21 +1,21 @@ date: '2022-08-30' sections: bugs: - - Site administrators were not able to manage security products settings for repositories they had unlocked. - - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys - - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. - - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. - - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. + - After unlocking a repository for temporary access, a site administrator was unable to manage settings for security products in the repository. + - Duplicate administrative SSH keys could appear in both the Management Console and the `/home/admin/.ssh/authorized_keys` file. + - The site admin page for individual users at http(s)://HOSTNAME/stafftools/users/USERNAME/admin contained functionality not intended for GitHub Enterprise Server. + - In some cases, running `ghe-cluster-config-apply` could replicate an empty configuration to existing nodes in a cluster. + - In some cases, configuration runs started with `ghe-config-apply` did not complete, or returned a `Container count mismatch` error. + - After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear. - The top site admin bar contained a broken link to the SHA for the currently running version of the application. - - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. 
+ - In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe. - The list of organizations on the fork screen would overflow its box when a user was in many organizations. - Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible. changes: - - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. - - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. - - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). - - The page at `/stafftools/users/:login/admin` contained functionality not intended for GitHub Enterprise Server. - - Cache replicas could intermittently reject some git operations on recently updated repositories. + - Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "[Providing data to GitHub Support](/support/contacting-github-support/providing-data-to-github-support)." 
+ - APIs that contain the `organization` or `org` route now accept either the organization's slug or ID. Previously, the APIs only accepted slugs, which caused `Link` headers for GitHub Advanced Security endpoints to be inaccessible. For more information, see "[Organizations](https://docs.github.com/rest/orgs/orgs)" in the REST API documentation. + - The enterprise audit log now includes more user-generated events, such as `project.create`. The REST API also returns additional user-generated events, such as `repo.create`. For more information, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)" and "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise#querying-the-audit-log-rest-api)." + - In some cases, cache replicas could reject some Git operations on recently updated repositories. For more information about repository caching, see "[About repository caching](/admin/enterprise-management/caching-repositories/about-repository-caching)." known_issues: - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. - Custom firewall rules are removed during the upgrade process. diff --git a/data/release-notes/enterprise-server/3-6/1.yml b/data/release-notes/enterprise-server/3-6/1.yml index cdc0406750..b59262eb63 100644 --- a/data/release-notes/enterprise-server/3-6/1.yml +++ b/data/release-notes/enterprise-server/3-6/1.yml 
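Review bot: in the 3-5/5.yml hunk, the entry "In some cases, cache replicas could reject some Git operations on recently updated repositories." stays under `changes` even though it describes defective behaviour that was corrected; move it to `bugs` with the other fixes (the same placement recurs in the 3-6/1.yml hunk). Also, the context line "Alerts from secret scanning ... are now visible" in this hunk should be checked against the 3.5 known-issue text revised earlier in this series, which still instructs administrators to disable and re-enable secret scanning to display the missing alerts; the two should agree on whether upgrading to 3.5.5 alone restores the alerts.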
@@ -1,25 +1,25 @@ date: '2022-08-30' sections: bugs: - - Site administrators were not able to manage security products settings for repositories they had unlocked. - - Prevents duplication of admin SSH keys showing up in Management Console and admin/.ssh/authorized_keys - - Adding a check for running replication before updating configuration files on replica stand-up before running `ghe-cluster-config-apply`. This prevents cases where unconfigured nodes could replicate their configuration to the rest of the cluster, potentially removing configurations from the existing cluster nodes. - - The validation phase of the config apply run would incorrectly mark some Nomad jobs as invalid. - - The symlinks for self-signed TLS certificates were no created which caused various failures in the GitHub UI. + - After unlocking a repository for temporary access, a site administrator was unable to manage settings for security products in the repository. + - Duplicate administrative SSH keys could appear in both the Management Console and the `/home/admin/.ssh/authorized_keys` file. + - The site admin page for individual users at http(s)://HOSTNAME/stafftools/users/USERNAME/admin contained functionality not intended for GitHub Enterprise Server. + - In some cases, running `ghe-cluster-config-apply` could replicate an empty configuration to existing nodes in a cluster. + - In some cases, configuration runs started with `ghe-config-apply` did not complete, or returned a `Container count mismatch` error. + - After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear. - Fixes an issue where organization admins were unable to set the level of access required for creating discussions. - Fixes an issue where some users were incorrectly seeing a message that they needed to verify their email before creating a discussion. - Fixes an issue with the hydro payload value. 
It use to not have quotes, so the problematic file name isnt being handled properly which created a potential security vulnerability in the file tree - Fixes an issue where enterprise users were incorrectly seeing a link to the GitHub.com community guidelines. - - Some background tasks could deadlock preventing them from making progress caused by `enterprise-crypto` which has now been modified to be thread safe. + - In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe. - The top site admin bar contained a broken link to the SHA for the currently running version of the application. - Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible. changes: - - Performance improvements to the GitHub Enterprise Support Bundle generation process. This modifies the `sanitize_logs` function in `ghe-support-bundle` to run `psed` in parallel vs. serially. This is based on an analysis of bundle generation on `ghe.io` where it was observed we spent 36% of our time in `psed` sanitizing logs. - - Change the `/organizations/`, `/orgs/` API routes to accept organization slugs or IDs. Previously, they only accepted slugs which was inconsistent with the `/enterprises/` routes and caused `Link` headers on GitHub Advanced Security API endpoints, that use IDs not slugs, to be inaccessible to users. - - User generated audit-logs events, such as `repo.create`, are now correctly returned from the REST API availabe at `api.github.com/enterprises/{enterprise}/audit-log`. In addition to that, more types of user generated events, such as `project.create`, are now available on both the enterprise audit-log UI (available at `github.com/enterprises/{enterprise}/settings/audit-log`) and REST API (same endpoint as above). 
- - The page at `/stafftools/users/:login/admin` contained functionality not intended for GitHub Enterprise Server. - - Cache replicas could intermittently reject some git operations on recently updated repositories. - - Adds support for creating dismissible announcements via the API. + - Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "[Providing data to GitHub Support](/support/contacting-github-support/providing-data-to-github-support)." + - APIs that contain the `organization` or `org` route now accept either the organization's slug or ID. Previously, the APIs only accepted slugs, which caused `Link` headers for GitHub Advanced Security endpoints to be inaccessible. For more information, see "[Organizations](https://docs.github.com/rest/orgs/orgs)" in the REST API documentation. + - The enterprise audit log now includes more user-generated events, such as `project.create`. The REST API also returns additional user-generated events, such as `repo.create`. For more information, see "[Accessing the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)" and "[Using the audit log API for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise#querying-the-audit-log-rest-api)." + - In some cases, cache replicas could reject some Git operations on recently updated repositories. For more information about repository caching, see "[About repository caching](/admin/enterprise-management/caching-repositories/about-repository-caching)." + - You can now configure the global announcement banner to be dismissable using the REST API. 
For more information, see "[Customizing user messages for your enterprise](/admin/user-management/managing-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner)." known_issues: - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. - Custom firewall rules are removed during the upgrade process. From 22dc833963588850eb5ef957866761de74fc896e Mon Sep 17 00:00:00 2001 From: Matt Pollard Date: Thu, 1 Sep 2022 14:20:21 +0200 Subject: [PATCH 4/4] Revise notes --- data/release-notes/enterprise-server/3-5/5.yml | 4 ++-- data/release-notes/enterprise-server/3-6/1.yml | 9 ++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/data/release-notes/enterprise-server/3-5/5.yml b/data/release-notes/enterprise-server/3-5/5.yml index d73bb01961..1864d8e999 100644 --- a/data/release-notes/enterprise-server/3-5/5.yml +++ b/data/release-notes/enterprise-server/3-5/5.yml 
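Review bot: in the 3-6/1.yml hunk, the new line "You can now configure the global announcement banner to be dismissable using the REST API." misspells "dismissible". Separately, the hunk leaves the context entry "Fixes an issue with the hydro payload value. It use to not have quotes, so the problematic file name isnt being handled properly which created a potential security vulnerability in the file tree" untouched while every neighbouring entry is reworded; it is the only entry in the file that mentions a security vulnerability and the least readable one, so it needs the same treatment as the others (what input was mishandled, what was affected, and that it is fixed) rather than being left as is.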
@@ -7,10 +7,10 @@ sections: - In some cases, running `ghe-cluster-config-apply` could replicate an empty configuration to existing nodes in a cluster. - In some cases, configuration runs started with `ghe-config-apply` did not complete, or returned a `Container count mismatch` error. - After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear. - - The top site admin bar contained a broken link to the SHA for the currently running version of the application. + - The site admin bar at the top of the web interface contained a broken link to the SHA for the currently running version of the application. - In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe. - - The list of organizations on the fork screen would overflow its box when a user was in many organizations. - Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible. + - When a user forked a repository into an organization, a long list of organizations would not render properly. changes: - Generation of support bundles is faster as a result of parallelized log sanitization. For more information about support bundles, see "[Providing data to GitHub Support](/support/contacting-github-support/providing-data-to-github-support)." - APIs that contain the `organization` or `org` route now accept either the organization's slug or ID. Previously, the APIs only accepted slugs, which caused `Link` headers for GitHub Advanced Security endpoints to be inaccessible. For more information, see "[Organizations](https://docs.github.com/rest/orgs/orgs)" in the REST API documentation. 
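Review bot: in this 3-5/5.yml hunk, the fork-screen entry is deleted from its original position and re-added at the end of `bugs` as "When a user forked a repository into an organization, a long list of organizations would not render properly."; "would not render properly" is vaguer than the removed "would overflow its box", so keep the concrete symptom, and rewording in place rather than moving the entry would avoid the reorder that makes the diff harder to read.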
diff --git a/data/release-notes/enterprise-server/3-6/1.yml b/data/release-notes/enterprise-server/3-6/1.yml index b59262eb63..f31b9cb734 100644 --- a/data/release-notes/enterprise-server/3-6/1.yml +++ b/data/release-notes/enterprise-server/3-6/1.yml 
@@ -7,12 +7,11 @@ sections: - In some cases, running `ghe-cluster-config-apply` could replicate an empty configuration to existing nodes in a cluster. - In some cases, configuration runs started with `ghe-config-apply` did not complete, or returned a `Container count mismatch` error. - After updating a self-signed TLS certificate on a GitHub Enterprise Server instance, UI elements on some pages in the web interface did not appear. - - Fixes an issue where organization admins were unable to set the level of access required for creating discussions. - - Fixes an issue where some users were incorrectly seeing a message that they needed to verify their email before creating a discussion. - - Fixes an issue with the hydro payload value. It use to not have quotes, so the problematic file name isnt being handled properly which created a potential security vulnerability in the file tree - - Fixes an issue where enterprise users were incorrectly seeing a link to the GitHub.com community guidelines. - In some cases, background tasks could stall due to a library that was used concurrently despite not being thread-safe. - - The top site admin bar contained a broken link to the SHA for the currently running version of the application. + - The site admin bar at the top of the web interface contained a broken link to the SHA for the currently running version of the application. + - Organization owners were unable to set the level of access required to create discussions. + - Discussions users were incorrectly directed to the community guidelines for GitHub.com. + - In some cases, users were incorrectly instructed to verify their email before creating a discussion. - Alerts from secret scanning for GitHub Advanced Security customers were missing in the web UI and REST API if a site administrator did not upgrade directly to GitHub Enterprise Server 3.4. The alerts are now visible. changes: - Generation of support bundles is faster as a result of parallelized log sanitization. 
For more information about support bundles, see "[Providing data to GitHub Support](/support/contacting-github-support/providing-data-to-github-support)."
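Review bot: in this 3-6/1.yml hunk, the three discussions entries that are removed are re-added in reworded form, but the removed line "Fixes an issue with the hydro payload value. It use to not have quotes, so the problematic file name isnt being handled properly which created a potential security vulnerability in the file tree" has no replacement, so the only entry in the 3.6.1 notes that documented a security fix disappears. If the fix is intentionally not being disclosed in the release notes, record that decision in the PR; otherwise add a reworded entry (for example, that a file name that was not quoted in a payload was not handled correctly in the file tree, and that this is fixed) so administrators can see that the fix shipped in this release.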