GHES Patch Release Notes (#33497)
Co-authored-by: Release-Controller <runner@fv-az221-820.rdwmklopv5je1nmcb30mjggtwb.cx.internal.cloudapp.net>
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
Co-authored-by: Mike Bailey <miskerest@github.com>
committed by GitHub
parent 64b96cda96
commit 67cfff4fa2
@@ -1,7 +1,6 @@
date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]"
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
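Review bot: the HIGH path traversal entry in this 2022-11-22 `security_fixes` list still carries no CVE identifier, while the new 3.3.17 file added in this same commit assigns CVE-2022-46256 to what reads as the same GitHub Pages build issue (same precondition: permission to create and build a Pages site on the instance). Either add the CVE link to this entry or reword it so it is clear that this was a hardening check that preceded the full fix; as written, an administrator on 3.3.16 cannot tell whether the instance is still affected. Minor: "the instances web UI" should be "the instance's web UI".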
24
data/release-notes/enterprise-server/3-3/17.yml
Normal file
@@ -0,0 +1,24 @@
date: '2022-12-13'
sections:
security_fixes:
- |
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
- |
**HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741). bugs:
bugs:
- Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
- A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.
- On instances where the dependency graph is enabled, upgrades could sometimes fail due to a slow-running migration of dependency graph data.
known_issues:
- After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command.
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- '{% data variables.product.prodname_actions %} storage settings cannot be validated and saved in the {% data variables.enterprise.management_console %} when "Force Path Style" is selected, and must instead be configured with the `ghe-actions-precheck` command line utility.'
- '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
- '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
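Review bot: the CVE-2022-23741 entry (the second `- |` block scalar under `security_fixes`) ends with a stray `bugs:` token on the same line as the note text, immediately before the real `bugs:` key. Inside a literal block scalar that token is data, not a mapping key, so the rendered release note will end with the literal text "CVE-2022-23741). bugs:" and the YAML still parses, which means no linter will catch it. Drop the trailing token so the entry ends at the closing parenthesis. The same defect appears in the other new files in this commit (3-4/12.yml, 3-5/9.yml, 3-6/5.yml); a grep for `). bugs:` under `data/release-notes/` before merging would confirm they are all cleaned up.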
@@ -1,7 +1,6 @@
date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]"
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
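Review bot: `@@ -1,7 +1,6 @@` removes one line from the 3.4 2022-11-22 `security_fixes` list (the matching 3.3, 3.5 and 3.6 hunks do the same), but nothing in the commit message says which entry is being withdrawn or why. Published security notes should not change silently: add a sentence to the commit body naming the removed entry, and consider an `[Updated: 2022-12-13]` marker on the affected list, matching the `[Updated: 2022-12-02]` convention the path traversal entry already uses, so readers of the rendered page can see the note was revised.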
27
data/release-notes/enterprise-server/3-4/12.yml
Normal file
@@ -0,0 +1,27 @@
date: '2022-12-13'
sections:
security_fixes:
- |
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
- |
**HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741). bugs:
bugs:
- When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
- Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
- The `member` webhook event did not include the `from` and `to` field values for the `permission` field as part of the `changes` field.
- After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
- A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- |
After registering a self-hosted runner with the `--ephemeral` parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]
- After upgrading to {% data variables.product.prodname_ghe_server %} 3.4, releases may appear to be missing from repositories. This can occur when the required Elasticsearch index migrations have not successfully completed.
- '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
- '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
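Review bot: the same trailing `bugs:` token sits at the end of the CVE-2022-23741 block scalar here as in 3-3/17.yml; remove it. Two smaller points in this file: the `ghe-repl-sync-ca-certificates` entry says "an instances primary node" twice where "an instance's primary node" is meant, and the `--ephemeral` runner known issue carries `[Updated: 2022-06-17]` in a file dated 2022-12-13 while none of the other carried-forward known issues in the list carry a date; either drop the stale marker or apply the convention consistently.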
@@ -1,7 +1,6 @@
date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]"
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
@@ -17,8 +16,6 @@ sections:
- When an enterprise owner impersonated a user and tried to install a GitHub App, the button to confirm the installation was disabled and could not be clicked.
- After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
- Zombie processes no longer accumulate in the `gitrpcd` container.
changes:
- To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
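Review bot: "Zombie processes no longer accumulate in the `gitrpcd` container." under `bugs:` describes the fix, while every other entry in that list describes the defect in the past tense ("the button to confirm the installation was disabled", "replication of migration storage assets would not catch up"). If this line survives the hunk, reword it to the list's convention, for example "Zombie processes accumulated in the `gitrpcd` container.", or move it under `changes:` where fix-oriented wording is used.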
28
data/release-notes/enterprise-server/3-5/9.yml
Normal file
@@ -0,0 +1,28 @@
date: '2022-12-13'
sections:
security_fixes:
- |
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
- |
**HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741). bugs:
bugs:
- If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.
- When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
- Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
- The `member` webhook event did not include the `from` and `to` field values for the `permission` field as part of the `changes` field.
- After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
- In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
- If a user uploaded more than one file while creating a new Gist, the user could not delete any files uploaded after the first.
- A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
- '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
- '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
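Review bot: the same trailing `bugs:` token follows the CVE-2022-23741 block scalar here; remove it. Also in this file, "If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable." is written as a behaviour change rather than a defect, unlike the rest of the `bugs:` list; either reword it to describe what went wrong (Dependabot marked SHA-pinned GitHub Actions dependencies as vulnerable) or file it under `changes:`. Finally, the "Users can search GitHub.com" known issue uses literal "GitHub Connect" and "GitHub.com" while the 3.3 and 3.4 files in this same commit use `{% data variables.product.prodname_github_connect %}` and `{% data variables.product.prodname_dotcom_the_website %}`; pick one convention across the release-note files.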
@@ -1,7 +1,6 @@
date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]"
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
@@ -23,7 +22,6 @@ sections:
- Zombie processes no longer accumulate in the `gitrpcd` container.
changes:
- If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.
- To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
45
data/release-notes/enterprise-server/3-6/5.yml
Normal file
@@ -0,0 +1,45 @@
date: '2022-12-13'
sections:
security_fixes:
- |
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
- |
**HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741). bugs:
bugs:
- A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later until a site administrator retried the upgrade.
- Site administrators were not able to manage security products settings for repositories they had unlocked.
- When a site administrator ran the `ghe-repl-status` command on a cache replica via the administrative shell (SSH), the command incorrectly reported overall Git and Alambic cluster replication status information as if it pertained only to cache replication.
- When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
- When using repository caching with an instance in a high availability configuration, if a Git client used SSH instead of HTTPS for a repositorys remote URL, Git LFS would fetch objects from the instances primary node instead of the appropriate cache replica node.
- Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
- If a user uploaded more than one file while creating a new Gist, the user could not delete any files uploaded after the first.
- In some cases, searches via the API returned a `500` error.
- In some cases, when browsing repositories in the web interface, an erroneous banner indicated that a repository didnt contain a specific undefined path on the current branch.
- The `member` webhook event did not include the `from` and `to` field values for the `permission` field as part of the `changes` field.
- Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a `500` error.
- In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
- After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
- A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.
changes:
- To avoid failing domain verification due to the 63-character limit enforced by DNS providers for DNS records, the GitHub-generated `TXT` record to verify domain ownership is now limited to 63 characters.
- After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.
- A user's list of recently accessed repositories no longer includes deleted repositories.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- In some cases, users cannot convert existing issues to discussions.
- Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
- '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
- |
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this [upstream commit](https://github.com/git/git/commit/968f12fdac) in the Git project.

If you suspect a problem like this exists in one of your repositories, you can run `git-crash-fix analyze` in the repository on your GitHub Enterprise Server instance. If `git-crash-fix analyze` reports problems, [contact GitHub Enterprise Support](/support/contacting-github-support/creating-a-support-ticket) for assistance, and include the command output in your support request.
- '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
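Review bot: the same trailing `bugs:` token follows the CVE-2022-23741 block scalar in this file; remove it. Two documentation points specific to 3-6/5.yml: the secret scanning known issue tells users to remove the `.*` end delimiter from the "After secret" field but never says what the field should contain instead (empty, or a specific delimiter), so an admin following it is left guessing; and the repository-corruption known issue gives the invocation as `git-crash-fix analyze` while the `changes:` entries in the 2022-11-22 hunks earlier in this diff introduce the utility as plain `git-crash-fix`, so state the full invocation in both places. Minor: this list says "restoring an instance from a backup" where the 3.5 file says "restoring an appliance"; the same known issue should use the same wording.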
@@ -2,8 +2,7 @@ date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2022-23740](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23740). [Updated: 2022-12-02]"
- "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]"
- "**HIGH**: Added a check in Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug."
- "**HIGH**: A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability has been assigned [CVE-2022-46255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46255)."
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
bugs:
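Review bot: the two adjacent HIGH entries about the Pages working-directory check ("Added a check in Pages to ensure the working directory is clean ..." and "A check was added within Pages ... CVE-2022-46255") describe the same fix, so only the variant carrying the CVE-2022-46255 link should survive in the new file; confirm the earlier wording is the removed line, or the 3.7.1 note will list one fix twice. The header `-2,8 +2,7` over nine displayed lines also accounts for one added and two removed lines, so a second entry in this list is being dropped as well; the commit message should say which one and why, since this is a published security advisory list.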
@@ -25,7 +24,6 @@ sections:
changes:
- If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.
- To avoid failing domain verification due to the 63-character limit enforced by DNS providers for DNS records, the GitHub-generated `TXT` record to verify domain ownership is now limited to 63 characters.
- To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
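Review bot: the domain verification entry ("the 63-character limit enforced by DNS providers for DNS records") misattributes the limit. 63 octets is the maximum length of a single DNS label (RFC 1035, section 2.3.4), a protocol limit rather than a provider policy, and it applies to each label of a record's name; TXT record data is limited to 255 octets per character-string, not 63. The entry should say which part of the generated `TXT` record is now capped at 63 characters so administrators know what to compare when verification fails. This line is unchanged context in the hunk, so fixing it would be a follow-up, but it is worth doing before the same sentence is copied into 3-6/5.yml, where it already appears verbatim in this commit.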
56
data/release-notes/enterprise-server/3-7/2.yml
Normal file
@@ -0,0 +1,56 @@
|
||||
date: '2022-12-13'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
|
||||
bugs:
|
||||
- A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later until a site administrator retried the upgrade.
|
||||
- When a site administrator ran the `ghe-repl-status` command on a cache replica via the administrative shell (SSH), the command incorrectly reported overall Git and Alambic cluster replication status information as if it pertained only to cache replication.
|
||||
- When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
|
||||
- In a high availability configuration, after promotion of a replica to be the primary node, a site administrator could not force replication to stop on a secondary replica node using the `ghe-repl-stop -f` command.
|
||||
- When using repository caching with an instance in a high availability configuration, if a Git client used SSH instead of HTTPS for a repositorys remote URL, Git LFS would fetch objects from the instances primary node instead of the appropriate cache replica node.
|
||||
- Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
|
||||
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
|
||||
- In some cases, searches via the API returned a `500` error.
|
||||
- Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a `500` error.
- In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
- Dismissing a Dependabot alert that contained certain characters could result in a `400` error.
- After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
- On an instance that uses SAML for authentication, the **Configure SSO** dropdown menu appeared erroneously for personal access tokens and SSH keys.
- An upgrade from GitHub Enterprise Server 3.5 to 3.7 could fail because the instance had not yet purged deleted repositories.
- In a high availability or repository caching configuration, Unicorn services on nodes other than the primary node were unable to send log events to the primary node.
- Fixes a bug in which a GHES log file could get filled very quickly and cause the root drive to run out of free space.
- When viewing code scanning results for Ruby, an erroneous beta label appeared.
changes:
- After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.
- A user's list of recently accessed repositories no longer includes deleted repositories.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- In some cases, users cannot convert existing issues to discussions.
- During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this [upstream commit](https://github.com/git/git/commit/968f12fdac) in the Git project.
If you suspect a problem like this exists in one of your repositories, you can run `git-crash-fix analyze` in the repository on your GitHub Enterprise Server instance. If `git-crash-fix analyze` reports problems, [contact GitHub Enterprise Support](/support/contacting-github-support/creating-a-support-ticket) for assistance, and include the command output in your support request.
- '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
deprecations:
# https://github.com/github/enterprise-releases/issues/3217
- |
**Upcoming deprecation**: In GitHub Enterprise Server 3.8 and later, unsecure algorithms will be disabled for SSH connections to the administrative shell.
# https://github.com/github/releases/issues/2395
- Commit comments, which are comments that users add directly to a commit outside of a pull request, no longer appear in the pull request timeline. Users could not reply to or resolve these comments. The Timeline events REST API and the GraphQL API's `PullRequest` object also no longer return commit comments.
# https://github.com/github/releases/issues/2380
- Diffing GeoJSON, PSD, and STL files is no longer possible.
# https://github.com/github/releases/issues/2480
- Package registries on the new GitHub Packages architecture, including Container registry and npm packages, no longer expose data through the GraphQL API. In a coming release, other GitHub Packages registries will migrate to the new architecture, which will deprecate the GraphQL API for those registries as well. GitHub recommends using the REST API to programmatically access information about GitHub Packages. For more information, see "[Packages](/rest/packages)" in the REST API documentation.
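Review bot: the `bugs` entry `Fixes a bug in which a GHES log file could get filled very quickly and cause the root drive to run out of free space.` breaks the list's convention and is too vague to act on: every other entry describes the defect as observed (`A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later ...`), not the fix, and this one names neither the log file nor the service writing it, so an administrator of an unpatched instance cannot tell which log to watch or rotate; suggest `A log file could fill rapidly and exhaust free space on the root volume.` with the log's name added if it can be stated. In `deprecations`, `unsecure algorithms will be disabled for SSH connections to the administrative shell` should read `insecure`, and the notice should name the key exchange, cipher and MAC algorithms being removed (or link to that list) so site administrators can check their SSH clients and automation before upgrading to 3.8 rather than being locked out afterwards. Minor: `{% data variables.product.prodname_ghe_server %}` appears in one `known_issues` entry while every other entry in the file spells out `GitHub Enterprise Server`; use one form.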