Patch release notes for GitHub Enterprise Server (#58139)
Co-authored-by: Release-Controller <releasecontroller@github.com>
Co-authored-by: Devin Dooley <dooleydevin@github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
commit c747d99bc7 (parent 8dbf0f9bf2), committed by GitHub
data/release-notes/enterprise-server/3-14/19.yml (new file, 54 lines)
@@ -0,0 +1,54 @@
date: '2025-10-29'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
Users applying a new license file received an HTTP 500 error.
- |
SVG files stored in Git Large File Storage (LFS) failed to render on the web interface.
- |
On the "Scheduled workflows" page in the site admin dashboard, actors attributed to workflows appeared as "Not found".
changes:
- |
Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
known_issues:
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shut down the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. You can also trigger the reindexing by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
- |
In the header bar displayed to site administrators, some icons are not available.
- |
When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
- |
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
- |
Unexpected elements may appear in the UI on the repository overview page for locked repositories.
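Review bot: the `security_fixes` entries reference CVEs inconsistently: the third entry links `CVE-2025-11892` to cve.org, while `CVE-2025-49844` in the Redis entry and `CVE-2025-11578` in the pre-receive hook entry are plain text; suggest linking all three the same way, following the existing pattern (e.g. `[CVE-2025-11578](https://www.cve.org/cverecord?id=CVE-2025-11578)`), so admins can jump to the record for each fix when triaging. Also, this 3.14 file is the only one in the commit whose `known_issues` list does not open with `Custom firewall rules are removed during the upgrade process.`; worth confirming the omission is intentional rather than a copy miss, since admins on 3.14 would want that warning before upgrading.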
data/release-notes/enterprise-server/3-15/14.yml (new file, 68 lines)
@@ -0,0 +1,68 @@
date: '2025-10-29'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
Users applying a new license file received an HTTP 500 error.
- |
Administrators running the `ghe-repl-start-all` command may have encountered replicas remaining in an enabled state after a failed operation, causing subsequent configuration updates to execute on unintended nodes. Replicas now revert to a disabled state if the command fails.
- |
Setting up MySQL replication on secondary replica nodes was inefficient and consumed unnecessary root disk space.
- |
When running the `system-requirements` check as part of the `ghe-cluster-config-check` command prior to the initialization of a new cluster, the check request would fail because it exceeded the overall request timeout.
- |
SVG files stored in Git Large File Storage (LFS) failed to render on the web interface.
- |
Announcements scheduled using the `expires_at` timestamp in ISO 8601 format were not parsing the specified time correctly, resulting in the time component always being ignored.
- |
On the "Scheduled workflows" page in the site admin dashboard, actors attributed to workflows appeared as "Not found".
- |
On instances where GitHub Actions workflows require approval to run on pull requests from forked repositories, workflows remained queued indefinitely after users clicked "Approve and run".
changes:
- |
Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shut down the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. You can also trigger the reindexing by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
- |
In the header bar displayed to site administrators, some icons are not available.
- |
When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding more nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
- |
Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
- |
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
- |
Unexpected elements may appear in the UI on the repository overview page for locked repositories.
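Review bot: `known_issues` in this 3.15 file drops the `ghe-repl-promote` suggested-workflows entry that the 3.14, 3.16 and 3.17 files in this commit all carry; if 3.15 is still affected the entry should be added, and if it was fixed in 3.15 a line in the PR description saying so would save the next editor from re-checking. Minor wording that applies to the same line in all four files: in the admin stats entry, `may timeout` should be `may time out` (verb form).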
||||
data/release-notes/enterprise-server/3-16/10.yml (new file, 86 lines)
@@ -0,0 +1,86 @@
date: '2025-10-29'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. This fix addresses this Server-Side Request Forgery (SSRF) vulnerability by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
- |
Packages have been updated to the latest security versions.
bugs:
- |
Users applying a new license file received an HTTP 500 error.
- |
Administrators running the `ghe-repl-start-all` command may have encountered replicas remaining in an enabled state after a failed operation, causing subsequent configuration updates to execute on unintended nodes. Replicas now revert to a disabled state if the command fails.
- |
Setting up MySQL replication on secondary replica nodes was inefficient and consumed unnecessary root disk space.
- |
After an upgrade, administrators found that Elasticsearch allocation remained set to "none," causing subsequent upgrades to fail. Enterprise upgrades now correctly set allocation to "all" after configuration is applied, preventing upgrade blocks.
- |
When running the `system-requirements` check as part of the `ghe-cluster-config-check` command prior to the initialization of a new cluster, the check request would fail because it exceeded the overall request timeout.
- |
SVG files stored in Git Large File Storage (LFS) failed to render on the web interface.
- |
Creating an organization would fail with a 500 or validation error if a maximum lifetime policy for {% data variables.product.pat_generic_plural %} was set to less than 366 days in the enterprise settings.
- |
Announcements scheduled using the `expires_at` timestamp in ISO 8601 format were not parsing the specified time correctly, resulting in the time component always being ignored.
- |
On the "Scheduled workflows" page in the site admin dashboard, actors attributed to workflows appeared as "Not found".
- |
On instances with thousands of organizations and roles, opening the security overview page for an organization or any other organization-level pages accessible via the Security tab triggered inefficient database queries that could degrade performance for other users.
- |
Administrators who had upgraded to the previous patch release may have observed a significant increase in executions of the `SecurityOverviewAnalytics::UpdateFeatureStatusSummaryJob`, causing background job queue saturation, service delays, reduced stability, and lower performance for environments using security overview analytics.
- |
On instances where GitHub Actions workflows require approval to run on pull requests from forked repositories, workflows remained queued indefinitely after users clicked "Approve and run".
- |
The GitHub system user was not always properly set on startup, occasionally surfacing in authentication errors or failed secret scanning jobs in logs.
changes:
- |
Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
- |
Logging of configuration runs is improved with streamlined logging for different configuration phases. Phase-specific logs are written to both the main log file (`ghe-config.log`) and the console for better visibility.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shut down the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. You can also trigger the reindexing by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
- |
When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding more nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
- |
Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
- |
In a cluster, the host running restore requires access to the storage nodes via their private IPs.
- |
On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
- |
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
- |
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
- |
Unexpected elements may appear in the UI on the repository overview page for locked repositories.
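Review bot: the aqueduct-lite SSRF entry under `security_fixes` is the only fix in the list with no severity label and no CVE or advisory reference, while the three entries above it carry **CRITICAL:**/**HIGH:** prefixes; suggest adding the severity and, if one has been requested, the identifier so admins can rank it alongside the other fixes. The entry also states only that connections to loopback addresses are now blocked after the webhook delivery hostname is resolved; since the bypass was "by using a domain name", readers assessing exposure will want to know whether other non-public address ranges are covered by the same post-resolution check, so a clause saying so (or that only loopback is blocked) would make the scope of the fix unambiguous.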
||||
data/release-notes/enterprise-server/3-17/7.yml (new file, 96 lines)
@@ -0,0 +1,96 @@
|
||||
date: '2025-10-29'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
|
||||
- |
|
||||
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
|
||||
- |
|
||||
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. This fix addresses this Server-Side Request Forgery (SSRF) vulnerability by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
Initializing a cluster configuration for the first time could fail with `Error: Validation preflight-check`.
|
||||
- |
|
||||
Administrators running the `ghe-repl-start-all` command may have encountered replicas remaining in an enabled state after a failed operation, causing subsequent configuration updates to execute on unintended nodes. Replicas now revert to a disabled state if the command fails.
|
||||
- |
|
||||
Setting up MySQL replication on secondary replica nodes was inefficient and consumed unnecessary root disk space.
|
||||
- |
|
||||
Users applying a new license file received an HTTP 500 error.
|
||||
- |
|
||||
After an upgrade, administrators found that Elasticsearch allocation remained set to "none," causing subsequent upgrades to fail. Enterprise upgrades now correctly set allocation to "all" after configuration is applied, preventing upgrade blocks.
|
||||
- |
|
||||
When running the `system-requirements` check as part of the `ghe-cluster-config-check` command prior to the initialization of a new cluster, the check request would fail because it exceeded the overall request timeout.
|
||||
- |
|
||||
SVG files stored in Git Large File Storage (LFS) failed to render on the web interface.
|
||||
- |
|
||||
Creating an organization would fail with a 500 or validation error if a maximum lifetime policy for {% data variables.product.pat_generic_plural %} was set to less than 366 days in the enterprise settings.
|
||||
- |
|
||||
Announcements scheduled using the `expires_at` timestamp in ISO 8601 format were not parsing the specified time correctly, resulting in the time component always being ignored.
|
||||
- |
|
||||
On the "Scheduled workflows" page in the site admin dashboard, actors attributed to workflows appeared as "Not found".
|
||||
- |
|
||||
On pull requests in organization-owned repositories, users could not request reviews from teams with the "All-repository read" organization role.
|
||||
- |
|
||||
Administrators experienced 500 errors when attempting to run Dependabot from the Security tab, to scan repositories for dependency vulnerabilities.
|
||||
- |
|
||||
On instances with thousands of organizations and roles, opening the security overview page for an organization or any other organization-level pages accessible via the Security tab triggered inefficient database queries that could degrade performance for other users.
|
||||
- |
|
||||
Administrators who had upgraded to the previous patch release may have observed a significant increase in executions of the `SecurityOverviewAnalytics::UpdateFeatureStatusSummaryJob`, causing background job queue saturation, service delays, reduced stability, and lower performance for environments using security overview analytics.
|
||||
- |
|
||||
On instances where GitHub Actions workflows require approval to run on pull requests from forked repositories, workflows remained queued indefinitely after users clicked "Approve and run".
|
||||
- |
|
||||
The GitHub system user was not always properly set on startup, occasionally surfacing in authentication errors or failed secret scanning jobs in logs.
|
||||
- |
|
||||
In rare cases, inconsistent data could lead to a panic in the code scanning service, causing it to restart and become unavailable for a few seconds. This could cause HTTP 500 errors when interacting with the code scanning API or in parts of the UI.
|
||||
changes:
|
||||
- |
|
||||
Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
|
||||
- |
|
||||
Logging of configuration runs is improved with streamlined logging for different configuration phases. Phase-specific logs are written to both the main log file (`ghe-config.log`) and the console for better visibility.
|
||||
known_issues:
|
||||
- |
|
||||
Custom firewall rules are removed during the upgrade process.
|
||||
- |
|
||||
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
||||
- |
|
||||
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shut down the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. You can also trigger the reindexing by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
- |
When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding more nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
- |
Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
- |
In a cluster, the host running restore requires access to the storage nodes via their private IPs.
- |
On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
- |
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
- |
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
- |
Unexpected elements may appear in the UI on the repository overview page for locked repositories.
- |
When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.
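Review bot: The final known issue in this hunk (npm `401 Unauthorized` after restoring to 3.13.5.gm4 or 3.14.2.gm3) states a cause, a restore from an N-1 or N-2 version, that the stated workaround, making sure the token is valid and correctly scoped, does not address; either explain how a valid, correctly scoped token avoids a restore-induced 401 or describe the workaround that actually applies. Minor: the two entries that direct admins to `/usr/local/share/enterprise/ghe-es-search-repair` (Elasticsearch reindexing after a restore, outside collaborators after a restore) share one remediation and could cross-reference each other. The `X-Forwarded-For` entry would help incident responders more if it said whether the real client IP is recorded anywhere else while every audit-log entry shows 127.0.0.1.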
98
data/release-notes/enterprise-server/3-18/1.yml
Normal file
@@ -0,0 +1,98 @@
date: '2025-10-29'
sections:
security_fixes:
- |
**CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks.
- |
**HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program.
- |
**HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Authenticated users could target the internal aqueduct-lite endpoints by using a domain name to circumvent checks. This fix addresses this Server-Side Request Forgery (SSRF) vulnerability by blocking connections to loopback addresses after resolving the domain name for the webhook delivery address.
- |
**LOW:** When a user updated a classic {% data variables.product.pat_generic_title_case %} (PAT) to remove all scopes instead of revoking the PAT, the change was silently ignored and the PAT continued to grant its previously held permissions. To mitigate this issue, GitHub updated the token management logic to correctly clear scopes when no scope is provided.
- |
Packages have been updated to the latest security versions.
bugs:
- |
Initializing a cluster configuration for the first time could fail with `Error: Validation preflight-check`.
- |
Administrators running the `ghe-repl-start-all` command may have encountered replicas remaining in an enabled state after a failed operation, causing subsequent configuration updates to execute on unintended nodes. Replicas now revert to a disabled state if the command fails.
- |
Setting up MySQL replication on secondary replica nodes was inefficient and consumed unnecessary root disk space.
- |
Administrators and users who accessed dashboard panels experienced issues with the CPU panel, navigation between dashboards, and a missing home dashboard.
- |
Administrators could not generate support bundles on stateless high availability nodes because the `ghe-support-bundle` command failed when attempting to query Elasticsearch on nodes without the `elasticsearch-server` role.
- |
After an upgrade, administrators found that Elasticsearch allocation remained set to "none," causing subsequent upgrades to fail. Enterprise upgrades now correctly set allocation to "all" after configuration is applied, preventing upgrade blocks.
- |
When running the `system-requirements` check as part of the `ghe-cluster-config-check` command prior to the initialization of a new cluster, the check request would fail because it exceeded the overall request timeout.
- |
Creating an organization would fail with a 500 or validation error if a maximum lifetime policy for {% data variables.product.pat_generic_plural %} was set to less than 366 days in the enterprise settings.
- |
Announcements scheduled using the `expires_at` timestamp in ISO 8601 format were not parsing the specified time correctly, resulting in the time component always being ignored.
- |
On pull requests in organization-owned repositories, users could not request reviews from teams with the "All-repository read" organization role.
- |
Administrators experienced 500 errors when attempting to run Dependabot from the Security tab, to scan repositories for dependency vulnerabilities.
- |
On instances with thousands of organizations and roles, opening the security overview page for an organization or any other organization-level pages accessible via the Security tab triggered inefficient database queries that could degrade performance for other users.
- |
Administrators who had upgraded to the previous patch release may have observed a significant increase in executions of the `SecurityOverviewAnalytics::UpdateFeatureStatusSummaryJob`, causing background job queue saturation, service delays, reduced stability, and lower performance for environments using security overview analytics.
- |
On instances where GitHub Actions workflows require approval to run on pull requests from forked repositories, workflows remained queued indefinitely after users clicked "Approve and run".
- |
The GitHub system user was not always properly set on startup, occasionally surfacing in authentication errors or failed secret scanning jobs in logs.
changes:
- |
Elasticsearch deprecation warnings, which are logged to index files in new versions of Elasticsearch, have been disabled. These warnings provided no value to administrators, and in some cases could block upgrades of instances in high-availability or cluster configurations.
- |
Logging of configuration runs is improved with streamlined logging for different configuration phases. Phase-specific logs are written to both the main log file (`ghe-config.log`) and the console for better visibility.
- |
Users can no longer view Git objects, such as commits and tags, that exceed the maximum size limit of 10 MB.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shut down the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. You can also trigger the reindexing by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
- |
When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding more nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration.
- |
Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories.
- |
In a cluster, the host running restore requires access to the storage nodes via their private IPs.
- |
On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue.
- |
After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance.
- |
After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows.
- |
Unexpected elements may appear in the UI on the repository overview page for locked repositories.
- |
When publishing npm packages in a workflow after restoring from a backup to GitHub Enterprise Server 3.13.5.gm4 or 3.14.2.gm3, you may encounter a `401 Unauthorized` error from the GitHub Packages service. This can happen if the restore is from an N-1 or N-2 version and the workflow targets the npm endpoint on the backup instance. To avoid this issue, ensure the access token is valid and includes the correct scopes for publishing to GitHub Packages.
- |
The setting to define private registries at the organization level for code scanning is only available if Dependabot is also enabled for the instance.
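Review bot: The fourth `security_fixes` entry (the aqueduct-lite SSRF fix) is the only vulnerability entry in this file without a severity prefix; every other entry carries `**CRITICAL:**`, `**HIGH:**` or `**LOW:**`, so add the rating for consistency and, as the neighbouring entries do, state the CVE or reporting channel if one exists. The same entry says the fix blocks connections to loopback addresses after resolving the webhook delivery hostname; if the check also covers other non-routable ranges, say so, because as written an admin can only infer that loopback is blocked. In `known_issues`, the npm `401 Unauthorized` entry refers to restoring to 3.13.5.gm4 or 3.14.2.gm3 and reads as carried over verbatim from the 3.14 release notes; confirm it applies to 3.18.1 and update the version references.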