GHES Patch Release Notes (#32769)

Co-authored-by: Release-Controller <runner@fv-az225-803.nn523fotaqjeti0rucxshd1u2e.jx.internal.cloudapp.net> Co-authored-by: Joseph Franks <joefranks1993@github.com> Co-authored-by: Gurjant <97250585+Gill312@users.noreply.github.com> Co-authored-by: Release-Controller <runner@fv-az226-987.tgcx2ubhyojezlzda0twcaouih.dx.internal.cloudapp.net> Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
2025-12-29 09:04:39 -05:00 · 2022-11-23 15:54:33 +01:00
parent 5720e01ca0
commit e52a9c5772
5 changed files with 197 additions and 0 deletions
--- a/data/release-notes/enterprise-server/3-3/16.yml
+++ b/data/release-notes/enterprise-server/3-3/16.yml
@@ -0,0 +1,25 @@
+date: '2022-11-22'
+sections:
+  security_fixes:
+    - "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This bug was originally reported via GitHubs Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870)." 
+    - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
+    - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
+    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
+    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com). 
+  bugs:
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
+    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users. 
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
+    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+  known_issues:
+    - After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command.
+    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
+    - Custom firewall rules are removed during the upgrade process.
+    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
+    - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
+    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
+    - '{% data variables.product.prodname_actions %} storage settings cannot be validated and saved in the {% data variables.enterprise.management_console %} when "Force Path Style" is selected, and must instead be configured with the `ghe-actions-precheck` command line utility.'
+    - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
+    - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
--- a/data/release-notes/enterprise-server/3-4/11.yml
+++ b/data/release-notes/enterprise-server/3-4/11.yml
@@ -0,0 +1,30 @@
+date: '2022-11-22'
+sections:
+  security_fixes:
+    - "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This bug was originally reported via GitHubs Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870)." 
+    - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
+    - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
+    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)." 
+    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com). 
+  bugs:
+    - If GitHub Actions was configured with S3 blob storage for the instance, content like logs and artifacts from deleted or expired workflow runs would remain in blob storage indefinitely. The instance will delete this content automatically the next time a regular background cleanup job runs. 
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
+    - GitHub Pages builds could time out on instances in AWS that are configured for high availability. 
+    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users. 
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
+    - In some cases, users could not merge a pull request due to unexpected status checks. 
+    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up. 
+    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+  known_issues:
+    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
+    - Custom firewall rules are removed during the upgrade process.
+    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
+    - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
+    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
+    - |
+      After registering a self-hosted runner with the `--ephemeral` parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]
+    - After upgrading to {% data variables.product.prodname_ghe_server %} 3.4, releases may appear to be missing from repositories. This can occur when the required Elasticsearch index migrations have not successfully completed.
+    - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
+    - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
--- a/data/release-notes/enterprise-server/3-5/8.yml
+++ b/data/release-notes/enterprise-server/3-5/8.yml
@@ -0,0 +1,31 @@
+date: '2022-11-22'
+sections:
+  security_fixes:
+    - "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This bug was originally reported via GitHubs Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870)." 
+    - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
+    - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
+    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
+    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
+  bugs:
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
+    - GitHub Pages builds could time out on instances in AWS that are configured for high availability. 
+    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users. 
+    - The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert. 
+    - When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors. 
+    - If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces. 
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
+    - When an enterprise owner impersonated a user and tried to install a GitHub App, the button to confirm the installation was disabled and could not be clicked. 
+    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up. 
+    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+  changes:
+    - To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility. 
+  known_issues:
+    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
+    - Custom firewall rules are removed during the upgrade process.
+    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
+    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
+    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
+    - Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
+    - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
--- a/data/release-notes/enterprise-server/3-6/4.yml
+++ b/data/release-notes/enterprise-server/3-6/4.yml
@@ -0,0 +1,39 @@
+date: '2022-11-22'
+sections:
+  security_fixes:
+    - "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This bug was originally reported via GitHubs Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870)." 
+    - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
+    - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
+    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
+    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
+  bugs:
+    - If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable. 
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
+    - GitHub Pages builds could time out on instances in AWS that are configured for high availability. 
+    - Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the `ghe-repl-status` output on those nodes. 
+    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users. 
+    - The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert. 
+    - "When using the CodeQL action, the runs annotations would include a spurious `HttpError: Upload not found` error." 
+    - When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors. 
+    - If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces. 
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
+    - In some cases, an instance could replace an active repository with a deleted repository. 
+    - Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000. 
+    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up. 
+    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+  changes:
+    - If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions. 
+    - To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility. 
+  known_issues:
+    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
+    - Custom firewall rules are removed during the upgrade process.
+    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
+    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
+    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
+    - Actions services need to be restarted after restoring an instance from a backup taken on a different host.
+    - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
+    - In some cases, users cannot convert existing issues to discussions.
+    - Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
+    - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
--- a/data/release-notes/enterprise-server/3-7/1.yml
+++ b/data/release-notes/enterprise-server/3-7/1.yml
@@ -0,0 +1,72 @@
+date: '2022-11-22'
+sections:
+  security_fixes:
+    - "**CRITICAL**: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions."
+    - "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This bug was originally reported via GitHubs Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870)." 
+    - "**HIGH**: Added a check in Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug."
+    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)." 
+  bugs:
+    - If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable. 
+    - Running the `ghe-spokesctl` command returned a `failed to get repo metrics` error. 
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
+    - GitHub Pages builds could time out on instances in AWS that are configured for high availability. 
+    - Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the `ghe-repl-status` output on those nodes. 
+    - The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert. 
+    - When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors. 
+    - If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces. 
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
+    - In some cases, an instance could replace an active repository with a deleted repository. 
+    - Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000. 
+    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up. 
+    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+    - On an instance with GitHub Packages configured, package upload and installation could fail for customers using a VPC endpoint URL for AWS S3 blob storage. 
+    - In some cases, after upgrading to GitHub Enterprise Server 3.7.0, users may encounter `Internal Server Error` or `500` errors when initiating Git operations over SSH or HTTPS.
+  changes:
+    - If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions. 
+    - To avoid failing domain verification due to the 63-character limit enforced by DNS providers for DNS records, the GitHub-generated `TXT` record to verify domain ownership is now limited to 63 characters. 
+    - To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility. 
+  known_issues:
+    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
+    - Custom firewall rules are removed during the upgrade process.
+    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
+    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
+    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
+    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
+    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
+    - Actions services need to be restarted after restoring an instance from a backup taken on a different host.
+    - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
+    - In some cases, users cannot convert existing issues to discussions.
+    - During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+    - |
+      In some cases after upgrading to GitHub Enterprise Server 3.7.0, users may encounter `Internal Server Error` or `500` errors when initiating `git` operations over SSH or HTTPS. Example:
+
+        ```
+        git push origin master
+        Total 0 (delta 0), reused 0 (delta 0)
+        remote: Internal Server Error
+        To ghes.hostname.com:User/repo.git
+        ! [remote rejected]       master -> master (Internal Server Error)
+        ```
+      
+      If these are encountered, please [contact GitHub Enterprise Support](/support/contacting-github-support/creating-a-support-ticket) with a support bundle. The known temporary workaround at this time is to restart the `github-gitauth` service with the commands below:
+
+        ```
+        nomad stop github-gitauth
+        nomad run /etc/nomad-jobs/github/gitauth.hcl
+        nomad status git
+        ```
+      We are currently investigating a permanent fix for a future hot patch.
+
+  deprecations:
+    # https://github.com/github/enterprise-releases/issues/3217
+    - |
+      **Upcoming deprecation**: In GitHub Enterprise Server 3.8 and later, unsecure algorithms will be disabled for SSH connections to the administrative shell.
+
+    # https://github.com/github/releases/issues/2395
+    - Commit comments, which are comments that users add directly to a commit outside of a pull request, no longer appear in the pull request timeline. Users could not reply to or resolve these comments. The Timeline events REST API and the GraphQL API's `PullRequest` object also no longer return commit comments.
+
+    # https://github.com/github/releases/issues/2380
+    - Diffing GeoJSON, PSD, and STL files is no longer possible.
+
+    # https://github.com/github/releases/issues/2480
+    - Package registries on the new GitHub Packages architecture, including Container registry and npm packages, no longer expose data through the GraphQL API. In a coming release, other GitHub Packages registries will migrate to the new architecture, which will deprecate the GraphQL API for those registries as well. GitHub recommends using the REST API to programmatically access information about GitHub Packages. For more information, see "[Packages](/rest/packages)" in the REST API documentation.