date: '2021-09-24'
sections:
  security_fixes:
    - '**HIGH:** A path traversal vulnerability was identified in {% data variables.product.prodname_ghe_server %} that could be exploited when building a {% data variables.product.prodname_pages %} site. User-controlled configuration options used by {% data variables.product.prodname_pages %} were not sufficiently restricted and made it possible to read files on the {% data variables.product.prodname_ghe_server %} instance. To exploit this vulnerability, an attacker would need permission to create and build a {% data variables.product.prodname_pages %} site on the {% data variables.product.prodname_ghe_server %} instance. This vulnerability affected all versions of {% data variables.product.prodname_ghe_server %} prior to 3.1.8 and was fixed in 3.1.8, 3.0.16, and 2.22.22. This is the result of an incomplete fix for CVE-2021-22867. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22868. {% comment %} https://github.com/github/pages/pull/3359, https://github.com/github/pages/pull/3357 {% endcomment %}'
  bugs:
    - 'The {% data variables.product.prodname_github_connect %} configuration of the source instance was always restored to new instances even when the `--config` option for `ghe-restore` was not used. This would lead to a conflict with the {% data variables.product.prodname_github_connect %} connection and license synchronization if both the source and destination instances were online at the same time. {% comment %} https://github.com/github/github/pull/192247, https://github.com/github/github/pull/191951, https://github.com/github/enterprise2/pull/26870, https://github.com/github/backup-utils/pull/770, https://github.com/github/connected-enterprise/issues/208 {% endcomment %}'
    - 'Fixes {% data variables.product.prodname_pages %} builds so they take into account the NO_PROXY setting of the appliance. This is relevant to appliances configured with an HTTP proxy only. {% comment %} https://github.com/github/github/pull/192380 {% endcomment %}'
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in GitHub.com search results.
    - When a replica node is offline in a high availability configuration, {% data variables.product.product_name %} may still route {% data variables.product.prodname_pages %} requests to the offline node, reducing the availability of {% data variables.product.prodname_pages %} for users.