date: '2022-12-13'
sections:
  security_fixes:
    - |
      **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
  bugs:
    - A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later until a site administrator retried the upgrade.
    - When a site administrator ran the `ghe-repl-status` command on a cache replica via the administrative shell (SSH), the command incorrectly reported overall Git and Alambic cluster replication status information as if it pertained only to cache replication.
    - When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.
    - In a high availability configuration, after promotion of a replica to be the primary node, a site administrator could not force replication to stop on a secondary replica node using the `ghe-repl-stop -f` command.
    - When using repository caching with an instance in a high availability configuration, if a Git client used SSH instead of HTTPS for a repositorys remote URL, Git LFS would fetch objects from the instances primary node instead of the appropriate cache replica node.
    - Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
    - When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
    - In some cases, searches via the API returned a `500` error.
    - Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a `500` error.
    - In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
    - Dismissing a Dependabot alert that contained certain characters could result in a `400` error.
    - After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
    - On an instance that uses SAML for authentication, the **Configure SSO** dropdown menu appeared erroneously for personal access tokens and SSH keys.
    - An upgrade from GitHub Enterprise Server 3.5 to 3.7 could fail because the instance had not yet purged deleted repositories.
    - In a high availability or repository caching configuration, Unicorn services on nodes other than the primary node were unable to send log events to the primary node.
    - Fixes a bug in which a GHES log file could get filled very quickly and cause the root drive to run out of free space.
    - When viewing code scanning results for Ruby, an erroneous beta label appeared.
  changes:
    - After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.
    - A user's list of recently accessed repositories no longer includes deleted repositories.
    - '{% data reusables.release-notes.scim-custom-mappings-supported-change %}'
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - Actions services need to be restarted after restoring an instance from a backup taken on a different host.
    - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
    - In some cases, users cannot convert existing issues to discussions.
    - During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
    - '{% data reusables.release-notes.repository-inconsistencies-errors %}'
    - '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
    - '{% data reusables.release-notes.new-subdomains-missing-from-management-console %}'
    - '{% data reusables.release-notes.scim-saml-tokens-known-issue %}'
    - '{% data reusables.release-notes.git-push-known-issue %}'
    - '{% data reusables.release-notes.replication-commands-in-maintenance-mode-known-issue %}'
    - '{% data reusables.release-notes.slow-deleted-repos-migration-known-issue %}'