date: '2022-11-22'
sections:
  security_fixes:
    - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
    - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
    - |
      **MEDIUM**: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify GitHub Actions workflow files without a workflow scope. The "[Create or Update file contents API](/rest/repos/contents#create-or-update-file-contents)" should enforce workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com) and has been assigned [CVE-2022-46258](https://www.cve.org/CVERecord?id=CVE-2022-46258).
  bugs:
    - If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.
    - Setting the maintenance mode with an IP Exception List would not persist across upgrades.
    - GitHub Pages builds could time out on instances in AWS that are configured for high availability.
    - Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the `ghe-repl-status` output on those nodes.
    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
    - The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
    - "When using the CodeQL action, the runs annotations would include a spurious `HttpError: Upload not found` error."
    - When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.
    - If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook.
    - In some cases, an instance could replace an active repository with a deleted repository.
    - Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000.
    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
    - Zombie processes no longer accumulate in the `gitrpcd` container.
  changes:
    - If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
    - Actions services need to be restarted after restoring an instance from a backup taken on a different host.
    - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
    - In some cases, users cannot convert existing issues to discussions.
    - Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
    - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
    - |
      Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this [upstream commit](https://github.com/git/git/commit/968f12fdac) in the Git project.

      If you suspect a problem like this exists in one of your repositories, you can run `git-crash-fix analyze` in the repository on your GitHub Enterprise Server instance. If `git-crash-fix analyze` reports problems, [contact GitHub Enterprise Support](/support/contacting-github-support/creating-a-support-ticket) for assistance, and include the command output in your support request.
    - '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'