date: '2022-04-04'
sections:
  security_fixes:
    - 'MEDIUM: A path traversal vulnerability was identified in {% data variables.product.prodname_ghe_server %} Management Console that allowed the bypass of CSRF protections. This vulnerability affected all versions of {% data variables.product.prodname_ghe_server %} prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the {% data variables.product.prodname_dotcom %} Bug Bounty program and has been assigned CVE-2022-23732.'
    - 'MEDIUM: An integer overflow vulnerability was identified in the 1.x branch and the 2.x branch of `yajl` which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. This vulnerability was reported internally and has been assigned CVE-2022-24795.'
    - Support bundles could include sensitive files if {% data variables.product.prodname_actions %} was enabled.
    - Packages have been updated to the latest security versions.
  bugs:
    - A workflow run may not complete if it uses composite actions.
    - When enabling {% data variables.product.prodname_dependabot %}, an error caused some security advisories to temporarily read as no longer applicable.
    - Minio processes would have high CPU usage if an old configuration option was present after upgrading {% data variables.product.prodname_ghe_server %}.
    - The options to enable `TLS 1.0` and `TLS 1.1` in the Privacy settings of the Management Console were shown, although removal of those protocol versions occurred in an earlier release.
    - In an HA environment, configuring MSSQL replication could require additional manual steps after enabling {% data variables.product.prodname_actions %} for the first time.
    - A subset of internal configuration files is more reliably updated after a hotpatch.
    - The `ghe-run-migrations` script would sometimes fail to generate temporary certificate names correctly.
    - Pre-receive hooks that used `gpg --import` timed out due to insufficient `syscall` privileges.
    - In some cluster topologies, webhook delivery information was not available.
    - The {% data variables.product.prodname_actions %} deployment graph would display an error when rendering a pending job.
    - Elasticsearch health checks would not allow a yellow cluster status when running migrations.
    - When using the [Migrations API](/rest/reference/migrations), queued export jobs were not processed.
    - Repositories would display a non-functional Discussions tab in the web UI.
    - Organizations created as a result of a user transforming their user account into an organization were not added to the global enterprise account.
    - LDAP user sync jobs would fail when trying to sync GPG keys that had been synced previously.
    - Links to inaccessible pages were removed.
    - Some instances experienced high CPU usage due to large numbers of unnecessary background jobs being queued.
    - Empty repositories didn't sync correctly to cache servers.
    - Adding a team as a reviewer to a pull request would sometimes show the incorrect number of members on that team.
    - The remove team membership API endpoint would respond with an error when attempting to remove a member externally managed via a SCIM Group.
    - A large number of dormant users could cause a {% data variables.product.prodname_github_connect %} configuration to fail.
    - The "Feature & beta enrollments" page in the Site admin web UI was incorrectly available.
    - The "Site admin mode" link in the site footer did not change state when clicked.
  changes:
    - Memcached connection limits were increased to better accommodate large cluster topologies.
    - The Dependency Graph API previously ran with a statically defined port.
    - The default shard counts for cluster-related Elasticsearch shard settings have been updated.
    - The [Migrations API](/rest/reference/migrations) now generates exports of repositories.
    - When filtering enterprise members by organization role on the "People" page, the text for the dropdown menu items has been improved.
    - The "Triage" and "Maintain" team roles are preserved during repository migrations.
    - When using ghe-migrator or exporting from GitHub.com, an export would not include pull request attachments.
    - Performance has been improved for web requests made by enterprise owners.
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
    - |
      After registering a self-hosted runner with the `--ephemeral` parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]
    - |
      When using SAML encrypted assertions with {% data variables.product.prodname_ghe_server %} 3.4.0 and 3.4.1, a new XML attribute `WantAssertionsEncrypted` in the `SPSSODescriptor` contains an invalid attribute for SAML metadata. IdPs that consume this SAML metadata endpoint may encounter errors when validating the SAML metadata XML schema. A fix will be available in the next patch release. [Updated: 2022-04-11]

      To work around this problem, you can take one of the two following actions.
      - Reconfigure the IdP by uploading a static copy of the SAML metadata without the `WantAssertionsEncrypted` attribute.
      - Copy the SAML metadata, remove the `WantAssertionsEncrypted` attribute, host it on a web server, and reconfigure the IdP to point to that URL.
    - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
    - |
      GitHub Pages builds may time out on instances in AWS that are configured for high availability. [Updated: 2022-11-28]
  deprecations:
    - heading: Deprecation of GitHub Enterprise Server 3.0
      notes:
        - '**{% data variables.product.prodname_ghe_server %} 3.0 was discontinued on February 16, 2022**. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, [upgrade to the newest version of {% data variables.product.prodname_ghe_server %}](/enterprise-server@3.4/admin/enterprise-management/upgrading-github-enterprise-server) as soon as possible.'
    - heading: Deprecation of GitHub Enterprise Server 3.1
      notes:
        - '**{% data variables.product.prodname_ghe_server %} 3.1 will be discontinued on June 3, 2022**. This means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, [upgrade to the newest version of {% data variables.product.prodname_ghe_server %}](/enterprise-server@3.4/admin/enterprise-management/upgrading-github-enterprise-server) as soon as possible.'
    - heading: Deprecation of XenServer Hypervisor support
      notes:
        # https://github.com/github/docs-content/issues/4439
        - Starting in {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_ghe_server %} on XenServer was deprecated and is no longer supported. Please contact [GitHub Support](https://support.github.com) with questions or concerns.
    - heading: Deprecation of the Content Attachments API preview
      notes:
        - Due to low usage, we have deprecated the Content References API preview in {% data variables.product.prodname_ghe_server %} 3.4. The API was previously accessible with the `corsair-preview` header. Users can continue to navigate to external URLs without this API. Any registered usages of the Content References API will no longer receive a webhook notification for URLs from your registered domain(s), and we no longer return valid response codes for attempted updates to existing content attachments.
    - heading: Deprecation of the Codes of Conduct API preview
      notes:
        # https://github.com/github/releases/issues/1708
        - 'The Codes of Conduct API preview, which was accessible with the `scarlet-witch-preview` header, is deprecated and no longer accessible in {% data variables.product.prodname_ghe_server %} 3.4. We instead recommend using the "[Get community profile metrics](/rest/reference/repos#get-community-profile-metrics)" endpoint to retrieve information about a repository''s code of conduct. For more information, see the "[Deprecation Notice: Codes of Conduct API preview](https://github.blog/changelog/2021-10-06-deprecation-notice-codes-of-conduct-api-preview/)" in the {% data variables.product.prodname_dotcom %} changelog.'
    - heading: Deprecation of OAuth Application API endpoints and API authentication using query parameters
      notes:
        # https://github.com/github/releases/issues/1316
        - |
          Starting with {% data variables.product.prodname_ghe_server %} 3.4, the [deprecated version of the OAuth Application API endpoints](https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint/#endpoints-affected) have been removed. If you encounter 404 error messages on these endpoints, convert your code to the versions of the OAuth Application API that do not have `access_tokens` in the URL. We've also disabled the use of API authentication using query parameters. We instead recommend using [API authentication in the request header](https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/#changes-to-make).
    - heading: Deprecation of the CodeQL runner
      notes:
        # https://github.com/github/releases/issues/1632
        - The {% data variables.product.prodname_codeql %} runner is deprecated in {% data variables.product.prodname_ghe_server %} 3.4 and is no longer supported. The deprecation only affects users who use {% data variables.product.prodname_codeql %} code scanning in third-party CI/CD systems; {% data variables.product.prodname_actions %} users are not affected. We strongly recommend that customers migrate to the {% data variables.product.prodname_codeql %} CLI, which is a feature-complete replacement for the {% data variables.product.prodname_codeql %} runner. For more information, see the [{% data variables.product.prodname_dotcom %} changelog](https://github.blog/changelog/2021-09-21-codeql-runner-deprecation/).
    - heading: Deprecation of custom bit-cache extensions
      notes:
        # https://github.com/github/releases/issues/1415
        - |
          Starting in {% data variables.product.prodname_ghe_server %} 3.1, support for {% data variables.product.company_short %}'s proprietary bit-cache extensions began to be phased out. These extensions are deprecated in {% data variables.product.prodname_ghe_server %} 3.3 onwards.

          Any repositories that were already present and active on {% data variables.location.product_location %} running version 3.1 or 3.2 will have been automatically updated.

          Repositories which were not present and active before upgrading to {% data variables.product.prodname_ghe_server %} 3.3 may not perform optimally until a repository maintenance task is run and has successfully completed.

          To start a repository maintenance task manually, browse to `https:///stafftools/repositories///network` for each affected repository and click the Schedule button.
  backups:
    - '{% data variables.product.prodname_ghe_server %} 3.4 requires at least [GitHub Enterprise Backup Utilities 3.4.0](https://github.com/github/backup-utils) for [Backups and Disaster Recovery](/admin/configuration/configuring-your-enterprise/configuring-backups-on-your-appliance).'