date: '2022-09-21' sections: security_fixes: - | **HIGH**: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges. - | **MEDIUM**: The use of a Unicode right-to-left override character in the list of accessible files for a GitHub App could obscure additional files that the app could access. - Packages have been updated to the latest security versions. bugs: - Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters. - Configuration runs could fail when `retry-limit` or `retry-sleep-duration` were manually set by an administrator using `ghe-config`. - In some cases, the Management Console's monitor dashboard would not load correctly. - Removed a non-functional link for exporting Management Console monitor graphs as a PNG image. - When sending a support bundle to GitHub Enterprise Support using `ghe-support-upload`, the `-t` option would not successfully associate the uploaded bundle with the specified ticket. - A link back to the security settings for the instance's enterprise account could render an incorrect view. - Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size. - After a user deleted or restored packages from the web interface, counts for packages could render incorrectly. - After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails. - Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed. - When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed. known_issues: - After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command. - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user. - Custom firewall rules are removed during the upgrade process. - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters. - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results. - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues. - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail. - '{% data variables.product.prodname_actions %} storage settings cannot be validated and saved in the {% data variables.enterprise.management_console %} when "Force Path Style" is selected, and must instead be configured with the `ghe-actions-precheck` command line utility.' - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}' - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'