jprdonnelly/docs
1
0
Fork 0
mirror of synced 2026-01-03 06:04:16 -05:00
Code Issues Projects Releases Wiki Activity
Files
07f8bdb5baabbd342cbaef77f74e22da2d42b607
docs/data/release-notes/enterprise-server/3-7/1.yml
David Jarzebowski 54c60e330a Document a known issue with MySQL when upgrading to GHES 3.9 (#39751) 
Co-authored-by: Laura Coursen <lecoursen@github.com>
Co-authored-by: Jiaqi Liu <1573931+itsJiaqi@users.noreply.github.com>
Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com>
2023-07-28 00:45:48 +00:00

48 lines
6.2 KiB
YAML
Raw Blame History

date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2022-23740](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23740). [Updated: 2022-12-02]"
- "**HIGH**: A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability has been assigned [CVE-2022-46255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46255)."
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-23739](https://www.cve.org/CVERecord?id=CVE-2022-23739)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
bugs:
- If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.
- Running the `ghe-spokesctl` command returned a `failed to get repo metrics` error.
- Setting the maintenance mode with an IP Exception List would not persist across upgrades.
- GitHub Pages builds could time out on instances in AWS that are configured for high availability.
- Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the `ghe-repl-status` output on those nodes.
- The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
- When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.
- If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
- If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook.
- In some cases, an instance could replace an active repository with a deleted repository.
- Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000.
- After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
- Zombie processes no longer accumulate in the `gitrpcd` container.
- On an instance with GitHub Packages configured, package upload and installation could fail for customers using a VPC endpoint URL for AWS S3 blob storage.
- In some cases, after upgrading to GitHub Enterprise Server 3.7.0, users may encounter `Internal Server Error` or `500` errors when initiating Git operations over SSH or HTTPS.
changes:
- If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.
- To avoid failing domain verification due to the 63-character limit enforced by DNS providers for DNS records, the GitHub-generated `TXT` record to verify domain ownership is now limited to 63 characters.
known_issues:
- |
{% data reusables.release-notes.upgrade-mysql8-cannot-start-up %}
- |
{% data reusables.release-notes.enterprise-backup-utils-encryption-keys %}
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- In some cases, users cannot convert existing issues to discussions.
- During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- '{% data reusables.release-notes.repository-inconsistencies-errors %}'
- '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
- '{% data reusables.release-notes.new-subdomains-missing-from-management-console %}'
- '{% data reusables.release-notes.git-push-known-issue %}'
- '{% data reusables.release-notes.replication-commands-in-maintenance-mode-known-issue %}'
- '{% data reusables.release-notes.slow-deleted-repos-migration-known-issue %}'
Reference in New Issue View Git Blame Copy Permalink