54c60e330a
Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: Jiaqi Liu <1573931+itsJiaqi@users.noreply.github.com> Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com>
32 lines
3.7 KiB
YAML
32 lines
3.7 KiB
YAML
date: '2023-02-02'
|
|
sections:
|
|
security_fixes:
|
|
- "**MEDIUM**: A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner due to improper sanitization of null bytes. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-22381](https://www.cve.org/CVERecord?id=CVE-2023-22381)."
|
|
- Packages have been updated to the latest security versions.
|
|
bugs:
|
|
- After a site administrator adjusted the cutoff date for allowing SSH connections with RSA keys using `ghe-config app.gitauth.rsa-sha1`, the instance would still disallow connections with RSA keys if the connection attempt was signed by the SHA-1 hash function.
|
|
- During the validation phase of a configuration run, a `No such object error` may have occurred for the Notebook and Viewscreen services.
|
|
- After disabling Dependabot updates, the avatar for Dependabot was displayed as the **@ghost** user in the Dependabot alert timeline.
|
|
- In some cases, users could experience a `500` error when viewing the **Code security & analysis** settings page for an instance with a very high number of active committers.
|
|
- Some links to contact GitHub Support or view the GitHub Enterprise Server release notes were incorrect.
|
|
- The additional committers count for GitHub Advanced Security always showed 0.
|
|
- In some cases, users were unable to convert existing issues to discussions. If an issue is stuck while being converted to a discussion, enterprise owners can review the "Known issues" section below for more information.
|
|
known_issues:
|
|
- |
|
|
{% data reusables.release-notes.upgrade-mysql8-cannot-start-up %}
|
|
- |
|
|
{% data reusables.release-notes.enterprise-backup-utils-encryption-keys %}
|
|
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
|
|
- Custom firewall rules are removed during the upgrade process.
|
|
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
|
|
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
|
|
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
|
|
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
|
|
- During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
|
- '{% data reusables.release-notes.repository-inconsistencies-errors %}'
|
|
- '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
|
|
- '{% data reusables.release-notes.stuck-discussion-conversion-issue %}'
|
|
- '{% data reusables.release-notes.git-push-known-issue %}'
|
|
- '{% data reusables.release-notes.replication-commands-in-maintenance-mode-known-issue %}'
|
|
- '{% data reusables.release-notes.slow-deleted-repos-migration-known-issue %}'
|