28 lines
3.8 KiB
YAML
28 lines
3.8 KiB
YAML
date: '2021-04-01'
|
|
intro: The minimum infrastructure requirements have increased for {% data variables.product.prodname_ghe_server %} 3.0+. For more information, see "[About minimum requirements for GitHub Enterprise Server 3.0 and later](/admin/enterprise-management/upgrading-github-enterprise-server#about-minimum-requirements-for-github-enterprise-server-30-and-later)."
|
|
sections:
|
|
security_fixes:
|
|
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability has been assigned CVE-2021-22865 and was reported via the [GitHub Bug Bounty Program](https://bounty.github.com)."
|
|
- Packages have been updated to the latest security versions.
|
|
bugs:
|
|
- When maintenance mode was enabled, some services continued to be listed as "active processes" even though they were expected to be running, and should not have been listed.
|
|
- After upgrading from 2.22.x to 3.0.x with GitHub Actions enabled, the self-hosted runner version was not updated and no self-hosted updates were made.
|
|
- Old GitHub Pages builds were not cleaned up leading to increased disk usage.
|
|
- '`memcached` was not running on active replicas.'
|
|
- Upgrade failed when updating file permissions when GitHub Actions was enabled.
|
|
- A timezone set on GitHub Enterprise 11.10.x or earlier was not being used by some services which were defaulting to UTC time.
|
|
- Services were not transitioning to new log files as part of log rotation, resulting in increased disk usage.
|
|
- The `ghe-saml-mapping-csv` command-line utility produced a warning message.
|
|
- The label on search results for internal repositories was shown as "Private" instead of "Internal".
|
|
known_issues:
|
|
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
|
|
- Custom firewall rules are not maintained during an upgrade.
|
|
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
|
|
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
|
|
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
|
|
- Jupyter Notebook rendering in the web UI may fail if the notebook includes non-ASCII UTF-8 characters.
|
|
- reStructuredText (RST) rendering in the web UI may fail and instead display raw RST markup text.
|
|
- When deleting a branch after merging a pull request, an error message appears although the branch deletion succeeds.
|
|
- When a replica node is offline in a high availability configuration, {% data variables.product.product_name %} may still route {% data variables.product.prodname_pages %} requests to the offline node, reducing the availability of {% data variables.product.prodname_pages %} for users.
|
|
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
|