docs/data/release-notes/enterprise-server/3-2/11.yml
Cameron Smith 5690d8b305 3.1.19, 3.2.11, 3.3.6, and 3.4.1 Patch Release Notes (#26626)
Co-authored-by: Vanessa <vgrl@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: Rachael Sewell <rachmari@github.com>
2022-04-05 08:13:15 +10:00
date: '2022-04-04'
sections:
  security_fixes:
    - 'MEDIUM: A path traversal vulnerability was identified in {% data variables.product.prodname_ghe_server %} Management Console that allowed the bypass of CSRF protections. This vulnerability affected all versions of {% data variables.product.prodname_ghe_server %} prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the {% data variables.product.prodname_dotcom %} Bug Bounty program and has been assigned CVE-2022-23732.'
    - 'MEDIUM: An integer overflow vulnerability was identified in the 1.x branch and the 2.x branch of `yajl` that leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. This vulnerability was reported internally and has been assigned CVE-2022-24795.'
    - Support bundles could include sensitive files if {% data variables.product.prodname_actions %} was enabled.
    - Packages have been updated to the latest security versions.
  bugs:
    - Minio processes would have high CPU usage if an old configuration option was present after upgrading {% data variables.product.prodname_ghe_server %}.
    - The options to enable `TLS 1.0` and `TLS 1.1` in the Privacy settings of the Management Console were still shown, even though those protocol versions had been removed in an earlier release.
    - In an HA environment, configuring MSSQL replication could require additional manual steps after enabling {% data variables.product.prodname_actions %} for the first time.
    - A subset of internal configuration files are more reliably updated after a hotpatch.
    - The `ghe-run-migrations` script would sometimes fail to generate temporary certificate names correctly.
    - In a cluster environment, Git LFS operations could fail because internal API calls that crossed multiple web nodes failed.
    - Pre-receive hooks that used `gpg --import` timed out due to insufficient `syscall` privileges.
    - In some cluster topologies, webhook delivery information was not available.
    - In HA configurations, tearing down a replica would fail if {% data variables.product.prodname_actions %} had previously been enabled.
    - Elasticsearch health checks would not allow a yellow cluster status when running migrations.
    - Organizations created as a result of a user transforming their user account into an organization were not added to the global enterprise account.
    - When using `ghe-migrator` or exporting from {% data variables.product.prodname_dotcom_the_website %}, a long-running export would fail when data was deleted mid-export.
    - The {% data variables.product.prodname_actions %} deployment graph would display an error when rendering a pending job.
    - Links to inaccessible pages were removed.
    - Navigating away from a comparison of two commits in the web UI would cause the diff to persist on other pages.
    - Adding a team as a reviewer to a pull request would sometimes show the incorrect number of members on that team.
    - The [Remove team membership for a user](/rest/reference/teams#remove-team-membership-for-a-user) API endpoint would respond with an error when attempting to remove a member managed externally by a SCIM group.
    - A large number of dormant users could cause a {% data variables.product.prodname_github_connect %} configuration to fail.
    - The "Feature & beta enrollments" page in the Site admin web UI was incorrectly available.
    - The "Site admin mode" link in the site footer did not change state when clicked.
    - 'The `spokesctl cache-policy rm` command no longer fails with the message `error: failed to delete cache policy`.'
  changes:
    - Memcached connection limits were increased to better accommodate large cluster topologies.
    - The Dependency Graph API previously ran with a statically defined port.
    - The default shard counts for cluster-related Elasticsearch shard settings have been updated.
    - The "Triage" and "Maintain" team roles are preserved during repository migrations.
    - Performance has been improved for web requests made by enterprise owners.
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.