f9ad5851ca
Co-authored-by: Peter Bengtsson <peterbe@github.com> Co-authored-by: Evan Bonsignori <ebonsignori@github.com>
116 lines
8.8 KiB
YAML
116 lines
8.8 KiB
YAML
date: '2023-07-18'
|
|
sections:
|
|
security_fixes:
|
|
- |
|
|
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
|
|
- |
|
|
Packages have been updated to the latest security versions.
|
|
- |
|
|
**LOW:** An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and was assigned [CVE-2023-23765](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23765).
|
|
bugs:
|
|
- |
|
|
If MinIO was configured for external blob storage on an instance with GitHub Actions enabled and MinIO was configured for bucket replication, the instance's credential validation with MinIO would occasionally fail.
|
|
- |
|
|
Customers who use Azure Blob store as the remote blob provider to back GitHub Packages would have validation errors if the `EndpointSuffix` part of their Connection string was anything other than `core.windows.net`. Now all valid `EndpointSuffix` are accepted.
|
|
- |
|
|
When a user viewed a Jupyter notebook, GitHub Enterprise Server returned a `500` error code if the instance was configured with a self-signed TLS certificate.
|
|
- |
|
|
After creation of a blob object from the web UI, pre-receive hook events were missing from the instance's audit log.
|
|
- |
|
|
On an instance in a high availability configuration, on some platforms, replication could perform poorly over links with very high latency.
|
|
- |
|
|
On an instance with custom firewall rules defined, a configuration run with `ghe-config-apply` could take longer than expected.
|
|
- |
|
|
On an instance with an outbound web proxy server configured, the proxy interfered with internal operations that used `nomad alloc exec`.
|
|
- |
|
|
On an instance in a cluster configuration, the `ghe-cluster-balance` behaved inconsistently when displaying status or managing jobs with more than one task group.
|
|
- |
|
|
On an instance configured for LDAP authentication, if the LDAP server sent an empty string for the `sshPublicKey` attribute, LDAP user sync would fail.
|
|
- |
|
|
When an administrator updated an instance's TLS certificate via the API as a query parameter instead of in the request body, the certificate and key appeared in `unicorn.log`.
|
|
- |
|
|
Jobs that performed daily clean-up tasks failed to run, so old data was not removed from the MySQL database.
|
|
- |
|
|
After creation of a new Management Console user, the Management Console did not display the button to copy the new users invitation.
|
|
- |
|
|
`ghe-service-list` erroneously reported errors because the utility looked for systemd services that have been migrated to Nomad.
|
|
- |
|
|
On an instance in a high availability configuration, when adding a new node, connection checks between existing nodes would fail.
|
|
- |
|
|
On an instance with Dependabot enabled, in some situations, Dependabot alerts were not updated when a user pushed to a repository.
|
|
- |
|
|
In rare circumstances, Git commits signed with SSH keys using the RSA algorithm would incorrectly indicate the signature was invalid.
|
|
- |
|
|
After a migration using GitHub Enterprise Importer, some repository autolink references were created with an incorrect format.
|
|
- |
|
|
In some cases on an instance without a GitHub Advanced Security license, Redis exceeded the maximum default memory allocation, causing `500` errors for the instance's users.
|
|
- |
|
|
On an instance with many organizations, the enterprise security overview page returned a `500` error.
|
|
- |
|
|
On an instance that was not configured to deliver email notifications using SMTP, background jobs to deliver email were enqueued unnecessarily.
|
|
- |
|
|
Users were unable to configure a SSH certificate authority for an organization.
|
|
- |
|
|
An erroneous "Blocked Copilot Repositories" link was visible in site admin pages for organizations.
|
|
- |
|
|
Events related to repository notifications did not appear in the audit log.
|
|
- |
|
|
On an instance with a GitHub Advanced Security license and secret scanning enabled, in some cases, a committer would not receive an email notification for a secret scanning alert where push protections were bypassed.
|
|
- |
|
|
On an instance with a GitHub Advanced Security license, if a user filtered by a custom pattern on an organizations "Code & security analysis" page using an invalid query, the entire GitHub Advanced Security disappeared and an error reading "Sorry, something went wrong loading GitHub Advanced Security settings" appeared.
|
|
- |
|
|
On an instance with a GitHub Advanced Security license and secret scanning enabled, output from Git for a push blocked by push protection always included an `http://` link.
|
|
- |
|
|
Querying the audit log for `hashed_token` returned no results.
|
|
- |
|
|
The audit log reported the incorrect target repository for pre-receive hook failures.
|
|
- |
|
|
Links to wiki pages in Markdown headers did not point to the correct path, resulting in a `404 Not Found` error.
|
|
- |
|
|
GitHub Actions will now properly execute after restoring a deleted repository.
|
|
- |
|
|
On an instance with multiple nodes, when using the `spokesctl` command-line utility to manage repositories with replicas that failed to fully create, the utility would spuriously attempt to repair healthy replicas.
|
|
changes:
|
|
- |
|
|
On an instance in a cluster configuration, the `ghe-cluster-config-check` command-line utility will return an affirmative message when no warnings or errors are detected. The affirmative message is "Configuration validation complete. No errors found."
|
|
- |
|
|
During initialization of a cluster configuration, output from the `ghe-cluster-config-init` command-line utility is improved and simplified.
|
|
- |
|
|
The Management Console displays a warning about unexpected consequences that may result from modification of the instance's hostname after initial configuration.
|
|
known_issues:
|
|
- |
|
|
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} [Updated: 2023-10-26]
|
|
- |
|
|
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %} [Updated: 2023-08-11]
|
|
- |
|
|
Custom firewall rules are removed during the upgrade process.
|
|
|
|
- |
|
|
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
|
- |
|
|
If the root site administrator is locked out of the Management Console after failed login attempts, the account will not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[Troubleshooting access to the Management Console](/enterprise-server@3.8/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." [Updated: 2023-02-23]
|
|
- |
|
|
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
|
|
- |
|
|
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
|
|
- |
|
|
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
|
|
- |
|
|
{% data reusables.release-notes.mermaid-rendering-known-issue %}
|
|
- |
|
|
{% data reusables.release-notes.enterprise-backup-utils-encryption-keys %} [Updated: 2023-07-31]
|
|
- |
|
|
{% data reusables.release-notes.migrations-missing-section-known-issue %} [Updated: 2023-08-18]
|
|
- |
|
|
{% data reusables.release-notes.2023-08-mssql-replication-known-issue %} [Updated: 2023-08-24]
|
|
- |
|
|
{% data reusables.release-notes.2023-10-support-bundle-p-flag-not-working %} [Updated: 2023-10-13]
|
|
- |
|
|
{% data reusables.release-notes.scheduled-reminders-unintentional %} [Updated: 2023-10-17]
|
|
- |
|
|
{% data reusables.release-notes.2023-11-aws-system-time %} [Updated 2023-11-10]
|
|
- |
|
|
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %} [Updated 2023-12-05]
|
|
- |
|
|
{% data reusables.release-notes.2023-12-client-ip-addresses-incorrect-in-audit-log %} [Updated 2023-12-13]
|