101 lines
7.9 KiB
YAML
101 lines
7.9 KiB
YAML
date: '2024-03-20'
|
|
intro: |
|
|
{% warning %}
|
|
|
|
**Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.12-known-issues)" section of these release notes.
|
|
|
|
{% endwarning %}
|
|
sections:
|
|
security_fixes:
|
|
- |
|
|
**HIGH:** An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. GitHub has requested CVE ID [CVE-2024-2469](https://www.cve.org/cverecord?id=CVE-2024-2469) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
|
- |
|
|
**HIGH:** An attacker with an editor role in the Management Console could gain SSH access to the instance by command injection when configuring GeoJSON settings. GitHub has requested CVE ID [CVE-2024-2443](https://www.cve.org/cverecord?id=CVE-2024-2443) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
|
- |
|
|
Packages have been updated to the latest security versions.
|
|
bugs:
|
|
- |
|
|
In some cases, storage initialization on a new instance launch could cause EBS-backed data volumes to not be detected correctly.
|
|
- |
|
|
Redundant messages caused an increase in the volume of events logged in `/var/log/syslog`.
|
|
- |
|
|
Administrators could initiate an SSH audit that unknowingly unverified all SSH keys.
|
|
- |
|
|
Attributes used to debug LDAP issues were not included in system logs.
|
|
- |
|
|
On an instance in a cluster configuration with high availability enabled, the `ghe-spokesctl` command failed when run on a replica node.
|
|
- |
|
|
On an instance with GitHub Actions enabled, GitHub Actions workflows that deployed GitHub Pages sites failed with the following error: `Error: Deployment failed, try again later.`
|
|
- |
|
|
Organizations using projects (classic) returned an error log about a soon-to-be deprecated MySQL feature when viewing a project.
|
|
- |
|
|
On an instance in a cluster configuration, Jupyter notebooks did not render correctly.
|
|
- |
|
|
In some cases, manual repository maintenance using ghe-spokesctl would fail with the following error: panic: runtime error: invalid memory address or nil pointer dereference.
|
|
- |
|
|
On an instance with a GitHub Advanced Security license, in some cases, when a user deleted a custom pattern for secret scanning, GitHub Enterprise Server failed to close or delete the pattern's alerts.
|
|
- |
|
|
On an instance in a cluster configuration with many nodes, requests to the REST API for managing GitHub Enterprise Server would exceed the instance's HTTP timeouts.
|
|
- |
|
|
In some cases, the `codeload` service could panic during shutdown and not terminate gracefully.
|
|
- |
|
|
When an administrator set a policy to require two-factor authentication (2FA) for an enterprise, a message incorrectly indicated that users without 2FA enabled on their account would be removed from the enterprise. These users will be removed from repositories and organizations in the enterprise, but not from the enterprise itself.
|
|
- |
|
|
On an instance with a GitHub Advanced Security license, viewing a secret scanning alert as a user without the security manager role would return a `500` error if the alert was generated from a Git tag instead of a normal commit.
|
|
- |
|
|
When using GitHub Enterprise Importer to import repositories, `ghost` users in archive metadata files would cause an error when generating a list of migration conflicts using `ghe-migrator conflicts`.
|
|
- |
|
|
Some API endpoints for projects did not properly filter target repositories based on the users access.
|
|
- |
|
|
After an administrator ran `ghe-saml-mapping-csv`, the output did not include the corresponding SQL query.
|
|
- |
|
|
During a configuration run prompted by the delayed restart of the `notebooks` service, a container validation warning appeared in system logs.
|
|
- |
|
|
On an instance in a cluster configuration, rebuilds of GitHub Pages sites failed if no replicas of the GitHub Pages data were available (for example, on a newly restored cluster).
|
|
- |
|
|
On an instance with code scanning enabled, upgrades to GitHub Enterprise Server version 3.9 or 3.10 could be slow if a large number of code scanning analyses were present on the instance.
|
|
changes:
|
|
- |
|
|
Gists can be deleted using the **Purge Gist** button on the Deleted Gists page in Staff Tools.
|
|
- |
|
|
People deploying a GitHub Enterprise Server instance in AWS can now deploy in an environment that uses Instance Metadata Service Version 2 (IMDSv2).
|
|
- |
|
|
The payload for the `push` webhook event is now limited to 2,048 commits. If there are more than 2,048 commits in a push, the payload for the push webhook will not contain serialized diff information for each commit. If you need to fetch commit information, you can use the Commits endpoints of the REST API. For more information, see "[AUTOTITLE](/webhooks/webhook-events-and-payloads#push)" and "[AUTOTITLE](/rest/commits)."
|
|
known_issues:
|
|
- |
|
|
Custom firewall rules are removed during the upgrade process.
|
|
- |
|
|
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
|
|
- |
|
|
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
|
|
- |
|
|
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
|
|
- |
|
|
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
|
|
- |
|
|
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
|
|
- |
|
|
When enabling CodeQL via default setup [at scale](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale), some checks related to GitHub Actions are omitted, potentially preventing the process from completing.
|
|
- |
|
|
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
|
|
- |
|
|
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
|
|
- |
|
|
{% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
|
|
- |
|
|
{% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
|
|
- |
|
|
{% data reusables.release-notes.2023-11-aws-system-time %}
|
|
- |
|
|
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
|
|
- |
|
|
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
|
|
- |
|
|
{% data reusables.release-notes.2023-10-actions-upgrade-bug %}
|
|
- |
|
|
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
|
|
- |
|
|
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
|
|
- |
|
|
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} [Updated: 2024-06-17]
|