docs/data/release-notes/enterprise-server/3-11/13.yml

date: '2024-07-19'
intro: |

     >[!NOTE] Due to a bug that caused hotpatch upgrades to fail for instances on Microsoft Azure, the previous patch release in this series (**3.11.12**) is not available for download. The following release notes include the updates introduced in that release.
sections:
  security_fixes:
    - |
      **HIGH**: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of "have" and "want" lines for Git read operations. GitHub has requested CVE ID [CVE-2024-5795](https://www.cve.org/cverecord?id=CVE-2024-5795) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
    - |
      **MEDIUM:** An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related {% data variables.product.pat_generic %}. GitHub has requested CVE ID [CVE-2024-5566](https://www.cve.org/cverecord?id=CVE-2024-5566) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
    - |
      **MEDIUM:** An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID [CVE-2024-5816](https://www.cve.org/cverecord?id=CVE-2024-5816) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
    - |
      **MEDIUM:** An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker's fork of their own repository. GitHub has requested CVE ID [CVE-2024-5815](https://nvd.nist.gov/vuln/detail/CVE-2024-5815) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
    - |
      **MEDIUM:** An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID [CVE-2024-6395](https://www.cve.org/cverecord?id=CVE-2024-6395) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
    - |
      **LOW:** Instance administrators could see fine-grained {% data variables.product.pat_generic_plural %} in plaintext in the babeld and gitauth logs.
    - |
      **LOW:** An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
    - |
      **LOW:** An attacker could include MathJax syntax in Markdown to bypass GitHubs normal restrictions on CSS properties in Markdown. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
    - |
      **MEDIUM:** An attacker could disclose sensitive information from a private repository exploiting organization ruleset features. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. GitHub has requested CVE ID [CVE-2024-6336](https://www.cve.org/cverecord?id=CVE-2024-6336) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
    - |
      **MEDIUM:** An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID [CVE-2024-5817](https://nvd.nist.gov/vuln/detail/CVE-2024-5817) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
    - |
      Packages have been updated to the latest security versions.
  bugs:
    - |
      When an instance hosted on Azure was upgraded with a hotpatch, the upgrade failed with an `rsync` error.
    - |
      On an instance with GitHub Actions enabled, remote blob storage could fill up with large amounts of data because cleanup jobs were skipped on old hosts.
    - |
      The threshold set by `server_rejoin_age_max` for single-node GHES deployments was too low.
    - |
      In some cases, commands run in an administrative SSH shell were not written to the audit log.
    - |
      When an administrator submitted support data to GitHub Support, spokesd keys were incorrectly sanitized.
    - |
      When log forwarding was enabled, some specific service logs, including babeld, gitauth, unicorn, and resqued, were duplicated.
    - |
      During the initial boot of an instance, a data disk attached as `/dev/sdb` may not have been recognized as an available disk.
    - |
      In a high availablity configuration, running `ghe-repl-node` multiple times from a node that did not have replication running had the potential to overwrite the configuration on the primary node.
    - |
      Configuration history is only generated for instances in a cluster, high availability (HA) cluster, or standalone HA configuration. The current node must be a primary or replica node with replication running.
    - |
      In some cases, the HAProxy `kill_timeout` setting caused service outages during upgrades or large transactions.
    - |
      The `ssh-audit-log.sh` script did not effectively log SSH commands, and the `ghe-sanitize-log.psed` script inadequately sanitized password-related logs.
    - |
      The default MSSQL timeout of 8 seconds sometimes caused issues during administrator activities. The default timeout has been increased to 30 seconds.
    - |
      For an instance running on Microsoft Azure, the user disk service failed to start because the attached volume could not be found.
    - |
      Establishing a new GitHub Connect connection could fail with a 500 error.
    - |
      When using `ghe-migrator` to migrate a repository, the links for pull requests merge commits were not imported.
    - |
      When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without `before` or `after` query parameters), the REST API endpoints for secret scanning returned incorrect `Link` headers.
    - |
      On certain branch names, the branch info bar was causing frozen string errors.
    - |
      On instances with SAML authentication configured, users were unable to sign out and became stuck in an infinite SAML SSO loop.
    - |
      On instances with SCIM enabled, the administrator was unable to view users without an external identity record (for example, because they were provisioned before SCIM was enabled on the instance) in stafftools.
    - |
      On instances enrolled in the SCIM private beta, built-in authentication users can be added to organizations and teams. Organization owners will no longer see the misleading message that the organization membership is managed by the SAML identity provider when updating organization memberships.
    - |
      Enterprise owners managed by an identity provider were asked to authenticate within GitHub when performing privileged actions.
    - |
      On an instance that restricts emails to verified domains, secret scanning emails would sometimes be sent to an unverified domain.
    - |
      In some cases, on the "Files" tab of a pull request, a comment on the first line did not render.
    - |
      Some organizations were not recognized as part of an instance's enterprise account.
    - |
      Some users would encounter an error when navigating to their personal security settings page at `https://HOSTNAME/settings/security`.
    - |
      The `SpokesSyncCacheReplicaJob` could not initialize in some cases, resulting in an exception when handling the error.
    - |
      On the "Code scanning" page of a repository, the branch filter did not correctly display all branches.
    - |
      When including a `.gitignore` or `README.md` file on repository creation failed due to a ruleset or pre-receive hook, no error message displayed.
    - |
      On an instance with a GitHub Advanced Security license, requests to the `/enterprises/{enterprise}/settings/billing/advanced-security` REST API endpoint could fail due to timeout.
    - |
      Users viewing the alerts index page experienced inconsistencies in rendering the closed alert state.
    - |
      Organizations named "C" were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
    - |
      On an instance with a GitHub Advanced Security license, commits made by users who do not belong to an organization were not counted.
    - |
      When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
    - |
      Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.
    - |
      On an instance in a cluster configuration, the `ghe-spokesctl ssh` command did not select the correct Nomad container when running a command within a Git repository.
    - |
      On an instance with a GitHub Advanced Security license, disabling and re-enabling GitHub Advanced Security for an organization resulted in redundant scans of some repositories.
    - |
      On an instance with a GitHub Advanced Security license, contributions were not tracked on public repositories.
    - |
      On an instance with a GitHub Advanced Security license, the "adjust configuration" step failed when enabling code scanning with the default setup on self-hosted Windows runners.
  changes:
    - |
      In a high availability configuration, users can only run `ghe-config-apply` or `ghe-cluster-config-apply` on a replica node if replication is already running (from `ghe-repl-start`). If replication isnt running on the node, the user will be instructed to start replication.
    - |
      Configuration history has been extended. When `ghe-config-apply`, `ghe-cluster-config-apply`, or `ghe-config-archive` is run: `secrets.conf` is captured, a sha256sum for each of the current configuration files is included, the existing patch that is generated includes `secrets.conf`, and an additional sanitized patch that excludes `secrets.conf` is also generated.
    - |
      The timeout for requests made to the REST API endpoints for secret scanning has been extended.
    - |
      A more specific error message is shown when a non-provisioned user tried to sign in to an instance with SCIM enabled.
    - |
      When a user changes a repository's visibility to public, the user is now warned that previous Actions history and logs will become public as well.
    - |
      A more specific error message is shown when a deprovisioned user attempts signing into an instance with SCIM enabled.
    - |
      In the audit logs, administrators can see more context for failed user authentication attempts using LDAP.
    - |
      The system logs provide more context for authentication failures related to multi-factor authentication.
    - |
      When using the `ghe-webhook-logs` utility, webhook delivery logs can be filtered by event and action. Users can use `ghe-webhook-logs --event issues` to filter by event, or `ghe-webhook-logs --event issues.opened` to filter by event and action.
    - |
      To avoid excessive log volume and associated disk pressure, requests for `GetCacheKey` are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.
  known_issues:
    - |
      Custom firewall rules are removed during the upgrade process.
    - |
      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
    - |
      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
    - |
      If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
    - |
      The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
    - |
      {% data reusables.release-notes.2023-11-aws-system-time %}
    - |
      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
    - |
      {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
    - |
      {% data reusables.release-notes.large-adoc-files-issue %}
    - |
      {% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
    - |
      {% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
    - |
      {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
    - |
      Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
    - |
      Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
    - |
      The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
    - |
      _Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised._
    - |
      If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.