docs/data/release-notes/enterprise-server/3-13/3.yml

date: '2024-08-20'
sections:
  features:
    - |
      Users can view the app state of gists, networks, and wikis in the `spokesctl info` output, enhancing visibility into the status of these elements. Additionally, `spokesctl check` can diagnose and, in most cases, fix empty repository networks, improving network management.
  security_fixes:
    - |
      **CRITICAL:** On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges. GitHub has requested CVE ID [CVE-2024-6800](https://www.cve.org/cverecord?id=CVE-2024-6800) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
    - |
      **MEDIUM:** An attacker could update the `title`, `assignees`, and `labels` of any issue inside a public repository. This was only exploitable inside a public repository, and private/internal repositories were not affected. GitHub has requested CVE ID [CVE-2024-7711](https://www.cve.org/cverecord?id=CVE-2024-7711) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
    - |
      **MEDIUM:** An attacker could disclose the issue contents from a private repository using a GitHub App with only `contents: read` and `pull requests: write` permissions. This was only exploitable via user access token, and installation access tokens were not impacted. GitHub has requested CVE ID [CVE-2024-6337](https://www.cve.org/cverecord?id=CVE-2024-6337) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
    - |
      Packages have been updated to the latest security versions.
  bugs:
    - |
      During hotpatching and sometimes when applying configuration changes, a configuration run to upgrade the GitHub Actions service was unnecessarily triggered. The GitHub Actions service will only be upgraded in GitHub Enterprise Server feature releases.
    - |
      On an instance with GitHub Actions enabled, during a hotpatch upgrade, a race condition could block various upgrade activities.
    - |
      The `ghe-config-apply` process made an unnecessary number of connections to Redis.
    - |
      Upgrading the Dependency Graph sometimes failed due to outdated data from `go.sum` manifests.
    - |
      Restarting the `resolvconf` service would not correctly update the contents of `/etc/resolv.conf`.
    - |
      The configuration log at `/data/user/common/ghe-config.log` was no longer rotated to `/data/user/config-apply/logs/` after each config apply run. This was because a regular expression failed to match after timestamps were added to the config apply log.
    - |
      Empty lines were inserted into the configuration log at `/data/user/common/ghe-config.log`.
    - |
      Instances installed on Google Cloud Platform (GCP) could have their hostname overwritten by GCP when a hotpatch was applied.
    - |
      The minimum password requirements for Management Console users and the root site administrator required an upper case character when providing a password with a minimum of 8 characters, contradicting the documentation and password hint.
    - |
      The `ghe-migrations` utility for visualizing migrations did not work due to a regression. Administrators can now run `ghe-migrations` to view the progress and status of `github` migrations, or run `ghe-migrations --all` to view progress on all services.
    - |
      On an instance with subdomain isolation enabled, configuration runs created subdomains for ChatOps services, such as `slack.HOSTNAME` and `teams.HOSTNAME`, regardless of whether the service was enabled.
    - |
      Audit log data migration failed on instances using a legacy Elasticsearch data directory.
    - |
      When clicking the help link under the Authentication header in enterprise-manage, the user would be redirected to `/admin/managing-accounts-and-repositories` instead of `/admin/managing-iam/understanding-iam-for-enterprises/about-identity-and-access-management`.
    - |
      During support bundle generation or when running `ghe-diagnostics`, filesystem usage for the Elasticsearch data directory was not be included.
    - |
      On an instance with GitHub Actions enabled, due to an insufficient wait time, MS SQL and MySQL replication could fail with the error message `Failed to start nomad service!`.
    - |
      Site administrators could not switch maintenance mode directly from "scheduled" to "on," or vice versa.
    - |
      Some users were unable to delete project views.
    - |
      On the repository settings page for GitHub Pages, users saw an option to upgrade to GitHub Enterprise to use GitHub Pages with private visibility.
    - |
      When importing using `ghe-migrator`, team URLs containing dots were imported as-is, leading to 404s when attempting to view the imported teams. Dots in imported team URLs are now escaped to dashes.
    - |
      In the file tree on the "Files changed" tab of a pull request, users could not collapse or expand directories.
    - |
      Due to a regression introduced in a previous patch, for enterprises that use encrypted SAML assertions, SSO attempts failed with a digest mismatch error if the entire SAML response was signed, rather than just the assertions.
    - |
      Administrators sometimes saw an error message when visiting the administrative search page.
    - |
      On an instance with subdomain isolation enabled, images served from a subdomain or external source did not render correctly in issues opened in the Projects side panel.
    - |
      Running `go get` for a Golang repository with a directory structure that overlaps with GitHub UI routes failed
    - |
      The wrong help link was displayed when push protection blocked a secret from the CLI.
    - |
      Embedded images in wiki pages were broken.
    - |
      For repositories with issues disabled, issue links were redirected to pull requests.
    - |
      In custom pre-receive hooks, the paths stored in environment variables that allow for newly pushed objects to be in a quarantine directory could be incorrectly interpreted as relative to a worktree instead of the Git directory, causing certain commands to fail to read from the repository. The variables now use absolute paths.
    - |
      A corrupted entry in the Git audit log could cause out of memory errors.
    - |
      Fixes and improvements for the git core module.
    - |
      When enabling GitHub Advanced Security for an organization, active committers in other organizations were not accounted for.
    - |
      Following an upgrade, Elasticsearch search migrations are sometimes incorrectly reported as failing in the audit log, even though the migrations completed successfully. [Updated: 2024-09-27]
  changes:
    - |
      Actions KPI logs are disabled by default to reduce log size.
    - |
      When running `ghe-support-bundle`, the support bundle includes the Elasticsearch config.
    - |
      In the site admin dashboard, administrators have more granular options for the maximum object size in repositories.
    - |
      Users can set their styling preference for link underlines in the web interface, on their "Accessibility" settings page.
    - |
      Audit log events related to audit log streaming are available in the enterprise audit log page, and via audit log streaming.
  known_issues:
    - |
      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
    - |
      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
    - |
      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
    - |
      Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
    - |
      Due to a known regression, operators will not be able to use the `ghe-migrations` visualizer to view the status of migrations during an upgrade. Instead, the operator can inspect the log files in `/var/log/dbmigration` to see the status and progress of migrations.
    - |
      For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
    - |
      `TokenScanningServiceMetricsApiError` errors may appear after the upgrade.
    - |
      When following the steps for [Replacing the primary MySQL node](/enterprise-server@3.12/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
    - |
      Memory utilization may increase after the upgrade. During periods of high traffic, interruptions in service may occur due to insufficient memory allocations for internal components.
    - |
      Running a `config apply` as part of the steps for [Replacing a node in an emergency](/enterprise-server@3.12/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
    - |
      Including `../` when editing a file name does not move the file up a directory level.
    - |
      If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.
    - |
      When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job.  It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
    - |
      The global search bar does not have suggestions enabled due to the redesigned navigation and pending new search experience.
    - |
      When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
    - |
      Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
    - |
      Instance setup in AWS with IMDSv2 enforced fails if no public IP is present.
    - |
      {% data reusables.release-notes.2024-08-resolvconf-wont-start %}

      [Updated: 2024-08-26]
    - |
      {% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}

      [Updated: 2024-11-29]
    - |
      {% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}

      [Updated: 2025-03-12]

  errata:
    - |
      These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.13.3 when log forwarding is enabled, some forwarded log entries may be duplicated.
      The fix for this problem was already included in GitHub Enterprise Server [3.13.2](/admin/release-notes#3.13.2-bugs). [Updated: 2024-09-16]