jprdonnelly/docs
1
0
Fork 0
mirror of synced 2026-01-07 00:01:39 -05:00
Code Issues Projects Releases Wiki Activity
Files
75eea7686ea985f7efa03e2d1bc215dbcbc73adf
docs/data/release-notes/enterprise-server/3-4/15.yml

22 lines
3.1 KiB
YAML
Raw Blame History

date: '2023-02-02'
sections:
security_fixes:
- "**MEDIUM**: A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner due to improper sanitization of null bytes. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-22381](https://www.cve.org/CVERecord?id=CVE-2023-22381)."
- Packages have been updated to the latest security versions.
bugs:
- During the validation phase of a configuration run, a `No such object error` may have occurred for the Notebook and Viewscreen services.
- When enabling automatic TLS certificate management with Let's Encrypt, the process could fail with the error `The certificate is not signed by a trusted certificate authority (CA) or the certificate chain in missing intermediate CA signing certificates`.
changes:
- When a timeout occurs during diff generation, such as when a commit displays an error that the diff is taking too long to generate, the `push` webhook event will deliver empty diff information. Previously, the `push` webhook event would fail to be delivered.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- |
After registering a self-hosted runner with the `--ephemeral` parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]
- After upgrading to {% data variables.product.prodname_ghe_server %} 3.4, releases may appear to be missing from repositories. This can occur when the required Elasticsearch index migrations have not successfully completed.
- '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
Reference in New Issue View Git Blame Copy Permalink