Co-authored-by: Release-Controller <releasecontroller@github.com>
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
48 lines
4.0 KiB
YAML
date: '2024-06-19'
sections:
  security_fixes:
    - |
      **HIGH**: An attacker with the site administrator role could gain arbitrary code execution capability on the GitHub Enterprise Server appliance when configuring audit log streaming. GitHub has requested CVE ID [CVE-2024-5746](https://www.cve.org/cverecord?id=CVE-2024-5746) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
    - |
      Packages have been updated to the latest security versions.
  bugs:
    - |
      On an instance with GitHub Actions and External MySQL enabled, a validation step in the config apply could fail.
    - |
      Users would see an error message from the server while pushing to a gist (the push would still complete).
  known_issues:
    - |
      Custom firewall rules are removed during the upgrade process.
    - |
      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
    - |
      If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
    - |
      If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
    - |
      The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
    - |
      {% data reusables.release-notes.2023-11-aws-system-time %}
    - |
      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
    - |
      {% data reusables.release-notes.large-adoc-files-issue %}
    - |
      {% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
    - |
      {% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
    - |
      Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
    - |
      The `ghe-migrations` visualizer is not working due to a known regression. As a result, users will not be able to use `ghe-migrations` to view the status of migrations during an upgrade. Instead, you can inspect the log files in `/var/log/dbmigration` to get the status and progress of migrations.
    - |
      When enabling [log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding), the logs of specific services (babeld and some others) are duplicated.
    - |
      When testing the domain settings via the Management Console without subdomain isolation, the `reply.[hostname]` subdomain is always incorrectly displayed as having no SSL and DNS record.
    - |
      When log forwarding is enabled, some forwarded log entries may be duplicated.
    - |
      Admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised.
    - |
      If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.