docs/data/release-notes/enterprise-server/3-7/2.yml

date: '2022-12-13'
sections:
  security_fixes:
    - |
      **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
  bugs:
    - A race condition blocked upgrades to GitHub Enterprise Server 3.6 or later until a site administrator retried the upgrade. 
    - When a site administrator ran the `ghe-repl-status` command on a cache replica via the administrative shell (SSH), the command incorrectly reported overall Git and Alambic cluster replication status information as if it pertained only to cache replication. 
    - When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes. 
    - In a high availability configuration, after promotion of a replica to be the primary node, a site administrator could not force replication to stop on a secondary replica node using the `ghe-repl-stop -f` command. 
    - When using repository caching with an instance in a high availability configuration, if a Git client used SSH instead of HTTPS for a repositorys remote URL, Git LFS would fetch objects from the instances primary node instead of the appropriate cache replica node. 
    - Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value. 
    - When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
    - In some cases, searches via the API returned a `500` error. 
    - Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a `500` error. 
    - In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance. 
    - Dismissing a Dependabot alert that contained certain characters could result in a `400` error. 
    - After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface. 
    - On an instance that uses SAML for authentication, the **Configure SSO** dropdown menu appeared erroneously for personal access tokens and SSH keys. 
    - An upgrade from GitHub Enterprise Server 3.5 to 3.7 could fail because the instance had not yet purged deleted repositories. 
    - In a high availability or repository caching configuration, Unicorn services on nodes other than the primary node were unable to send log events to the primary node. 
    - Fixes a bug in which a GHES log file could get filled very quickly and cause the root drive to run out of free space.
    - When viewing code scanning results for Ruby, an erroneous beta label appeared.
  changes:
    - After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com. 
    - A user's list of recently accessed repositories no longer includes deleted repositories. 
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
    - Actions services need to be restarted after restoring an instance from a backup taken on a different host.
    - In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
    - In some cases, users cannot convert existing issues to discussions.
    - During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
    - |
      Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this [upstream commit](https://github.com/git/git/commit/968f12fdac) in the Git project.

      If you suspect a problem like this exists in one of your repositories, you can run `git-crash-fix analyze` in the repository on your GitHub Enterprise Server instance. If `git-crash-fix analyze` reports problems, [contact GitHub Enterprise Support](/support/contacting-github-support/creating-a-support-ticket) for assistance, and include the command output in your support request.
    - '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
  deprecations:
    # https://github.com/github/enterprise-releases/issues/3217
    - |
      **Upcoming deprecation**: In GitHub Enterprise Server 3.8 and later, unsecure algorithms will be disabled for SSH connections to the administrative shell.

    # https://github.com/github/releases/issues/2395
    - Commit comments, which are comments that users add directly to a commit outside of a pull request, no longer appear in the pull request timeline. Users could not reply to or resolve these comments. The Timeline events REST API and the GraphQL API's `PullRequest` object also no longer return commit comments.

    # https://github.com/github/releases/issues/2380
    - Diffing GeoJSON, PSD, and STL files is no longer possible.

    # https://github.com/github/releases/issues/2480
    - Package registries on the new GitHub Packages architecture, including Container registry and npm packages, no longer expose data through the GraphQL API. In a coming release, other GitHub Packages registries will migrate to the new architecture, which will deprecate the GraphQL API for those registries as well. GitHub recommends using the REST API to programmatically access information about GitHub Packages. For more information, see "[Packages](/rest/packages)" in the REST API documentation.