jprdonnelly/docs
1
0
Fork 0
mirror of synced 2026-01-05 03:06:35 -05:00
Code Issues Projects Releases Wiki Activity
Files
92abd218ccb25cdf351663faa8a32a141d606002
docs/data/release-notes/enterprise-server/3-5/8.yml
Mike Bailey 2033bf486f Update release notes for Security#5415 (#33137) 
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
2022-12-02 18:17:01 +00:00

32 lines
4.3 KiB
YAML
Raw Blame History

date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]"
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
- The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
bugs:
- Setting the maintenance mode with an IP Exception List would not persist across upgrades.
- GitHub Pages builds could time out on instances in AWS that are configured for high availability.
- After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
- The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
- When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.
- If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
- If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook.
- When an enterprise owner impersonated a user and tried to install a GitHub App, the button to confirm the installation was disabled and could not be clicked.
- After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
- Zombie processes no longer accumulate in the `gitrpcd` container.
changes:
- To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an appliance from a backup taken on a different host.
- '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
Reference in New Issue View Git Blame Copy Permalink