jprdonnelly/docs
1
0
Fork 0
mirror of synced 2026-01-04 18:06:26 -05:00
Code Issues Projects Releases Wiki Activity
Files
92abd218ccb25cdf351663faa8a32a141d606002
docs/data/release-notes/enterprise-server/3-7/1.yml
Mike Bailey 2033bf486f Update release notes for Security#5415 (#33137) 
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
2022-12-02 18:17:01 +00:00

58 lines
8.1 KiB
YAML
Raw Blame History

date: '2022-11-22'
sections:
security_fixes:
- "**HIGH**: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2022-23740](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23740). [Updated: 2022-12-02]"
- "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. [Updated: 2022-12-02]"
- "**HIGH**: Added a check in Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug."
- "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
- "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
bugs:
- If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.
- Running the `ghe-spokesctl` command returned a `failed to get repo metrics` error.
- Setting the maintenance mode with an IP Exception List would not persist across upgrades.
- GitHub Pages builds could time out on instances in AWS that are configured for high availability.
- Status details for the replication of Git LFS objects to repository cache replica nodes were not visible in the `ghe-repl-status` output on those nodes.
- The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
- When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.
- If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
- If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook.
- In some cases, an instance could replace an active repository with a deleted repository.
- Git LFS objects in a repository with a cache replication policy would not be copied to cache replicas if the total number of objects in the repository exceeded 5,000.
- After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
- Zombie processes no longer accumulate in the `gitrpcd` container.
- On an instance with GitHub Packages configured, package upload and installation could fail for customers using a VPC endpoint URL for AWS S3 blob storage.
- In some cases, after upgrading to GitHub Enterprise Server 3.7.0, users may encounter `Internal Server Error` or `500` errors when initiating Git operations over SSH or HTTPS.
changes:
- If a site administrator has not yet configured GitHub Actions for the instance, the UI for setting up code scanning will prompt the user to configure GitHub Actions.
- To avoid failing domain verification due to the 63-character limit enforced by DNS providers for DNS records, the GitHub-generated `TXT` record to verify domain ownership is now limited to 63 characters.
- To diagnose zero-length file problems in Git repositories, which can result from a crash of the instance, site administrators can run the `git-crash-fix` utility.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- In some cases, users cannot convert existing issues to discussions.
- During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like `invalid sha1 pointer 0000000000000000000000000000000000000000`, `Zero-length loose reference file`, or `Zero-length loose object file`. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this [upstream commit](https://github.com/git/git/commit/968f12fdac) in the Git project.
If you suspect a problem like this exists in one of your repositories, you can run `git-crash-fix analyze` in the repository on your GitHub Enterprise Server instance. If `git-crash-fix analyze` reports problems, [contact GitHub Enterprise Support](/support/contacting-github-support/creating-a-support-ticket) for assistance, and include the command output in your support request.
deprecations:
# https://github.com/github/enterprise-releases/issues/3217
- |
**Upcoming deprecation**: In GitHub Enterprise Server 3.8 and later, unsecure algorithms will be disabled for SSH connections to the administrative shell.
# https://github.com/github/releases/issues/2395
- Commit comments, which are comments that users add directly to a commit outside of a pull request, no longer appear in the pull request timeline. Users could not reply to or resolve these comments. The Timeline events REST API and the GraphQL API's `PullRequest` object also no longer return commit comments.
# https://github.com/github/releases/issues/2380
- Diffing GeoJSON, PSD, and STL files is no longer possible.
# https://github.com/github/releases/issues/2480
- Package registries on the new GitHub Packages architecture, including Container registry and npm packages, no longer expose data through the GraphQL API. In a coming release, other GitHub Packages registries will migrate to the new architecture, which will deprecate the GraphQL API for those registries as well. GitHub recommends using the REST API to programmatically access information about GitHub Packages. For more information, see "[Packages](/rest/packages)" in the REST API documentation.
Reference in New Issue View Git Blame Copy Permalink