67cfff4fa2
Co-authored-by: Release-Controller <runner@fv-az221-820.rdwmklopv5je1nmcb30mjggtwb.cx.internal.cloudapp.net> Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com> Co-authored-by: Mike Bailey <miskerest@github.com>
25 lines
3.5 KiB
YAML
25 lines
3.5 KiB
YAML
date: '2022-12-13'
|
|
sections:
|
|
security_fixes:
|
|
- |
|
|
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
|
|
- |
|
|
**HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741). bugs:
|
|
bugs:
|
|
- Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value.
|
|
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
|
|
- A debug-level message appeared in a system log, which could consume space rapidly on the instance's root storage volume.
|
|
- On instances where the dependency graph is enabled, upgrades could sometimes fail due to a slow-running migration of dependency graph data.
|
|
known_issues:
|
|
- After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command.
|
|
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
|
|
- Custom firewall rules are removed during the upgrade process.
|
|
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
|
|
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
|
|
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
|
|
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
|
|
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
|
|
- '{% data variables.product.prodname_actions %} storage settings cannot be validated and saved in the {% data variables.enterprise.management_console %} when "Force Path Style" is selected, and must instead be configured with the `ghe-actions-precheck` command line utility.'
|
|
- '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
|
|
- '{% data reusables.release-notes.2022-09-hotpatch-issue %}'
|