docs/data/release-notes/enterprise-server/3-7/19.yml

date: '2023-12-21'
sections:
  security_fixes:
    - |
      **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645).
    - |
      **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://www.cve.org/CVERecord?id=CVE-2023-6746) for this vulnerability.
    - |
      **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://www.cve.org/CVERecord?id=CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
    - |
      **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379).
    - |
      **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380).
    - |
      **LOW:** To render interactive maps in an instance's web UI using Azure Maps, GitHub Enterprise Server has migrated from use of an unsecure Azure Maps API token to a more secure access token provided by role-based access control (RBAC) in Entra ID. After upgrading to this release, to re-enable interactive maps, an administrator must reconfigure authentication to Azure Maps in the Management Console. For more information, see "[AUTOTITLE](/admin/configuration/configuring-user-applications-for-your-enterprise/configuring-interactive-maps)."
    - |
      Packages have been updated to the latest security versions.
  bugs:
    - |
      When an administrator ran the `ghe-support-bundle` or `ghe-cluster-support-bundle` command, the `-p` flag did not produce bundles with log durations as specified. The duration period can now only be specified in `days`. Additionally, unnecessary files were sanitized by the commands.
    - |
      On an instance in a cluster configuration, upgrades could fail due to a background job running during database migration.
    - |
      On an instance in a high availability configuration, the `ghe-repl-teardown` command failed when provided with a UUID.
    - |
      In some environments, stale `.backup` log files could accumulate in the system.
    - |
      On an instance hosted on AWS, when configuring GitHub Packages, virtual-hosted-style AWS S3 URLs would default to path-style URLs if a `region-code` was included. For more information, see [Virtual hosting of buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html) in the AWS documentation.
    - |
      Because the `|` character was not permitted, administrators could not add an SMTP username to authenticate with the Azure Communication Service.
    - |
      On an instance with a GitHub Advanced Security license and secret scanning enabled, site administrators using the `ghe-secret-scanning` command would not see a relevant error message if their input was invalid.
    - |
      After importing a migration archive using `ghe-migrator` or REST API endpoints for organization migrations, in some cases, some review comments within pull requests were not associated with lines of code.
    - |
      On an instance with a GitHub Advanced Security license and secret scanning enabled, secret scanning alert emails were sent to organization owners even if their email address did not comply with domain restrictions.
    - |
      A missing executable on the PATH caused the `ghe-spokesctl ssh` command to fail.
    - |
      On an instance with GitHub Connect enabled, some system users were incorrectly counted as consuming a license following license sync.
    - |
      A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organizations owners unexpectedly receiving access to the repository.
    - |
      Pre-receive hook failures were not visible in the administrator audit log.
    - |
      On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns.
  changes:
    - |
      When adding a node to an instance, performance is improved during initial database replication.
    - |
      An administrator can run the new `ghe-check-background-upgrade-jobs` command to ensure all upgrade jobs that run in the background have finished. This allows the administrator to know when they can start the next upgrade to their GitHub Enterprise Server instance.
    - |
      When using `ghe-migrator prepare` to import an archive, a missing `schema.json` file results in an `UnsupportedArchive` error rather than an `UnsupportedSchemaVersion` error.
    - |
      As a security measure, GitHub Pages does not build sites that contain symbolic links except when using custom GitHub Actions workflows. When the page builder encounters a symbolic link, the build will fail with an error indicating that the symbolic link should be dereferenced. Custom workflows for GitHub Pages are available in GitHub Enterprise Server 3.7 and later.
  known_issues:
    - |
      Custom firewall rules are removed during the upgrade process.
    - |
      The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - |
      In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
    - |
      Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
    - |
      {% data reusables.release-notes.repository-inconsistencies-errors %}
    - |
      During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
    - |
      If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
    - |
      When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
    - |
      {% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
    - |
      On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance.
    - |
      On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
    - |
      Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly.
  deprecations:
    - heading: Interactive maps in the web UI no longer allow authentication using an Azure Maps API key
      notes:
        - |
          To allow users to render interactive maps in an instance's web UI by writing GeoJSON or TopoJSON syntax, GitHub Enterprise Server previously required a potentially unsecure API key for authentication with Azure Maps. If an administrator previously enabled interactive maps on an instance, the feature is disabled upon upgrade to this release.

          To re-enable interactive maps for your instance, you must configure an application on an Entra ID tenant that has access to Azure Maps using role-based access control (RBAC). For more information, see "[AUTOTITLE](/admin/configuration/configuring-user-applications-for-your-enterprise/configuring-interactive-maps)" and the security fixes for this release.