docs/data/release-notes/enterprise-server/3-1/8.yml
2021-11-18 13:26:07 -08:00

date: '2021-09-24'
sections:
  security_fixes:
  - '**HIGH:** A path traversal vulnerability was identified in {% data variables.product.prodname_ghe_server %} that could be exploited when building a {% data variables.product.prodname_pages %} site. User-controlled configuration options used by {% data variables.product.prodname_pages %} were not sufficiently restricted and made it possible to read files on the {% data variables.product.prodname_ghe_server %} instance. To exploit this vulnerability, an attacker would need permission to create and build a {% data variables.product.prodname_pages %} site on the {% data variables.product.prodname_ghe_server %} instance. This vulnerability affected all versions of {% data variables.product.prodname_ghe_server %} prior to 3.1.8 and was fixed in 3.1.8, 3.0.16, and 2.22.22. This is the result of an incomplete fix for CVE-2021-22867. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22868. {% comment %} https://github.com/github/pages/pull/3361, https://github.com/github/pages/pull/3357 {% endcomment %}'
  - '**MEDIUM:** An improper access control vulnerability in {% data variables.product.prodname_ghe_server %} allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected {% data variables.product.prodname_ghe_server %} versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases. It has been assigned CVE-2021-22869. {% comment %} https://github.com/github/enterprise2/pull/27013 {% endcomment %}'
  bugs:
  - 'Resque worker counts were displayed incorrectly during maintenance mode. {% comment %} https://github.com/github/enterprise2/pull/26899, https://github.com/github/enterprise2/pull/26883 {% endcomment %}'
  - 'Allocated memcached memory could be zero in clustering mode. {% comment %} https://github.com/github/enterprise2/pull/26928, https://github.com/github/enterprise2/pull/26832 {% endcomment %}'
  - 'Non-empty binary files displayed an incorrect file type and size on the pull request "Files" tab. {% comment %} https://github.com/github/github/pull/192810, https://github.com/github/github/pull/172284, https://github.com/github/coding/issues/694 {% endcomment %}'
  - 'Fixes {% data variables.product.prodname_pages %} builds so they take into account the NO_PROXY setting of the appliance. This is relevant to appliances configured with an HTTP proxy only. (update 2021-09-30) {% comment %} https://github.com/github/pages/pull/3360 {% endcomment %}'
  - 'The GitHub Connect configuration of the source instance was always restored to new instances even when the `--config` option for `ghe-restore` was not used. This would lead to a conflict with the GitHub Connect connection and license synchronization if both the source and destination instances were online at the same time. The fix also requires updating backup-utils to 3.2.0 or higher. [updated: 2021-11-18]'
  known_issues:
  - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
  - On a freshly set up {% data variables.product.prodname_ghe_server %} without any users, an attacker could create the first admin user.
  - Custom firewall rules are removed during the upgrade process.
  - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
  - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
  - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  - If {% data variables.product.prodname_actions %} is enabled for {% data variables.product.prodname_ghe_server %}, teardown of a replica node with `ghe-repl-teardown` will succeed, but may return `ERROR:Running migrations`.
  - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.