jprdonnelly/docs
1
0
Fork 0
mirror of synced 2026-01-01 18:05:46 -05:00
Code Issues Projects Releases Wiki Activity
Files
c0f108ee4672f5a71d84aedc729c821dfc1fb73a
docs/data/release-notes/enterprise-server/3-2/5.yml

28 lines
3.4 KiB
YAML
Raw Blame History

date: '2021-12-07'
sections:
security_fixes:
- Support bundles could include sensitive files if they met a specific set of conditions.
- A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.2.5, 3.1.13, 3.0.21. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2021-41598](https://www.cve.org/CVERecord?id=CVE-2021-41598).
- A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.0.21, 3.1.13, 3.2.5. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2021-41599](https://www.cve.org/CVERecord?id=CVE-2021-41599). Updated February 17, 2022.
bugs:
- In some cases when Actions was not enabled, `ghe-support-bundle` reported an unexpected message `Unable to find MS SQL container.`
- Running `ghe-config-apply` could sometimes fail because of permission issues in `/data/user/tmp/pages`.
- A misconfiguration in the Management Console caused scheduling errors.
- Docker would hold log files open after a log rotation.
- Migrations could get stuck due to incorrect handling of `blob_path` values that are not UTF-8 compatible.
- GraphQL requests did not set the GITHUB_USER_IP variable in pre-receive hook environments.
- Pagination links on org audit logs would not persist query parameters.
- During a hotpatch, it was possible for duplicate hashes if a transition ran more than once.
changes:
- Clarifies explanation of Actions path-style in documentation.
- Updates support contact URLs to use the current support site, support.github.com.
- Additional troubleshooting provided when running `ghe-mssql-diagnostic`.
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
Reference in New Issue View Git Blame Copy Permalink