jprdonnelly/docs
1
0
Fork 0
mirror of synced 2026-01-04 00:06:20 -05:00
Code Issues Projects Releases Wiki Activity
Files
db8a027f08aae3d8a08e307371da91cbf9727b72
docs/data/release-notes/enterprise-server/3-6/10.yml
Matt Pollard bbae7067d4 Release note bug fixes for 2023-04-17 (#36411)
2023-04-19 06:01:42 +00:00

26 lines
3.1 KiB
YAML
Raw Blame History

date: '2023-03-02'
sections:
security_fixes:
- |
**HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-23760](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23760). [Updated: 2023-03-10]
bugs:
- When viewing a list of open sessions for the devices logged into a user account, the GitHub Enterprise Server web UI could display an incorrect location.
- |
In the rare case when primary shards for Elasticsearch were located on a replica node, the `ghe-repl-stop` command would fail with `ERROR: Running migrations`.
- The settings page for discussions in an organization returned a `500` error after a repository owned by the organization was deleted.
changes:
- '{% data reusables.release-notes.scim-in-3-6-series %} [Updated: 2023-04-17]'
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
- Actions services need to be restarted after restoring an instance from a backup taken on a different host.
- In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
- '{% data reusables.release-notes.repository-inconsistencies-errors %}'
- '{% data reusables.release-notes.babeld-max-threads-performance-issue %}'
- '{% data reusables.release-notes.stuck-discussion-conversion-issue %}'
- '{% data reusables.release-notes.git-push-known-issue %}'
Reference in New Issue View Git Blame Copy Permalink