jprdonnelly/docs
1
0
Fork 0
mirror of synced 2026-02-01 03:01:50 -05:00
Code Issues Projects Releases Wiki Activity
Files
f9be78e493f38b4fcdcf6616331daec52d3501e9
docs/data/release-notes/2-22/9.yml
Brett Westover 5ee9bc0a9a [GHES] Patch Release notes 2021-03-23 (#18367) 
* add 3-23 release notes

* copy over release note

This release note only exists in the docs site, so it is missing when the notes are copied over from the old process. It's not fixed yet though, so copying it back over

* Update data/release-notes/2-21/17.yml

Co-authored-by: Meg Bird <megbird@github.com>

* quote all lines with backticks

* remove unnecssary (probably) quotes

Co-authored-by: Meg Bird <megbird@github.com>
Co-authored-by: James M. Greene <JamesMGreene@github.com>
2021-03-23 12:18:37 -07:00

24 lines
2.5 KiB
YAML
Raw Blame History

date: '2021-03-23'
sections:
security_fixes:
- '**HIGH:** A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to override environment variables leading to code execution on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.3 and was fixed in 3.0.3, 2.22.9, and 2.21.17. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22864.'
- Packages have been updated to the latest security versions.
bugs:
- Running `ghe-cluster-config-init` could cause a cluster to become inoperable.
- Systemd could lose track of HAProxy's PID.
- The mysql-failover warning was displayed indefinitely after a successful failover.
- The `ghe-cluster-config-init` run was not fully accounting for the exit code of background jobs leading to improper handling of preflight checks.
- A Security & Analysis link did not appear in the left-side navigation on the Settings page for repositories.
- After disabling GitHub Packages, some organization pages would return an HTTP 500 error response.
changes:
- Improves reliability of nomad services by implementing the same restart policy introduced in GitHub Enterprise Server 3.0.
- Use a relative number for consul and nomad `bootstrap_expect` allowing for a cluster to bootstrap even if a handful of nodes are down.
- Logs will rotate based on size in addition to time.
- Added kafka-lite to the `ghe-cluster-status` command.
known_issues:
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Reference in New Issue View Git Blame Copy Permalink