docs/data/release-notes/enterprise-server/3-4/11.yml
release-controller[bot] e52a9c5772 GHES Patch Release Notes (#32769)
Co-authored-by: Release-Controller <runner@fv-az225-803.nn523fotaqjeti0rucxshd1u2e.jx.internal.cloudapp.net>
Co-authored-by: Joseph Franks <joefranks1993@github.com>
Co-authored-by: Gurjant <97250585+Gill312@users.noreply.github.com>
Co-authored-by: Release-Controller <runner@fv-az226-987.tgcx2ubhyojezlzda0twcaouih.dx.internal.cloudapp.net>
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
2022-11-23 14:54:33 +00:00


date: '2022-11-22'
sections:
  security_fixes:
    - "**HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870)."
    - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
    - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instance's web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) now correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
  bugs:
    - If GitHub Actions was configured with S3 blob storage for the instance, content like logs and artifacts from deleted or expired workflow runs would remain in blob storage indefinitely. The instance will delete this content automatically the next time a regular background cleanup job runs.
    - Setting the maintenance mode with an IP Exception List would not persist across upgrades.
    - GitHub Pages builds could time out on instances in AWS that are configured for high availability.
    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
    - If a user configured a pre-receive hook for multiple repositories, the instance's **Hooks** page would not always display the correct status for the hook.
    - In some cases, users could not merge a pull request due to unexpected status checks.
    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
    - Zombie processes no longer accumulate in the `gitrpcd` container.
  known_issues:
    - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
    - Custom firewall rules are removed during the upgrade process.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in {% data variables.product.prodname_dotcom_the_website %} search results.
    - The {% data variables.product.prodname_registry %} npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
    - Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.
    - |
      After registering a self-hosted runner with the `--ephemeral` parameter on more than one level (for example, both enterprise and organization), the runner may get stuck in an idle state and require re-registration. [Updated: 2022-06-17]
    - After upgrading to {% data variables.product.prodname_ghe_server %} 3.4, releases may appear to be missing from repositories. This can occur when the required Elasticsearch index migrations have not successfully completed.
    - '{% data reusables.release-notes.ghas-3.4-secret-scanning-known-issue %}'
    - '{% data reusables.release-notes.2022-09-hotpatch-issue %}'