jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-30 03:01:36 -05:00
Code Issues Projects Releases Wiki Activity
Files
feac4c738b2ad6d7fad7ef6bcaaad3e07372302d
docs/data/release-notes/enterprise-server/2-22/22.yml
Terrell Broomer 7222c4fd2c GHES patch release notes for 2.22.22, 3.0.16, 3.1.8 (#21705) 
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
2021-09-24 04:53:23 +00:00

15 lines
3.1 KiB
YAML
Raw Blame History

date: '2021-09-24'
sections:
security_fixes:
- '**HIGH:** A path traversal vulnerability was identified in {% data variables.product.prodname_ghe_server %} that could be exploited when building a {% data variables.product.prodname_pages %} site. User-controlled configuration options used by {% data variables.product.prodname_pages %} were not sufficiently restricted and made it possible to read files on the {% data variables.product.prodname_ghe_server %} instance. To exploit this vulnerability, an attacker would need permission to create and build a {% data variables.product.prodname_pages %} site on the {% data variables.product.prodname_ghe_server %} instance. This vulnerability affected all versions of {% data variables.product.prodname_ghe_server %} prior to 3.1.8 and was fixed in 3.1.8, 3.0.16, and 2.22.22. This is the result of an incomplete fix for CVE-2021-22867. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22868. {% comment %} https://github.com/github/pages/pull/3359, https://github.com/github/pages/pull/3357 {% endcomment %}'
bugs:
- 'The {% data variables.product.prodname_github_connect %} configuration of the source instance was always restored to new instances even when the `--config` option for `ghe-restore` was not used. This would lead to a conflict with the {% data variables.product.prodname_github_connect %} connection and license synchronization if both the source and destination instances were online at the same time. {% comment %} https://github.com/github/github/pull/192247, https://github.com/github/github/pull/191951, https://github.com/github/enterprise2/pull/26870, https://github.com/github/backup-utils/pull/770, https://github.com/github/connected-enterprise/issues/208 {% endcomment %}'
- 'Fixes {% data variables.product.prodname_pages %} builds so they take into account the NO_PROXY setting of the appliance. This is relevant to appliances configured with an HTTP proxy only. {% comment %} https://github.com/github/github/pull/192380 {% endcomment %}'
known_issues:
- On a freshly set up {% data variables.product.prodname_ghe_server %} without any users, an attacker could create the first admin user.
- Custom firewall rules are removed during the upgrade process.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with {% data variables.product.prodname_github_connect %}, issues in private and internal repositories are not included in GitHub.com search results.
- When a replica node is offline in a high availability configuration, {% data variables.product.product_name %} may still route {% data variables.product.prodname_pages %} requests to the offline node, reducing the availability of {% data variables.product.prodname_pages %} for users.
Reference in New Issue View Git Blame Copy Permalink