docs/data/release-notes/enterprise-server/2-22/9.yml

date: '2021-03-23'
intro: Downloads have been disabled due to a major bug affecting multiple customers. A fix will be available in the next patch.
sections:
  security_fixes:
    - '**HIGH:** A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to override environment variables leading to code execution on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.3 and was fixed in 3.0.3, 2.22.9, and 2.21.17. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22864.'
    - Packages have been updated to the latest security versions.
  bugs:
    - Running `ghe-cluster-config-init` could cause a cluster to become inoperable.
    - Systemd could lose track of HAProxy's PID.
    - The mysql-failover warning was displayed indefinitely after a successful failover.
    - The `ghe-cluster-config-init` run was not fully accounting for the exit code of background jobs leading to improper handling of preflight checks.
    - A Security & Analysis link did not appear in the left-side navigation on the Settings page for repositories.
    - After disabling GitHub Packages, some organization pages would return an HTTP 500 error response.
  changes:
    - Improves reliability of nomad services by implementing the same restart policy introduced in GitHub Enterprise Server 3.0.
    - Use a relative number for consul and nomad `bootstrap_expect` allowing for a cluster to bootstrap even if a handful of nodes are down.
    - Logs will rotate based on size in addition to time.
    - Added kafka-lite to the `ghe-cluster-status` command.
  known_issues:
    - On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
    - Custom firewall rules are not maintained during an upgrade.
    - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
    - Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
    - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
    - |
      Log rotation may fail to signal services to transition to new log files, leading to older log files continuing to be used, and eventual root disk space exhaustion.
      To remedy and/or prevent this issue, run the following commands in the [administrative shell](https://docs.github.com/en/enterprise-server/admin/configuration/accessing-the-administrative-shell-ssh) (SSH), or contact [GitHub Enterprise Support](https://support.github.com/contact) for assistance:

      ```
      printf "PATH=/usr/local/sbin:/usr/local/bin:/usr/local/share/enterprise:/usr/sbin:/usr/bin:/sbin:/bin\n29,59 * * * * root /usr/sbin/logrotate /etc/logrotate.conf\n" | sudo sponge /etc/cron.d/logrotate
      sudo /usr/sbin/logrotate -f /etc/logrotate.conf
      ```
    - 'When a replica node is offline in a high availability configuration, {% data variables.product.product_name %} may still route {% data variables.product.prodname_pages %} requests to the offline node, reducing the availability of {% data variables.product.prodname_pages %} for users.'