-
Notifications
You must be signed in to change notification settings - Fork 67.1k
Expand file tree
/
Copy path4.yml
More file actions
89 lines (86 loc) · 8.5 KB
/
4.yml
File metadata and controls
89 lines (86 loc) · 8.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
date: '2024-09-23'
sections:
security_fixes:
- |
**MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**MEDIUM:** An attacker could push a commit with changes to a workflow using a PAT or OAuth app that lacks the appropriate `workflow` scope by pushing a triple-nested tag pointing at the associated commit. GitHub has requested CVE ID [CVE-2024-8263](https://www.cve.org/cverecord?id=CVE-2024-8263) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
**HIGH:** A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. GitHub has requested [CVE ID CVE-2024-8810](https://www.cve.org/cverecord?id=CVE-2024-8810) for this vulnerability, which was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/). [Updated: 2024-11-07]
bugs:
- |
For instances deployed on AWS with IMDSv2 enforced, fallback to private IPs was not successful.
- |
A config apply run may not have been properly applied due to calls being made to Nomad before it was ready to accept connections. When this occurred, the `Error querying agent info: failed querying self endpoint: Get "http://127.0.0.1:4646/v1/agent/self"` error was written to the `/data/user/common/ghe-config.log` file.
- |
`ghe-storage-find` was sometimes unable to identify a data disk.
- |
Replication could be stuck in an loop running `ghe-repl-start` because `GHE_REPL_SSH_RETRY_COUNT` was set to 60 by default for the whole scope of `ghe-repl-start` which will retry config apply (up to 60 times).
- |
After upgrading the relevant GHES version, the `resolvconf` service failed to start due to a missing directory.
- |
When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the nomad service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
- |
Some pre-receive hooks using the `faccessat2` system call, such as those using Alpine Linux as the base, failed unexpectedly.
- |
Placing Nomad jobs would not allow retries in cases when Nomad wasn't available yet.
- |
A repeated error message concerning connectivity to port 6002 was emitted to the system logs when Actions was enabled.
- |
On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
- |
Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
- |
In organizations with a large number of repositories, when an administrator used repository properties to target repositories in an organization ruleset, the ruleset index page timed out.
- |
After a user created a Projects Insights chart with time as the X-axis, the chart became hidden and inaccessible.
- |
The `CommandPalette` component no longer displays repository information on `404` pages, preventing the leakage of private repository information for users without access.
- |
A bug introduced in 3.12 which prevented the search input in the global navigation from displaying a dropdown of search suggestions has been fixed. The search input functionality prior to 3.12 has been restored, and users are once again able to see and submit suggested search queries, including scope suggestions.
- |
Custom links to other repositories displayed incorrect breadcrumbs.
- |
Some custom pattern matches were incorrectly filtered during post-scan filtering and outdated alerts were sometimes published. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`.
- |
On an instance with secret scanning enabled, a banner indicated that secret scanning was running on pull request comments and discussions. This feature is not available in this version of GitHub Enterprise Server.
- |
Memory utilization would sometimes exceed levels comparable to GitHub Enterprise Server 3.12.
- |
Some custom pattern matches were incorrectly filtered during post-scan filtering and outdated alerts were sometimes published. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?.`
changes:
- |
For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
known_issues:
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account).
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
- |
When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
- |
Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
- |
{% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
- |
When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
- |
When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
- |
Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
- |
For customers using Secret Scanning, internal jobs were created and not worked that could contribute to performance issues.
- |
{% data reusables.release-notes.2024-11-ghe-repl-promote-primary-down %}
[Updated: 2024-11-29]
- |
{% data reusables.release-notes.2025-03-03-elasticsearch-data-loss %}
[Updated: 2025-03-12]
errata:
- 'The [Known issues](/admin/release-notes#3.13.4-known-issues) section previously indicated that `Instance setup in AWS with IMDSv2 enforced fails if no public IP is present` is still an issue. The issue is resolved and is documented in the [Bug fixes](/admin/release-notes#3.13.4-bugs) section. [Updated: 2024-09-30]'