|
| 1 | +date: '2021-03-23' |
| 2 | +sections: |
| 3 | + security_fixes: |
| 4 | + - '**HIGH:** A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to override environment variables leading to code execution on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.3 and was fixed in 3.0.3, 2.22.9, and 2.21.17. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22864.' |
| 5 | + - Packages have been updated to the latest security versions. |
| 6 | + bugs: |
| 7 | + - Running `ghe-cluster-config-init` could cause a cluster to become inoperable. |
| 8 | + - Resolving merge conflicts in the GUI would fail when custom pre-receive hooks are configured on the repository. |
| 9 | + - '`launch-deployer` and `launch-receiver` were logging at DEBUG level and filling logs with unnecessary information.' |
| 10 | + - Systemd could lose track of HAProxy's PID. |
| 11 | + - When Actions was configured to use S3 storage, the logs for an action would sometimes fail to load. |
| 12 | + - The mysql-failover warning was displayed indefinitely after a successful failover. |
| 13 | + - The `ghe-cluster-config-init` run was not fully accounting for the exit code of background jobs leading to improper handling of preflight checks. |
| 14 | + - When enabling GitHub Actions, initialization could fail silently. |
| 15 | + - When vulnerability alerting is enabled, upgrades to the 3.0 series would fail. |
| 16 | + - Jobs related to Codespaces were being enqueued leading to an accumulation of unprocessed jobs. |
| 17 | + changes: |
| 18 | + - Use a relative number for consul and nomad `bootstrap_expect` allowing for a cluster to bootstrap even if a handful of nodes are down. |
| 19 | + - Logs will rotate based on size in addition to time. |
| 20 | + - Added kafka-lite to the `ghe-cluster-status` command. |
| 21 | + known_issues: |
| 22 | + - On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. |
| 23 | + - Custom firewall rules are not maintained during an upgrade. |
| 24 | + - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. |
| 25 | + - Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. |
| 26 | + - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. |
| 27 | + - When maintenance mode is enabled, some services continue to be listed as "active processes". The services identified are expected to run during maintenance mode. If you experience this issue and are unsure, contact [GitHub Enterprise Support](https://enterprise.githubsupport.com/hc/en-us) or [GitHub Premium Support](https://premium.githubsupport.com/). |
| 28 | + - Juypter Notebook rendering in the web UI may fail if the notebook includes non UTF-8 encoded characters. |
0 commit comments