|
| 1 | +date: '2021-03-02' |
| 2 | +sections: |
| 3 | + security_fixes: |
| 4 | + - '**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization owned private repositories. Branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability has been assigned CVE-2021-22861. This issue was reported via the [GitHub Bug Bounty Program](https://bounty.github.com).' |
| 5 | + - '**HIGH:** An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability has been assigned CVE-2021-22863. This issue was reported via the [GitHub Bug Bounty Program](https://bounty.github.com).' |
| 6 | + - '**HIGH:** A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability has been assigned CVE-2020-10519.' |
| 7 | + - '**MEDIUM:** GitHub Tokens from GitHub Pages builds could end up in logs.' |
| 8 | + - '**LOW:** A specially crafted request to the SVN bridge could trigger a long wait before failure resulting in Denial of Service (DoS).' |
| 9 | + - 'Packages have been updated to the latest security versions.' |
| 10 | + bugs: |
| 11 | + - 'The load-balancer health checks in some cases could cause the babeld logs to fill up with errors about the PROXY protocol.' |
| 12 | + - 'An informational message was unintentionally logged as an error during GitHub Enterprise Backup Utilities snapshots, which resulted in unnecessary emails being sent when backups were scheduled by cron jobs that listen for output to stderr.' |
| 13 | + - 'While restoring a large backup, exception logging related to Redis memory exhaustion could cause the restore to fail due to a full disk.' |
| 14 | + - 'When first setting up a new instance, if you selected "Configure as Replica" you would be unable to start replication.' |
| 15 | + - 'When GitHub Actions was enabled, disabling maintenance mode in the management console failed.' |
| 16 | + - 'When editing a wiki page a user could experience a 500 error when clicking the Save button.' |
| 17 | + - 'An S/MIME signed commit using a certificate with multiple names in the subject alternative name would incorrectly show as "Unverified" in the commit badge.' |
| 18 | + - 'Suspended user was sent emails when added to a team.' |
| 19 | + - 'User saw 500 error when executing git operations on an instance configured with LDAP authentication.' |
| 20 | + - 'The `remove_org_member_package_access` background job was visible in the management console and would continually increase.' |
| 21 | + - 'When a repository had a large number of manifests an error `You have reached the maximum number of allowed manifest files (20) for this repository.` was shown on the Insights -> Dependency graph tab. For more information, see [Visualization limits](https://docs.github.com/en/github/managing-security-vulnerabilities/troubleshooting-the-detection-of-vulnerable-dependencies#are-there-limits-which-affect-the-dependency-graph-data).' |
| 22 | + - 'When uploading a new license file with a different number of seats from the previous license file, the seat difference was not correctly represented in the enterprise account Settings -> License page.' |
| 23 | + - 'The "Prevent repository admins from changing anonymous Git read access" checkbox available in the enterprise account settings could not be successfully enabled or disabled.' |
| 24 | + - 'When a GitHub Pages build failed, the email notification contained an incorrect link for support location.' |
| 25 | + - 'During a leap year, the user was getting a 404 response when trying to view Contribution activity on a Monday.' |
| 26 | + changes: |
| 27 | + - 'Added support for [AWS EC2 r5b instance types](https://aws.amazon.com/about-aws/whats-new/2020/12/introducing-new-amazon-ec2-r5b-instances-featuring-60-gbps-of-ebs-bandwidth-and-260K-iops/).' |
| 28 | + - 'Adjusted background queue prioritization to more evenly distribute jobs.' |
| 29 | + known_issues: |
| 30 | + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.' |
| 31 | + - 'Custom firewall rules are not maintained during an upgrade.' |
| 32 | + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.' |
| 33 | + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.' |
| 34 | + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.' |
0 commit comments