Patch release notes for GitHub Enterprise Server (#51227)

Co-authored-by: Release-Controller <releasecontroller@github.com>
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
This commit is contained in:
release-controller[bot] 2024-06-19 16:00:32 +02:00 коммит произвёл GitHub
Родитель 38fec47553
Коммит 75f32de3ea
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
4 изменённых файлов: 220 добавлений и 0 удалений

Просмотреть файл

@ -0,0 +1,61 @@
date: '2024-06-19'
intro: |
{% warning %}
**Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.10.13-known-issues)" section of these release notes.
{% endwarning %}
sections:
security_fixes:
- |
**HIGH**: An attacker with the site administrator role could gain arbitrary code execution capability on the GitHub Enterprise Server appliance when configuring audit log streaming. GitHub has requested CVE ID [CVE-2024-5746](https://www.cve.org/cverecord?id=CVE-2024-5746) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions and External MySQL enabled, a validation step in the config apply could fail.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
- |
{% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
- |
{% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
- |
After an administrator enables maintenance mode from the instance's Management Console UI using Firefox, the administrator is redirected to the Settings page, but maintenance mode is not enabled. To work around this issue, use a different browser.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.2023-10-actions-upgrade-bug %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
When enabling [log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding), specific services logs (babeld and some more) are duplicated.
- |
The reply.[hostname] subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console without subdomain isolation.
- |
When log forwarding is enabled, some forwarded log entries may be duplicated.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.

Просмотреть файл

@ -0,0 +1,51 @@
date: '2024-06-19'
sections:
security_fixes:
- |
**HIGH**: An attacker with the site administrator role could gain arbitrary code execution capability on the GitHub Enterprise Server appliance when configuring audit log streaming. GitHub has requested CVE ID [CVE-2024-5746](https://www.cve.org/cverecord?id=CVE-2024-5746) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions and External MySQL enabled, a validation step in the config apply could fail.
- |
Users would see an error message from the server while pushing to a gist (the push would still complete).
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
`ghe-migrations` visualizer is not working due to a known regression. As a results, users will not be able to use `ghe-migrations` to view the status of migrations during an upgrade. Instead you can inspect the log files in `/var/log/dbmigration` to get the status/progress of migrations.
- |
When enabling [log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding), specific services logs (babeld and some more) are duplicated.
- |
The reply.[hostname] subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console without subdomain isolation.
- |
When log forwarding is enabled, some forwarded log entries may be duplicated.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.

Просмотреть файл

@ -0,0 +1,47 @@
date: '2024-06-19'
sections:
security_fixes:
- |
**HIGH**: An attacker with the site administrator role could gain arbitrary code execution capability on the GitHub Enterprise Server appliance when configuring audit log streaming. GitHub has requested CVE ID [CVE-2024-5746](https://www.cve.org/cverecord?id=CVE-2024-5746) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions and External MySQL enabled, a validation step in the config apply could fail.
- |
Users would see an error message from the server while pushing to a gist (the push would still complete).
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.large-adoc-files-issue %}
- |
{% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
- |
`ghe-migrations` visualizer is not working due to a known regression. As a results, users will not be able to use `ghe-migrations` to view the status of migrations during an upgrade. Instead you can inspect the log files in `/var/log/dbmigration` to get the status/progress of migrations.
- |
When enabling [log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding), specific services logs (babeld and some more) are duplicated.
- |
The reply.[hostname] subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console without subdomain isolation.
- |
When log forwarding is enabled, some forwarded log entries may be duplicated.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.

Просмотреть файл

@ -0,0 +1,61 @@
date: '2024-06-19'
intro: |
{% warning %}
**Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.16-known-issues)" section of these release notes.
{% endwarning %}
sections:
security_fixes:
- |
**HIGH**: An attacker with the site administrator role could gain arbitrary code execution capability on the GitHub Enterprise Server appliance when configuring audit log streaming. GitHub has requested CVE ID [CVE-2024-5746](https://www.cve.org/cverecord?id=CVE-2024-5746) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
Packages have been updated to the latest security versions.
bugs:
- |
On an instance with GitHub Actions and External MySQL enabled, a validation step in the config apply could fail.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
- |
The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
- |
When enabling CodeQL via default setup [at scale](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale), some checks related to GitHub Actions are omitted, potentially preventing the process from completing.
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
- |
{% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
- |
{% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
- |
{% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
- |
{% data reusables.release-notes.2023-11-aws-system-time %}
- |
On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1.
- |
{% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
- |
{% data reusables.release-notes.2023-10-actions-upgrade-bug %}
- |
{% data reusables.release-notes.2023-12-backup-utils-exit-early-redis %}
- |
{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
- |
When enabling [log forwarding](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity-in-your-enterprise/log-forwarding#enabling-log-forwarding), specific services logs (babeld and some more) are duplicated.
- |
The reply.[hostname] subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console without subdomain isolation.
- |
When log forwarding is enabled, some forwarded log entries may be duplicated.
- |
Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
- |
If a hotpatch upgrade requires the `haproxy-frontend` service to be restarted, the restart will hang if there are existing long-lived connections, such as browser web sockets or Git operations. No new connections will be accepted for up to 5 minutes. Any existing unfinished connections at this time will be disconnected.