From 7ff08d0b8c9faefe8a5e280f468cbd16843394e2 Mon Sep 17 00:00:00 2001 From: Joseph Franks Date: Thu, 21 Jul 2022 16:15:11 -0500 Subject: [PATCH] July 21, 2022: adding release notes (patch release) (#29225) * adding release notes * Update and deduplicate SVN SSRF vulnerability note * Update note about Grafana * Update note about XSS vulnerability; fix order * Update note about logrotate * Update note about Elasticsearch exceptions * Update note about pull request merges * Update note about password field focus * Update note about scheduled workflows * Update note about pagination for Billing API * Update note about committer count for Billing API * Add links to notes about Billing API * Update note about dormant user report * Update note about GEI and projects * Update note about organization sidebar * Update note about recovery mode * Update note about migration logs Co-authored-by: Matt Pollard Co-authored-by: Gurjant <97250585+Gill312@users.noreply.github.com> --- .../enterprise-server/3-2/16.yml | 17 ++++++++++++++ .../enterprise-server/3-3/11.yml | 18 +++++++++++++++ .../release-notes/enterprise-server/3-4/6.yml | 20 +++++++++++++++++ .../release-notes/enterprise-server/3-5/3.yml | 22 +++++++++++++++++++ 4 files changed, 77 insertions(+) create mode 100644 data/release-notes/enterprise-server/3-2/16.yml create mode 100644 data/release-notes/enterprise-server/3-3/11.yml create mode 100644 data/release-notes/enterprise-server/3-4/6.yml create mode 100644 data/release-notes/enterprise-server/3-5/3.yml diff --git a/data/release-notes/enterprise-server/3-2/16.yml b/data/release-notes/enterprise-server/3-2/16.yml new file mode 100644 index 0000000000..794444dddb --- /dev/null +++ b/data/release-notes/enterprise-server/3-2/16.yml 
@@ -0,0 +1,17 @@ +date: '2022-07-21' +sections: + security_fixes: + - "**MEDIUM**: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached." + - Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including [CVE-2020-13379](https://github.com/advisories/GHSA-wc9w-wvq2-ffm9) and [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g). + - Packages have been updated to the latest security versions. + bugs: + - Fixed an issue where the files inside the artifact zip archives had permissions of 000 when unpacked using an unzip tool. Now the files will have the permissions set to 644, the same way as it works in GitHub.com. + - In some cases, the collectd daemon could consume excess memory. + - In some cases, backups of rotated log files could accumulate and consume excess storage. + - After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices. + - In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews. + - On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible. + changes: + - The `ghe-set-password` command-line utility starts required services automatically when the instance is booted in recovery mode. + - Metrics for `aqueduct` background processes are gathered for Collectd forwarding and display in the Management Console. + - The location of the database migration and configuration run log, `/data/user/common/ghe-config.log`, is now displayed on the page that details a migration in progress. 
diff --git a/data/release-notes/enterprise-server/3-3/11.yml b/data/release-notes/enterprise-server/3-3/11.yml new file mode 100644 index 0000000000..c9996b0f20 --- /dev/null +++ b/data/release-notes/enterprise-server/3-3/11.yml 
@@ -0,0 +1,18 @@ +date: '2022-07-21' +sections: + security_fixes: + - "**MEDIUM**: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached." + - "**MEDIUM**: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface." + - Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including [CVE-2020-13379](https://github.com/advisories/GHSA-wc9w-wvq2-ffm9) and [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g). + - Packages have been updated to the latest security versions. + bugs: + - Fixed an issue where the files inside the artifact zip archives had permissions of 000 when unpacked using an unzip tool. Now the files will have the permissions set to 644, the same way as it works in GitHub.com. + - In some cases, the collectd daemon could consume excess memory. + - In some cases, backups of rotated log files could accumulate and consume excess storage. + - After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices. + - In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews. + - On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible. + changes: + - The `ghe-set-password` command-line utility starts required services automatically when the instance is booted in recovery mode. + - Metrics for `aqueduct` background processes are gathered for Collectd forwarding and display in the Management Console. 
+ - The location of the database migration and configuration run log, `/data/user/common/ghe-config.log`, is now displayed on the page that details a migration in progress. diff --git a/data/release-notes/enterprise-server/3-4/6.yml b/data/release-notes/enterprise-server/3-4/6.yml new file mode 100644 index 0000000000..9f3dca7441 --- /dev/null +++ b/data/release-notes/enterprise-server/3-4/6.yml 
@@ -0,0 +1,20 @@ +date: '2022-07-21' +sections: + security_fixes: + - "**MEDIUM**: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached." + - "**MEDIUM**: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface." + - Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including [CVE-2020-13379](https://github.com/advisories/GHSA-wc9w-wvq2-ffm9) and [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g). + - Packages have been updated to the latest security versions. + bugs: + - In some cases, the collectd daemon could consume excess memory. + - In some cases, backups of rotated log files could accumulate and consume excess storage. + - After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices. + - In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews. + - On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible. + - In some cases, scheduled GitHub Actions workflows could become disabled. + - The Billing API's "[Get GitHub Advanced Security active committers for an organization](/rest/billing#get-github-advanced-security-active-committers-for-an-organization)" endpoint now returns `Link` headers to provide information about pagination. 
+ - The Billing API's "[Get GitHub Advanced Security active committers for an organization](/rest/billing#get-github-advanced-security-active-committers-for-an-organization)" endpoint now returns the correct number of total committers. + changes: + - The `ghe-set-password` command-line utility starts required services automatically when the instance is booted in recovery mode. + - Metrics for `aqueduct` background processes are gathered for Collectd forwarding and display in the Management Console. + - The location of the database migration and configuration run log, `/data/user/common/ghe-config.log`, is now displayed on the page that details a migration in progress. diff --git a/data/release-notes/enterprise-server/3-5/3.yml b/data/release-notes/enterprise-server/3-5/3.yml new file mode 100644 index 0000000000..82ab7e4f6b --- /dev/null +++ b/data/release-notes/enterprise-server/3-5/3.yml 
@@ -0,0 +1,22 @@ +date: '2022-07-21' +sections: + security_fixes: + - "**MEDIUM**: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached." + - "**MEDIUM**: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface." + - Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including [CVE-2020-13379](https://github.com/advisories/GHSA-wc9w-wvq2-ffm9) and [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g). + - Packages have been updated to the latest security versions. + bugs: + - In some cases, the collectd daemon could consume excess memory. + - In some cases, backups of rotated log files could accumulate and consume excess storage. + - After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices. + - In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews. + - The GitHub Enterprise Importer did not correctly migrate settings for projects within repositories. + - On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible. + - The site admin dashboard erroneously included an option to export a report listing dormant users. + - The Billing API's "[Get GitHub Advanced Security active committers for an organization](/rest/billing#get-github-advanced-security-active-committers-for-an-organization)" endpoint now returns `Link` headers to provide information about pagination. 
+ - The Billing API's "[Get GitHub Advanced Security active committers for an organization](/rest/billing#get-github-advanced-security-active-committers-for-an-organization)" endpoint now returns the correct number of total committers. + - In the sidebar for an organization's settings, the **Archive** navigation item contained no children. + changes: + - The `ghe-set-password` command-line utility starts required services automatically when the instance is booted in recovery mode. + - Metrics for `aqueduct` background processes are gathered for Collectd forwarding and display in the Management Console. + - The location of the database migration and configuration run log, `/data/user/common/ghe-config.log`, is now displayed on the page that details a migration in progress.
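Review bot: In the `bugs` section of `data/release-notes/enterprise-server/3-2/16.yml`, the artifact-permissions entry is phrased differently from every other entry in that section: it opens with "Fixed an issue where ..." and closes with "the same way as it works in GitHub.com", while the remaining entries describe the defect ("In some cases, ...", "After an upgrade ..."). Suggest aligning it, e.g. "Files inside artifact zip archives had permissions of 000 when unpacked using an unzip tool. Files now have permissions of 644, as on GitHub.com." The SSRF entry also carries no advisory reference, unlike the Grafana entry which links its CVEs; if an advisory exists for the SVN bridge fix, link it the same way.

Review bot: In `data/release-notes/enterprise-server/3-3/11.yml`, the XSS entry writes "Javascript"; the usual spelling is "JavaScript", and the same entry is copied verbatim into the 3.4 and 3.5 files, so fix all three. Separately, this XSS entry appears in the 3.3, 3.4 and 3.5 files but not in the 3.2 file, while every other security fix is shared by all four; please confirm 3.2 is not affected, or add the entry there as well.

Review bot: In `data/release-notes/enterprise-server/3-4/6.yml`, the artifact zip permissions fix listed under `bugs` for 3.2 and 3.3 is absent here and in the 3.5 file, although the collectd, logrotate, Elasticsearch, pull request and LDAP entries are carried across all four releases; confirm that 3.4 and 3.5 are not affected, or add the entry for consistency.

Review bot: In `data/release-notes/enterprise-server/3-5/3.yml`, the two Billing API entries under `bugs` are written as behaviour changes ("now returns `Link` headers ...", "now returns the correct number of total committers") rather than as the defect that was fixed, which is the form the surrounding entries use. Suggest either stating the defect (e.g. that the endpoint omitted pagination `Link` headers and reported an incorrect committer total) or moving the pagination entry to `changes`, since adding `Link` headers reads as new behaviour rather than a bug fix. The same two entries appear in the 3.4 file.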