From f1e6ca7ca50d3e5d0991d911309f38789b6cb681 Mon Sep 17 00:00:00 2001 From: "release-controller[bot]" <110195724+release-controller[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 20:39:52 +0100 Subject: [PATCH] Patch release notes for GitHub Enterprise Server (#52546) Co-authored-by: Release-Controller Co-authored-by: isaacmbrown Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: Devin Dooley --- .../enterprise-server/3-11/16.yml | 56 +++++++++++++ .../enterprise-server/3-12/10.yml | 54 +++++++++++++ .../enterprise-server/3-13/5.yml | 58 ++++++++++++++ .../enterprise-server/3-14/2.yml | 78 +++++++++++++++++++ 4 files changed, 246 insertions(+) create mode 100644 data/release-notes/enterprise-server/3-11/16.yml create mode 100644 data/release-notes/enterprise-server/3-12/10.yml create mode 100644 data/release-notes/enterprise-server/3-13/5.yml create mode 100644 data/release-notes/enterprise-server/3-14/2.yml diff --git a/data/release-notes/enterprise-server/3-11/16.yml b/data/release-notes/enterprise-server/3-11/16.yml new file mode 100644 index 000000000000..bd57a5a4308c --- /dev/null +++ b/data/release-notes/enterprise-server/3-11/16.yml 
@@ -0,0 +1,56 @@ +date: '2024-10-10' +sections: + security_fixes: + - | + **MEDIUM**: Malicious URLs for SVG assets provided information about a victim user who clicked the URL, allowing an attacker to retrieve metadata belonging to the user and use it to generate a convincing phishing page. This required the attacker to upload malicious SVGs and phish a victim user to click the URL for the uploaded asset. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program. + - | + **HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from [CVE-2024-4985](https://www.cve.org/cverecord?id=CVE-2024-4985), which resulted in a new variant of the vulnerability. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document. GitHub has requested CVE ID [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487). This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + bugs: + - | + HAProxy reloading was failure prone, which could lead to failed Git operations. This reloading process has been replaced with a more resilient Systemd process. + - | + An unhandled nil value when configuring Actions storage with AWS S3 via OIDC configuration in the terminal could cause an error. + - | + On an instance with secret scanning enabled, the custom pattern page would not load because dry run results were tied to a deleted repository. 
+ - | + The "List teams" API endpoint returned duplicate results when paginating. + - | + A model with no URL could cause a `ghe-migrator` import to fail. + - | + Restore could fail when restoring MySQL using backup-utils. + changes: + - | + Pre-receive hook environments can use the `clone3()` system call. + - | + The creation, deletion, or change in visibility of a gist has been added to the audit log. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + {% data reusables.release-notes.2023-11-aws-system-time %} + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. 
+ - | + {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} + - | + Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions. + - | + The `reply.[hostname]` subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console **without subdomain isolation**. + - | + The admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run. diff --git a/data/release-notes/enterprise-server/3-12/10.yml b/data/release-notes/enterprise-server/3-12/10.yml new file mode 100644 index 000000000000..aff3e5f78d6c --- /dev/null +++ b/data/release-notes/enterprise-server/3-12/10.yml 
@@ -0,0 +1,54 @@ +date: '2024-10-10' +sections: + security_fixes: + - | + **MEDIUM**: Malicious URLs for SVG assets provided information about a victim user who clicked the URL, allowing an attacker to retrieve metadata belonging to the user and use it to generate a convincing phishing page. This required the attacker to upload malicious SVGs and phish a victim user to click the URL for the uploaded asset. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program. + - | + **HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from [CVE-2024-4985](https://www.cve.org/cverecord?id=CVE-2024-4985), which resulted in a new variant of the vulnerability. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document. GitHub has requested CVE ID [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487). This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + bugs: + - | + HAProxy reloading was failure prone, which could lead to failed Git operations. This reloading process has been replaced with a more resilient Systemd process. + - | + An unhandled nil value when configuring Actions storage with AWS S3 via OIDC configuration in the terminal could cause an error. + - | + On an instance with secret scanning enabled, the custom pattern page would not load because dry run results were tied to a deleted repository. 
+ - | + The "List teams" API endpoint returning duplicate results when paginating. + - | + A model with no URL could cause a `ghe-migrator` import to fail. + - | + Restore could fail when restoring MySQL using backup-utils. + changes: + - | + The `ghe-remove-node` command will display the log file location when running in quiet mode. + - | + Pre-receive hook environments can use the `clone3()` system call. + - | + The creation, deletion, or change in visibility of a gist has been added to the audit log. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + {% data reusables.release-notes.2023-11-aws-system-time %} + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions. 
+ - | + The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**. + - | + The admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run. diff --git a/data/release-notes/enterprise-server/3-13/5.yml b/data/release-notes/enterprise-server/3-13/5.yml new file mode 100644 index 000000000000..738431f37bb5 --- /dev/null +++ b/data/release-notes/enterprise-server/3-13/5.yml 
@@ -0,0 +1,58 @@ +date: '2024-10-10' +sections: + security_fixes: + - | + **MEDIUM**: Malicious URLs for SVG assets provided information about a victim user who clicked the URL, allowing an attacker to retrieve metadata belonging to the user and use it to generate a convincing phishing page. This required the attacker to upload malicious SVGs and phish a victim user to click the URL for the uploaded asset. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program. + - | + **HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from [CVE-2024-4985](https://www.cve.org/cverecord?id=CVE-2024-4985), which resulted in a new variant of the vulnerability. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document. GitHub has requested CVE ID [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487). This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + bugs: + - | + HAProxy reloading was failure prone, which could lead to failed Git operations. This reloading process has been replaced with a more resilient Systemd process. + - | + On an instance with secret scanning enabled, internal jobs were created and not processed, which could contribute to performance issues. + - | + This error message `mbind: Operation not permitted` was repeatedly showing in the `/var/log/mysql/mysql.err` MySQL logs. 
+ - | + The backup of audit log could take longer after upgrading to Elasticsearch 8. + - | + An unhandled nil value when configuring Actions storage with AWS S3 via OIDC configuration in the terminal could cause an error. + - | + Users were unable to sign out from gist pages. + - | + On an instance with secret scanning enabled, the custom pattern page would not load because dry run results were tied to a deleted repository. + - | + The "List teams" API endpoint returning duplicate results when paginating. + - | + A model with no URL could cause a `ghe-migrator` import to fail. + - | + Restore could fail when restoring MySQL using backup-utils. + changes: + - | + The `ghe-remove-node` command will display the log file location when running in quiet mode. + - | + Pre-receive hook environments can use the `clone3()` system call. + - | + The creation, deletion, or change in visibility of a gist has been added to the audit log. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions. 
+ - | + For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run. diff --git a/data/release-notes/enterprise-server/3-14/2.yml b/data/release-notes/enterprise-server/3-14/2.yml new file mode 100644 index 000000000000..17f99eb32967 --- /dev/null +++ b/data/release-notes/enterprise-server/3-14/2.yml 
@@ -0,0 +1,78 @@ +date: '2024-10-10' +sections: + security_fixes: + - | + A sensitive data exposure in HTML forms was possible in the management console. To mitigate this issue, the "Copy Storage Setting from Actions" functionality was removed from the management console. + - | + **MEDIUM**: Malicious URLs for SVG assets provided information about a victim user who clicked the URL, allowing an attacker to retrieve metadata belonging to the user and use it to generate a convincing phishing page. This required the attacker to upload malicious SVGs and phish a victim user to click the URL for the uploaded asset. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program. + - | + **HIGH**: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from [CVE-2024-4985](https://www.cve.org/cverecord?id=CVE-2024-4985), which resulted in a new variant of the vulnerability. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document. GitHub has requested CVE ID [CVE-2024-9487](https://www.cve.org/cverecord?id=CVE-2024-9487). This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + bugs: + - | + A missing configuration value would cause Dependabot to be unable to create group update pull requests. + - | + HAProxy reloading was failure prone, which could lead to failed Git operations. This reloading process has been replaced with a more resilient Systemd process. 
+ - | + This error message `mbind: Operation not permitted` was repeatedly showing in the `/var/log/mysql/mysql.err` MySQL logs. + - | + The backup of audit logs could take longer after upgrading to Elasticsearch 8. + - | + An unhandled nil value when configuring Actions storage with AWS S3 via OIDC configuration in the terminal could cause an error. + - | + Users were unable to sign out from gist pages. + - | + On an instance with secret scanning enabled, the custom pattern page would not load because dry run results were tied to a deleted repository. + - | + Suspended users were not always correctly routed to the correct "suspended" page. + - | + The "List teams" API endpoint returned duplicate results when paginating. + - | + When managing the organization permissions required for {% data variables.product.pat_v2_plural %}, for custom properties or projects, the `Admin` access level could not be selected. + - | + A model with no URL could cause a `ghe-migrator` import to fail. + - | + The `ghe-spokesctl status` command showed repaired repositories as broken if their network ID changed during the repair (for example, when the repository was detached from it's original network). + - | + Missing URLs on import could lead to migration failures without logging or explanation. + - | + On the security overview dashboard, data initialization could fail when creating new organizations or changing GitHub Advanced Security licensing. + - | + Restore could fail when restoring MySQL using backup-utils. + changes: + - | + `ghe-remove-node` will display the log file location when running in quiet mode. + - | + Pre-receive hook environments can use the `clone3()` system call. + - | + The creation, deletion, or change in visibility of a gist has been added to the audit log. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. 
This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions. + - | + The admin stats REST API endpoints may time out on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. 
+ - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + In the header bar displayed to site administrators, some icons are not available. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
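Review bot: In the 3-11/16.yml hunk, the HIGH SAML entry says "GitHub has requested CVE ID [CVE-2024-9487]" while linking straight to the published cve.org record; if the ID has been assigned, "has requested" is stale and should read "has assigned" or simply "CVE-2024-9487", and the same sentence is copied verbatim into the other three files, so fix it in all four. Two smaller points in the same hunk: the HAProxy bug entry capitalizes "Systemd" (the project name is lowercase, `systemd`), and known_issues still carries `{% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}` even though the bugs section says the HAProxy reload process was replaced; 3-12/10.yml drops that reusable, so confirm whether it still applies to 3.11.16 or was left in by mistake.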
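Review bot: In the 3-12/10.yml hunk, the bug entry `The "List teams" API endpoint returning duplicate results when paginating.` is a sentence fragment; 3-11/16.yml in this same patch uses "returned", so align on that. The known-issues entry about the `reply.[hostname]` subdomain also diverges from the 3-11 copy for no reason: it lacks backticks around `reply.[hostname]` and writes "ssl and dns" in lowercase where 3-11 has "SSL and DNS". Likewise "Repositories originally imported using ghe-migrator" drops the backticks that 3-11 and 3-13 put around `ghe-migrator`. Since these entries are shared across the four files, they should be identical.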
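Review bot: In the 3-13/5.yml hunk, the same fragment `The "List teams" API endpoint returning duplicate results when paginating.` appears and should read "returned". In the cluster known issue, "shutdown the node and repeat the steps" uses the noun; the verb is "shut down". The restore known issue writes "the elasticsearch indices" in lowercase while the bugs section of this file says "Elasticsearch 8"; use "Elasticsearch" in both places. Also "The backup of audit log could take longer" should be "audit logs", matching the wording used for the same fix in 3-14/2.yml.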
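Review bot: In the 3-14/2.yml hunk, the first security_fixes entry ("A sensitive data exposure in HTML forms was possible in the management console...") carries no severity label, while the two entries that follow are tagged **MEDIUM** and **HIGH**; give it a severity so readers can triage it like the others, and say what data was exposed if that is known. The known issue "When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance" is copied unchanged from 3-13/5.yml into the 3.14 notes; confirm whether it should read 3.14 here or whether the issue really is limited to 3.13-to-3.13 restores, since as written it is unclear why it appears in this file. Wording fixes in the same hunk: "detached from it's original network" should be "its"; "Suspended users were not always correctly routed to the correct "suspended" page" repeats "correct", so drop "correctly"; "shutdown the node" should be "shut down"; "imported using ghe-migrator" needs the backticks used in the 3-11 and 3-13 copies; and "`ghe-remove-node` will display" should match the "The `ghe-remove-node` command will display" form used in 3-12 and 3-13.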