Enterprise Server 3.0 release notes

Enterprise Server 3.0.12

July 27, 2021

📣 This is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • Packages have been updated to the latest security versions.

  • Custom pre-receive hooks could lead to an error like error: object directory /data/user/repositories/0/nw/12/34/56/7890/network.git/objects does not exist; check .git/objects/info/alternates.

  • Unauthenticated HTTP proxy for the pages containers build was not supported for any users that use HTTP proxies.

  • A significant number of 503 errors were logged every time a user visited a repository's /settings page if the dependency graph was not enabled.

  • Internal repositories were only returned when a user had affiliations with the repository through a team or through collaborator status, or queried with the ?type=internal parameter.

  • Failed background jobs had unlimited retries which could cause large queue depths.

  • A significant number of 503 errors were being created if the scheduled job to sync vulnerabilities with GitHub.com attempted to run when dependency graph was not enabled and content analysis was enabled.

  • The logs for babeld now include a cmd field for HTTP ref advertisement requests instead of only including it during the negotiation requests.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.11

July 14, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.3 and has been assigned CVE-2021-22867. This vulnerability was reported via the GitHub Bug Bounty program.

  • Packages have been updated to the latest security versions.

  • SAML expiration date variable was not configurable.

  • Application services would fail their health checks during config apply before they could enter a healthy state.

  • ghe-cluster-config-node-init would fail during cluster setup if HTTP proxy is enabled.

  • Pre-receive hooks could encounter an error Failed to resolve full path of the current executable due to /proc not being mounted on the container.

  • Collectd would not resolve the forwarding destination hostname after the initial startup.

  • The job that purged stale deleted repositories could fail to make progress if some of those repositories were protected from deletion by legal holds.

  • Running git nw-gc --pristine would result in an error.

  • Background jobs were being queued to the spam queue which were not being processed.

  • The preferred merge method would be reset when retrying after a failed PR merge.

  • Git pushes could result in a 500 Internal Server Error during the user reconciliation process on instances using LDAP authentication mode.

  • Improved the efficiency of config apply by skipping IP allow firewall rules that had not changed, which saved significant time on large clusters.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.10

June 24, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • Packages have been updated to the latest security versions.

  • A large number of gauge-dependency-graph-api-dispatch_dispatch metrics could accumulate in the Management Console.

  • The sshd service would sometimes fail to start on instances running on Google Cloud Platform.

  • Old upgrade files would persist on the user disk, sometimes resulting in out of space conditions.

  • Log rotation could sometimes interrupt background jobs.

  • gh-migrator displayed an incorrect path to its log output.

  • An export archive would fail to import if it contained review requests from teams not present in the archive.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.9

June 10, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • Packages have been updated to the latest security versions.

  • The upgrade process could fail while upgrading Actions if the instance could not make self-requests using its configured hostname.

  • SVN 1.7 and older clients showed an error when using the svn co and svn export commands.

  • Accessing a repository through the administrative shell using ghe-repo <owner>/<reponame> would hang.

  • After upgrading, users experienced reduced availability during heavy usage, because services restarted too frequently. This would occur due to timeout mismatches between the nomad configuration and that of the internal services.

  • In some instances, running ghe-repl-status after setting up GitHub Actions would produce an error and ghe-actions-teardown would fail.

  • ghe-dbconsole would return errors under some circumstances.

  • Import failures of organizations or repositories from non-GitHub sources could produce an undefined method '[]' for nil:NilClass error.

  • GitHub profile names might have changed unintentionally when using SAML authentication, if the GitHub profile name did not match the value of the attribute mapped to the Full name field in the Management Console.

  • The firstPatchedVersion field is now available on SecurityVulnerability objects in the GraphQL API.

  • Users of the GraphQL API can query the public field closingIssuesReferences on the PullRequest object. This field retrieves issues that will be automatically closed when the related pull request is merged. This approach will also allow this data to be migrated in future, as part of a higher fidelity migration process.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.8

May 25, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • MEDIUM: Under certain circumstances, users who were removed from a team or organization could retain write access to branches they had existing pull requests opened for.

  • Packages have been updated to the latest security versions.

  • On the "Configure Actions and Packages" page of the initial installation process, when an admin clicked the "Test domain settings" button the test did not complete.

  • Running ghe-btop failed with error cannot find a 'babeld' container.

  • Users were experiencing service unavailability after upgrading due to a mismatch of internal and external timeout values.

  • Normal replication delays in MSSQL generated warnings.

  • The link to the GitHub Enterprise Clustering Guide in the Management Console was incorrect.

  • An IP address added by an admin using the "Create Whitelist Entry" button could still be locked out.

  • References to the "Dependency graph" and "Dependabot alerts" features were shown on repositories where they were not enabled.

  • HTTP POST requests to the /hooks endpoint could fail with a 401 response due to the hookID being set incorrectly.

  • The build-server process failed to clean up processes leaving them in the defunct state.

  • spokesd created excessive log entries including the phrase "fixing placement skipped".

  • Check annotations older than 4 months will be archived.

  • Access to a repository through the administrative shell using ghe-repo <owner>/<reponame> will hang. As a workaround, use ghe-repo <owner>/<reponame> -c "bash -i" until a fix is available in the next version.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not retained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.7

May 13, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • HIGH: A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability has been assigned CVE-2021-22866 and was reported via the GitHub Bug Bounty Program.

  • Packages have been updated to the latest security versions.

  • Quotes included in Actions or Packages storage configuration could cause errors.

  • Custom pre-receive hooks could fail due to too restrictive file size or number of open file limits.

  • Orchestrator auto failover could be enabled during the config apply phase.

  • Users with maintainer permissions to a repository were shown an e-mail verification warning instead of a successful page build on the repository Pages settings page.

  • The code owner of a wildcard rule would be incorrectly added to the list of owners for the code owners badge even if a later rule took precedence for that path.

  • OpenAPI documentation referred to an invalid header.

  • When creating or editing a pre-receive hook, a race condition in the user interface meant that after selecting a repository, files within the repository were sometimes not populated in the files dropdown.

  • Added logging for config change on HAProxy reload.

  • Added logging for repository creation.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not retained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.6

April 28, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

  • Packages have been updated to the latest security versions.

  • During upgrades, the process would pause indefinitely after the cleanup nomad job step.

  • ghe-cluster-failover failed with the error message Trilogy::Error: trilogy_connect.

  • ghe-cluster-status-mysql showed warnings about failovers as errors.

  • Setup script running on MySQL replication may have caused unnecessary database reseeding during database failover.

  • Upgrades did not properly install the latest version of the Actions runner.

  • github-env configuration could result in zombie processes.

  • config-apply could take longer than necessary due to rake db:migrate being called unnecessarily.

  • Orchestrator could fail over to a MySQL replica that was not replicating from the primary during the seeding phase, when the primary could not be reached.

  • Organizations or projects with errors blocked migration and could not be excluded.

  • The Create Repository button was disabled for users who belonged to more than 50 organizations.

  • Deleting a branch would temporarily flash an error message indicating something went wrong when the deletion was successful.

  • The rms-packages index was shown in the site admin dashboard.

  • Organization owner was unable to create internal repository due to the correct visibility options not being displayed on the form.

  • The repository actions tab rendered a 500 in cases where the actions starter workflows were misconfigured.

  • Customers with more than three storage hosts were unable to restore to their disaster-recovery cluster due to the fullest disks being selected instead of empty nodes.

  • Code Scanning backend services did not start up reliably after applying hotpatches.

  • Preflight checks allow all AWS instance types by default.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not retained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.5

April 14, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

The minimum infrastructure requirements have increased for GitHub Enterprise Server 3.0+. For more information, see "About minimum requirements for GitHub Enterprise Server 3.0 and later."

  • Packages have been updated to the latest security versions.

  • Some logs were not included in the log forwarding configuration.

  • A warning message jq: error (at <stdin>:0): Cannot index number with string "settings" could occur during replica promotion.

  • Continuously restoring backups to a cluster could fail due to MySQL replicas failing to connect to the primary.

  • Pages were not getting published when using custom CA certificate.

  • Packages related subdomains were not showing up in the "Test domain settings" prompt for subdomain isolation.

  • The X-GitHub-Enterprise-Host header sent with webhooks included a random string, rather than the hostname of the GitHub Enterprise Server instance that sent the HTTP POST payload.

  • Upgrading from 2.22.x to 3.0.x would fail if GitHub Actions had previously been enabled, but disabled before the upgrade.

  • Visiting the /settings/emails page would store state that could cause improper redirects when logging out and logging back in.

  • GitHub integration apps were not able to notify teams when mentioned directly via an at-mention in an issue comment.

  • reStructuredText (RST) rendering in the web UI would fail and instead displayed raw RST markup text.

  • Email notifications for Secret Scanning alerts were not sent to authorized users when the Dependency Graph was not fully enabled.

  • When ghe-migrator encountered import errors, it would sometimes abort the entire process, and the logs did not include enough context.

  • Jupyter notebooks with non-ASCII characters could fail to render.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not retained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When deleting a branch after merging a pull request, an error message appears although the branch deletion succeeds.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.4

April 1, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

The minimum infrastructure requirements have increased for GitHub Enterprise Server 3.0+. For more information, see "About minimum requirements for GitHub Enterprise Server 3.0 and later."

  • HIGH: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability has been assigned CVE-2021-22865 and was reported via the GitHub Bug Bounty Program.

  • Packages have been updated to the latest security versions.

  • When maintenance mode was enabled, some services continued to be listed as "active processes" even though they were expected to be running, and should not have been listed.

  • After upgrading from 2.22.x to 3.0.x with GitHub Actions enabled, the self-hosted runner version was not updated and no self-hosted updates were made.

  • Old GitHub Pages builds were not cleaned up leading to increased disk usage.

  • memcached was not running on active replicas.

  • Upgrade failed when updating file permissions when GitHub Actions was enabled.

  • A timezone set on GitHub Enterprise 11.10.x or earlier was not being used by some services which were defaulting to UTC time.

  • Services were not transitioning to new log files as part of log rotation, resulting in increased disk usage.

  • The ghe-saml-mapping-csv command-line utility produced a warning message.

  • The label on search results for internal repositories was shown as "Private" instead of "Internal".

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not retained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Jupyter Notebook rendering in the web UI may fail if the notebook includes non-ASCII UTF-8 characters.

  • reStructuredText (RST) rendering in the web UI may fail and instead display raw RST markup text.

  • When deleting a branch after merging a pull request, an error message appears although the branch deletion succeeds.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.3

March 23, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

Downloads have been disabled due to a major bug affecting multiple customers. A fix will be available in the next patch.

  • HIGH: A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to override environment variables leading to code execution on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.3 and was fixed in 3.0.3, 2.22.9, and 2.21.17. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22864.

  • Packages have been updated to the latest security versions.

  • Running ghe-cluster-config-init could cause a cluster to become inoperable.

  • Resolving merge conflicts in the GUI would fail when custom pre-receive hooks are configured on the repository.

  • launch-deployer and launch-receiver were logging at DEBUG level and filling logs with unnecessary information.

  • Systemd could lose track of HAProxy's PID.

  • When Actions was configured to use S3 storage, the logs for an action would sometimes fail to load.

  • The mysql-failover warning was displayed indefinitely after a successful failover.

  • The ghe-cluster-config-init run was not fully accounting for the exit code of background jobs leading to improper handling of preflight checks.

  • When enabling GitHub Actions, initialization could fail silently.

  • When vulnerability alerting is enabled, upgrades to the 3.0 series would fail.

  • Jobs related to Codespaces were being enqueued leading to an accumulation of unprocessed jobs.

  • A relative number is now used for the consul and nomad bootstrap_expect setting, allowing a cluster to bootstrap even if a handful of nodes are down.

  • Logs will rotate based on size in addition to time.

  • Added kafka-lite to the ghe-cluster-status command.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not retained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When maintenance mode is enabled, some services continue to be listed as "active processes". The services identified are expected to run during maintenance mode. If you experience this issue and are unsure, contact GitHub Enterprise Support or GitHub Premium Support.

  • Jupyter Notebook rendering in the web UI may fail if the notebook includes non-ASCII UTF-8 characters.

  • reStructuredText (RST) rendering in the web UI may fail and instead display raw RST markup text.

  • Old builds of Pages are not cleaned up, which could fill up the user disk (/data/user/).

  • When deleting a branch after merging a pull request, an error message appears although the branch deletion succeeds.

  • Log rotation may fail to signal services to transition to new log files, leading to older log files continuing to be used, and eventual root disk space exhaustion. To remedy and/or prevent this issue, run the following commands in the administrative shell (SSH), or contact GitHub Enterprise Support or GitHub Premium Support for assistance:

    printf "PATH=/usr/local/sbin:/usr/local/bin:/usr/local/share/enterprise:/usr/sbin:/usr/bin:/sbin:/bin\n29,59 * * * * root /usr/sbin/logrotate /etc/logrotate.conf\n" | sudo sponge /etc/cron.d/logrotate
    sudo /usr/sbin/logrotate -f /etc/logrotate.conf
    
  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.2

March 16, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

The minimum infrastructure requirements have increased for GitHub Enterprise Server 3.0+. For more information, see "About minimum requirements for GitHub Enterprise Server 3.0 and later."

  • Packages have been updated to the latest security versions.

  • During a backup an error "Warning: One or more storage objects were not found on the source appliance." was occurring when attempting to clean up purgeable storage objects.

  • The dependency graph failed while parsing JavaScript yarn.lock manifest files, generating HTTP 500 errors in the logs.

  • Disabling GitHub Actions sometimes failed.

  • Custom pre-receive hooks were not allowed to write to /tmp, preventing some scripts from executing correctly.

  • Systemd journal logs were duplicated in multiple places.

  • A timezone set on GitHub Enterprise 11.10.x or earlier was reset to the UTC timezone after upgrading to 3.0, which caused timestamps to change on some instances.

  • Clicking "Publish your first package" in the packages sidebar of a repository led to an empty page.

  • A site administrator could get a page with a "500 error" message when trying to view issues referenced in private repositories.

  • After disabling GitHub Packages, some organization pages would return an HTTP 500 error response.

  • Importing of repository archives from GitHub Enterprise Server that are missing repository files would fail with an error.

  • Repository deploy keys were unable to be used with repositories containing LFS objects.

  • In a repository's packages sidebar, the Docker icon was gray and the tooltip displayed "This service is deprecated".

  • Webhooks configured with a content type of application/x-www-form-urlencoded did not receive query parameters in the body of the POST request.

  • Users could dismiss a mandatory message without checking all of the checkboxes.

  • In some cases, after upgrading a 2.22.X instance, web interface assets were missing and the page would not render correctly.

  • Running ghe-config-apply could time out with Failure waiting for nomad jobs to apply due to 'job' stanza not found.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When maintenance mode is enabled, some services continue to be listed as "active processes". The services identified are expected to run during maintenance mode. If you experience this issue and are unsure, contact GitHub Enterprise Support or GitHub Premium Support.

  • Jupyter Notebook rendering in the web UI may fail if the notebook includes non-ASCII UTF-8 characters.

  • reStructuredText (RST) rendering in the web UI may fail and instead display raw RST markup text.

  • Old builds of Pages are not cleaned up, which could fill up the user disk (/data/user/).

  • When deleting a branch after merging a pull request, an error message appears although the branch deletion succeeds.

  • Users may experience assets such as avatars not loading, or a failure to push/pull code. This may be caused by a PID mismatch in the haproxy-cluster-proxy service. To determine if you have an affected instance:

    Single instance

    1. Run this in the administrative shell (SSH):

      if [ $(cat /var/run/haproxy-cluster-proxy.pid) -ne $(systemctl show --property MainPID --value haproxy-cluster-proxy) ]; then echo 'Main PID of haproxy-cluster-proxy does not match /var/run/haproxy-cluster-proxy.pid'; fi
      
    2. If it shows that there is a mismatch, reboot the instance.

    Cluster or High Availability configuration

    1. Run this in the administrative shell (SSH):

      ghe-cluster-each -- 'if [ $(cat /var/run/haproxy-cluster-proxy.pid) -ne $(systemctl show --property MainPID --value haproxy-cluster-proxy) ]; then echo "Main PID of haproxy-cluster-proxy does not match /var/run/haproxy-cluster-proxy.pid"; fi'
      
    2. If it shows one or more nodes are affected, reboot the affected nodes.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.1

Download

March, 02, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

The minimum infrastructure requirements have increased for GitHub Enterprise Server 3.0+. For more information, see "About minimum requirements for GitHub Enterprise Server 3.0 and later."

  • HIGH: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization-owned private repositories. Branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability was assigned CVE-2021-22861. This issue was reported via the GitHub Bug Bounty Program.

  • HIGH: An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are maintainers. Forking is disabled by default for organization-owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability was assigned CVE-2021-22863. This issue was reported via the GitHub Bug Bounty Program.

  • HIGH: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent to a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server versions 3.0.0, 3.0.0.rc2, and 3.0.0.rc1 and has been assigned CVE-2021-22862. This vulnerability was reported via the GitHub Bug Bounty program.

  • MEDIUM: GitHub Pages tokens could end up in logs.

  • Packages have been updated to the latest security versions.

  • The load-balancer health checks in some cases could cause the babeld logs to fill up with errors about the PROXY protocol.

  • HTTP headers were not compliant with the HTTP RFC standards in specific responses, such as a 304 status for archives.

  • On instances hosting Python repositories with the dependency graph feature, the instance could become unresponsive because the root disk filled up with error logs.

  • An informational message was unintentionally logged as an error in GitHub Enterprise Backup Utilities snapshots, which generated unnecessary emails when backups were scheduled by cron jobs that listen for output on stderr.

  • On VMWare ESX 6.7 the initial configuration could hang while creating host keys which left the instance inaccessible via SSH.

  • When GitHub Actions was enabled, it caused a failure in maintenance mode in the Management Console.

  • The package creation setting was shown on the organization member settings page even though this feature is not yet available.

  • When enabling secret scanning on the Security & analysis page, the dialog incorrectly mentioned private repositories.

  • When editing a wiki page, a user could get a 500 error when clicking the Save button.

  • An S/MIME signed commit using a certificate with multiple names in the subject alternative name would incorrectly show as "Unverified" in the commit badge.

  • Users saw a 500 error message when performing git operations on an instance configured with LDAP authentication.

  • Suspended users received emails when added to a team.

  • When a repository had a large number of manifests, the error "You have reached the maximum number of allowed manifest files (20) for this repository." was shown on the Insights -> Dependency graph tab. For more information, see Visualization limits.

  • Fixes users being presented with the option to set up the code scanning CodeQL Action even though Actions had not been enabled for their repository.

  • The "Prevent repository admins from changing anonymous Git read access" checkbox available in the enterprise account settings could not be successfully enabled or disabled.

  • The modal used to display a mandatory message did not have a vertical scrollbar, which meant that longer messages could not be viewed in full.

  • Redis could sometimes fail to start after a hard reboot or application crash.

  • Dependency graph fails to parse setup.py Python manifest files, resulting in HTTP 500 errors in logs. This, combined with the duplicated logging issue, results in increased root volume utilization.

  • Satisfy requests concurrently when multiple users are downloading the same archive, resulting in improved performance.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When maintenance mode is enabled, some services continue to be listed as "active processes". The services identified are expected to run during maintenance mode. If you experience this issue and are unsure, contact GitHub Enterprise Support or GitHub Premium Support.

  • Duplicated logging to /var/log/messages, /var/log/syslog, and /var/log/user.log results in increased root volume utilization.

  • Users can dismiss a mandatory message without checking all the checkboxes.

  • Pre-receive hook scripts cannot write temporary files, which may cause script execution to fail. Users who use pre-receive hooks should test in a staging environment to see if scripts require write access.

  • Repository deploy keys are unable to be used with repositories containing LFS objects.

  • Jupyter Notebook rendering in the web UI may fail if the notebook includes non-ASCII UTF-8 characters.

  • reStructuredText (RST) rendering in the web UI may fail and instead display raw RST markup text.

  • Dependency graph fails to parse yarn.lock Javascript manifest files, resulting in HTTP 500 errors in logs.

  • Instances with a custom timezone that were upgraded from an earlier release of GitHub Enterprise Server may have incorrect timestamps in the web UI.

  • Old builds of Pages are not cleaned up, which could fill up the user disk (/data/user/).

  • When deleting a branch after merging a pull request, an error message appears although the branch deletion succeeds.

  • Users may experience assets such as avatars not loading, or a failure to push/pull code. This may be caused by a PID mismatch in the haproxy-cluster-proxy service. To determine if you have an affected instance:

    Single instance

    1. Run this in the administrative shell (SSH):

      if [ $(cat /var/run/haproxy-cluster-proxy.pid) -ne $(systemctl show --property MainPID --value haproxy-cluster-proxy) ]; then echo 'Main PID of haproxy-cluster-proxy does not match /var/run/haproxy-cluster-proxy.pid'; fi
      
    2. If it shows that there is a mismatch, reboot the instance.

    Cluster or High Availability configuration

    1. Run this in the administrative shell (SSH):

      ghe-cluster-each -- 'if [ $(cat /var/run/haproxy-cluster-proxy.pid) -ne $(systemctl show --property MainPID --value haproxy-cluster-proxy) ]; then echo "Main PID of haproxy-cluster-proxy does not match /var/run/haproxy-cluster-proxy.pid"; fi'
      
    2. If it shows one or more nodes are affected, reboot the affected nodes.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.

Enterprise Server 3.0.0

Download

February, 16, 2021

📣 This is not the latest patch release of this release series, and this is not the latest release of Enterprise Server. Please use the latest release for the latest security, performance, and bug fixes.

The minimum infrastructure requirements have increased for GitHub Enterprise Server 3.0+. For more information, see "About minimum requirements for GitHub Enterprise Server 3.0 and later."

  • HIGH: A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability has been assigned CVE-2020-10519 and was reported via the GitHub Bug Bounty Program.

  • GitHub Actions

    • GitHub Actions (https://github.com/features/actions) is available on GitHub Enterprise Server 3.0+. Build, test, and deploy your code from GitHub. Submit code reviews, branch management, and issue triaging work the way you want.

      This release includes several improvements from the beta of GitHub Actions on GitHub Enterprise Server:

      GitHub Actions is not currently supported for enterprises using cluster configurations.

  • GitHub Package Registry

    • GitHub Package Registry is a package hosting service, natively integrated with GitHub APIs, Actions, and webhooks. Create an end-to-end DevOps workflow that includes your code, continuous integration, and deployment solutions.

      Supported storage backends include AWS S3 and MinIO, with support for Azure Blob coming in a future release. Note that the current Docker support will be replaced by a beta of the new GitHub Container Registry in the next release. Review the updated minimum requirements for your platform before enabling GitHub Package Registry.

      When publishing packages to NuGet, users can now use the --api-key option to pass their authentication token instead of writing it to a file. For more information, see "Configuring the dotnet CLI for use with GitHub Packages".

      GitHub Package Registry is not currently supported for enterprises using cluster configurations.

  • GitHub Mobile beta

    • GitHub Mobile beta allows you to triage notifications and manage issues and pull requests from your device. You can be simultaneously signed in to mobile with one user account on GitHub.com and one user account on GitHub Enterprise Server.

      GitHub Mobile beta is now available for GitHub Enterprise Server. Sign in with our Android and iOS apps to triage notifications and manage issues and pull requests on the go. Administrators can disable mobile support for their enterprise using the Management Console or by running the command ghe-config app.mobile.enabled false.

  • Advanced Security secret scanning beta

    • Secret scanning beta (https://github.com/features/security) scans public and private repositories for committed credentials, finds secrets, and notifies the secret provider or administrator the moment they are committed to a repository.

      Administrators using GitHub Advanced Security can enable and configure (/enterprise-server@3.0/admin/configuration/configuring-secret-scanning-for-your-appliance) GitHub Advanced Security secret scanning. You can review the updated minimum requirements for your platform before enabling GitHub Advanced Security secret scanning.

  • Advanced Security code scanning

  • Administration changes

    • The webhook event delivery system has been re-architected for higher throughput, faster deliveries, and fewer delayed messages. It also uses less CPU and memory on GitHub Enterprise Server 3.0+.

    • Organization and enterprise owners can now see when a team member was promoted to or demoted from being a team maintainer in the audit log, via the new team.promote_maintainer and team.demote_maintainer audit log events. For more information, see "Audited actions."

    • Repository maintainers with existing GitHub Pages sites can easily update the previous default branch name.

    • Additional hardware resources are required to run GitHub Enterprise Server with any of Actions, Packages, or Advanced Security enabled. For more information on the minimum resources required for each supported platform, see "Setting up a GitHub Enterprise Server instance."

    • Administrators can now publish a message that all users must accept. This can help onboard new users and surface other organization-specific information and policies.

  • Security changes

    • Organization owners can now disable publishing of GitHub Pages sites from repositories in the organization. Disabling GitHub Pages for the organization will prevent members from creating new Pages sites, but will not unpublish existing sites. For more information, see "Disabling publication of GitHub Pages sites for your organization."

    • A datacenter must be explicitly defined on all nodes before enabling an active replica.

    • All use of SSH fingerprints has been switched to SHA256 fingerprints, as used by OpenSSH since version 6.8. This applies to the web interface and also to the API where fingerprints are returned, such as in GraphQL. The fingerprints follow the OpenSSH format.

    • SHA-1 and SHA-256 signature headers (two headers) are sent in webhooks.
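As an added example (not GitHub's code and not part of these release notes), a receiver-side check for the two signature headers mentioned above, following GitHub's documented X-Hub-Signature / X-Hub-Signature-256 format of `<algo>=<hex HMAC of the raw request body>` keyed with the webhook secret. The secret, body and `require_sha256` switch are constructed for this example; the check prefers the SHA-256 header and only accepts the legacy SHA-1 header when explicitly allowed.

```python
import hmac

# Constructed sample values (not from the release notes): a webhook secret
# and the raw body of one delivery. In production the secret comes from the
# hook's configuration and the body must be the unmodified request payload.
SECRET = b"constructed-example-secret"
BODY = b'{"action":"opened","number":42}'

# Header name (lower-cased) and the HMAC digest it carries, in order of preference.
SIGNATURE_HEADERS = (
    ("x-hub-signature-256", "sha256"),  # preferred: HMAC-SHA256
    ("x-hub-signature", "sha1"),        # legacy: HMAC-SHA1
)


def sign(body: bytes, secret: bytes, algo: str) -> str:
    """Produce a header value in the '<algo>=<hex digest>' format (sender side)."""
    return f"{algo}={hmac.new(secret, body, algo).hexdigest()}"


def verify_signature(headers: dict, body: bytes, secret: bytes,
                     require_sha256: bool = True) -> bool:
    """Return True only if a signature header matches the body.

    The SHA-256 header is checked first. The SHA-1 header is accepted only
    when require_sha256 is False (e.g. while a sender still emits just the
    legacy header). The comparison is constant time so the expected digest
    cannot be learned through timing.
    """
    # HTTP header names are case-insensitive; normalize once.
    normalized = {k.lower(): v for k, v in headers.items()}
    for name, algo in SIGNATURE_HEADERS:
        received = normalized.get(name)
        if received is None:
            continue
        if algo == "sha1" and require_sha256:
            return False  # legacy header alone is not acceptable
        prefix = algo + "="
        if not received.startswith(prefix):
            return False  # malformed or wrong-algorithm value
        expected = hmac.new(secret, body, algo).hexdigest()
        return hmac.compare_digest(received[len(prefix):], expected)
    return False  # no signature header at all


if __name__ == "__main__":
    hdrs = {
        "X-Hub-Signature-256": sign(BODY, SECRET, "sha256"),
        "X-Hub-Signature": sign(BODY, SECRET, "sha1"),
    }
    print(verify_signature(hdrs, BODY, SECRET))          # True
    print(verify_signature(hdrs, BODY + b"\n", SECRET))  # False: body altered
```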

  • Developer changes

    • Most services running on GitHub Enterprise Server 3.0+ are now in containers, which allows GitHub to iterate internally and ship quality releases quickly.

    • The webhook event delivery system has been re-architected for better throughput, faster deliveries, and fewer delayed messages.

  • API changes

    • Administrators can now configure and manage the site-wide announcement banner via the REST API. For more information, see the endpoints for "GitHub Enterprise administration."

    • A new API endpoint allows the exchange of a user-to-server token for a user-to-server token scoped to specific repositories. For more information, see "Apps" in the GitHub REST API documentation.

  • Default branch renaming

    • Enterprise and organization administrators can now set the default branch name for new repositories. Enterprise administrators can also enforce their choice of default branch name across all organizations or allow individual organizations to choose their own.

      Existing repositories are not affected by these settings, and their default branch name will not be changed.

      The default branch for newly created repositories will be set to main in GHES 3.0, unless you opt out by setting the default branch setting at the enterprise level.

      This change is one of many changes GitHub is making to support projects and maintainers that want to rename their default branch. To learn more about the changes we're making, see github/renaming.

  • Fixes for known issues from Release Candidates

    • All known issues from Release Candidate 1 and Release Candidate 2 have been fixed, except those listed in the Known Issues section below.

  • Fixes for other issues

    • Issues with migrations and upgrades to 3.0.0 have been fixed.

    • Backup Utilities versioning now works for release candidate versions.

    • Generating a support bundle resulted in an error in the orchestrator logs.

    • A large restore could result in Redis running out of memory.

    • The checkbox to enable GitHub Actions in the Management Console is now visible with any authentication method.

    • GitHub Actions could be enabled if the required storage was also configured.

    • ghe-repl-status could silently fail if MSSQL replication was not configured.

    • The format of several log files has changed, including the addition of a PID for different log types. This does not affect how GitHub Enterprise Support uses support bundles to troubleshoot issues.

    • A PATCH request to the webhook configuration API no longer erases the webhook secret.

    • Certain types of pre-receive hooks were failing.

    • The Packages NuGet service now normalizes semantic versions on publish. An invalid semantic version (for example: v1.0.0.0.0.0) is not downloadable by NuGet clients and therefore a NuGet service is expected to normalize those versions (for example: v1.0.0.0.0.0 --> v1.0.0). Any original, non-normalized, version will be available in the verbatimVersion field. No changes to client configurations are required.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When maintenance mode is enabled, some services continue to be listed as "active processes". The services identified are expected to run during maintenance mode. If you experience this issue and are unsure, contact GitHub Enterprise Support or GitHub Premium Support.

  • When GitHub Actions is enabled, use 'ghe-maintenance -u' to unset maintenance mode.

  • Duplicated logging to /var/log/messages, /var/log/syslog, and /var/log/user.log results in increased root volume utilization.

  • Users can dismiss a mandatory message without checking all the checkboxes.

  • Pre-receive hook scripts cannot write temporary files, which may cause script execution to fail. Users who use pre-receive hooks should test in a staging environment to see if scripts require write access.

  • Repository deploy keys are unable to be used with repositories containing LFS objects.

  • Jupyter Notebook rendering in the web UI may fail if the notebook includes non-ASCII UTF-8 characters.

  • reStructuredText (RST) rendering in the web UI may fail and instead display raw RST markup text.

  • Dependency graph fails to parse setup.py Python manifest files, resulting in HTTP 500 errors in logs. This, combined with the duplicated logging issue, results in increased root volume utilization.

  • A race condition can cause dependency graph database migrations to appear to fail.

  • Instances with a custom timezone that were upgraded from an earlier release of GitHub Enterprise Server may have incorrect timestamps in the web UI.

  • Old builds of Pages are not cleaned up, which could fill up the user disk (/data/user/).

  • When deleting a branch after merging a pull request, an error message appears although the branch deletion succeeds.

  • When a replica node is offline in a high availability configuration, GitHub Enterprise Server may still route GitHub Pages requests to the offline node, reducing the availability of GitHub Pages for users.
