Skip to main content

Enterprise Server 3.3 release notes

September 21, 2022

📣 Esta não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.

  • MEDIUM: The use of a Unicode right-to-left override character in the list of accessible files for a GitHub App could obscure additional files that the app could access.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • Installation of a TLS certificate failed when the certificate's subject string included UTF-8 characters.

  • Configuration runs could fail when retry-limit or retry-sleep-duration were manually set by an administrator using ghe-config.

  • In some cases, the Management Console's monitor dashboard would not load correctly.

  • Removed a non-functional link for exporting Management Console monitor graphs as a PNG image.

  • When sending a support bundle to GitHub Enterprise Support using ghe-support-upload, the -t option would not successfully associate the uploaded bundle with the specified ticket.

  • A link back to the security settings for the instance's enterprise account could render an incorrect view.

  • Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.

  • After a user deleted or restored packages from the web interface, counts for packages could render incorrectly.

  • After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.

  • Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository's default branch changed.

  • When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

  • Hotpatch upgrades to GitHub Enterprise Server may fail. Upgrades with the full .pkg are unaffected. If the upgrade fails for your instance, either run the full .pkg upgrade, or work around the issue by performing the following steps.

    1. SSH into the affected node.

    2. To launch GRUB, run the following command.

      sudo dpkg --configure -a
      
    3. In the first GRUB window, you will see a list of devices. Do not modify the selection. Press the Tab key to highlight <Ok>, then press Return/Enter to accept.

    4. In the second GRUB window, to continue without installing GRUB, use the arrow keys to highlight <Yes>, then press Return/Enter to accept.

    5. After you are returned to the prompt, use ghe-upgrade to start the hotpatch installation again.

    If you're unable to upgrade, or if you need further assistance, contact GitHub Support. For more information, see "Creating a support ticket." [Updated: 2022-09-27]

August 30, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Bug fixes

  • Após desbloquear um repositório para acesso temporário, o administrador do site não conseguiu gerenciar as configurações dos produtos de segurança no repositório.

  • Chaves SSH administrativas duplicadas podem aparecer tanto no Console de Gerenciamento quanto no arquivo /home/admin/.ssh/authorized_keys.

  • Em alguns casos, executar ghe-cluster-config-apply pode replicar uma configuração vazia para nós existentes em um cluster.

  • Em alguns casos, as execuções de configuração iniciadas com ghe-config-apply não foram concluídas ou retornaram um erro Incompatibilidade de contagem de contêiner.

  • Depois de atualizar um certificado TLS autoassinado em uma instância de4 servidor do GitHub Enterprise, os elementos da interface do usuário em algumas páginas da interface da Web não apareceram.

  • Em alguns casos, as tarefas em segundo plano podem parar devido a uma biblioteca que foi usada simultaneamente, apesar de não ser thread-safe.

    Known issues

  • Depois da atualização para GitHub Enterprise Server 3.3, o GitHub Actions pode ter falhas na inicialização automática. Para resolver esse problema, conecte-se ao dispositivo via SSH e execute o comando ghe-actions-start.

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor pode criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos LFS do Git enviados através da interface da Web são adicionados diretamente ao repositório e de forma incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, onde o caminho do arquivo de blobs é maior que 255 caracteres.

  • Quando "Usuários podem pesquisar GitHub.com" está habilitado com GitHub Connect, os problemas em repositórios privados e internos não são incluídos nos resultados de pesquisa de GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos a retornar esse valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos que são específicos para processamento de hooks pre-receive podem causar falha em alguns hooks pre-receive.

  • As configurações de armazenamento de GitHub Actions não podem ser validadas e salvas no Console de Gerenciamento quando "Forçar estilo de caminho" for selecionado e deverão ser definidas com a ferramenta de linha de comando ghe-actions-precheck.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

August 11, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • CRITICAL: GitHub Enterprise Server's Elasticsearch container used a version of OpenJDK 8 that was vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability is tracked as CVE-2022-34169.

  • HIGH: Previously installed apps on user accounts were automatically granted permission to access an organization on scoped access tokens after the user account was transformed into an organization account. This vulnerability was reported via the GitHub Bug Bounty program.

    Bug fixes

  • When a custom dormancy threshold was set for the instance, suspending all dormant users did not reliably respect the threshold. For more information about dormancy, see "Managing dormant users."

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

July 21, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • MEDIUM: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached.

  • MEDIUM: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface.

  • Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including CVE-2020-13379 and CVE-2022-21702.

  • Packages have been updated to the latest security versions.

  • MEDIUM: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23733. [Updated: 2022-07-31]

    Bug fixes

  • Fixed an issue where the files inside the artifact zip archives had permissions of 000 when unpacked using an unzip tool. Now the files will have the permissions set to 644, the same way as it works in GitHub.com.

  • In some cases, the collectd daemon could consume excess memory.

  • In some cases, backups of rotated log files could accumulate and consume excess storage.

  • After an upgrade to a new feature release and subsequent configuration run, Elasticsearch could log excessive exceptions while rebuilding indices.

  • In some cases where a protected branch required more than one approving review, a pull request could be merged with fewer than the required number of approving reviews.

  • On instances using LDAP authentication, the authentication prompt for sudo mode incorrectly placed the cursor within the password field by default when text fields for both a username and password were visible.

    Changes

  • The ghe-set-password command-line utility starts required services automatically when the instance is booted in recovery mode.

  • Metrics for aqueduct background processes are gathered for Collectd forwarding and display in the Management Console.

  • The location of the database migration and configuration run log, /data/user/common/ghe-config.log, is now displayed on the page that details a migration in progress.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

June 28, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • MÉDIO: garante que github.company.com e github-company.com não sejam avaliados por serviços internos como nomes de host idênticos, evitando um possível ataque de SSRF (falsificação de segurança do lado do servidor).

  • BAIXO: um invasor pode acessar o Console de gerenciamento com um ataque de passagem de caminho via HTTP, mesmo que regras de firewall externas bloqueiem o acesso HTTP.

  • Os pacotes foram atualizados para as últimas versões de segurança.

    Bug fixes

  • Em alguns casos, os administradores do site não foram adicionados automaticamente como proprietários da empresa.

  • Depois de mesclar um branch a um branch padrão, o link "Histórico" de um arquivo ainda será vinculado ao branch anterior em vez do de destino.

    Changes

  • A criação ou atualização de execuções de verificação ou conjuntos de verificação poderá retornar 500 Internal Server Error se o valor de determinados campos, como o nome, for muito longo.

    Known issues

  • Depois da atualização para GitHub Enterprise Server 3.3, o GitHub Actions pode ter falhas na inicialização automática. Para resolver esse problema, conecte-se ao dispositivo via SSH e execute o comando ghe-actions-start.

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor pode criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos LFS do Git enviados através da interface da Web são adicionados diretamente ao repositório e de forma incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, onde o caminho do arquivo de blobs é maior que 255 caracteres.

  • Quando "Usuários podem pesquisar GitHub.com" está habilitado com GitHub Connect, os problemas em repositórios privados e internos não são incluídos nos resultados de pesquisa de GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos a retornar esse valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos que são específicos para processamento de hooks pre-receive podem causar falha em alguns hooks pre-receive.

  • As configurações de armazenamento de GitHub Actions não podem ser validadas e salvas no Console de Gerenciamento quando "Forçar estilo de caminho" for selecionado e deverão ser definidas com a ferramenta de linha de comando ghe-actions-precheck.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

June 09, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • An internal script to validate hostnames in the GitHub Enterprise Server configuration file would return an error if the hostname string started with a "." (period character).

  • In HA configurations where the primary node's hostname was longer than 60 characters, MySQL would fail to be configured

  • The --gateway argument was added to the ghe-setup-network command, to allow passing the gateway address when configuring network settings using the command line.

  • Image attachments that were deleted would return a 500 Internal Server Error instead of a 404 Not Found error.

  • The calculation of "maximum committers across entire instance" reported in the site admin dashboard was incorrect.

  • An incorrect database entry for repository replicas caused database corruption when performing a restore using GitHub Enterprise Server Backup Utilities.

    Changes

  • Optimised the inclusion of metrics when generating a cluster support bundle.

  • In HA configurations where Elasticsearch reported a valid yellow status, changes introduced in a previous fix would block the ghe-repl-stop command and not allow replication to be stopped. Using ghe-repo-stop --force will now force Elasticsearch to stop when the service is in a normal or valid yellow status.

  • When using ghe-migrator or exporting from GitHub.com, migrations would fail to export pull request attachments.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

May 17, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • MÉDIO: foi identificado um problema de segurança no resolvedor nginx em que um invasor que pode forjar pacotes UDP do servidor DNS que pode causar uma substituição de memória de 1 byte, resultando em falhas no processo de trabalho ou outros impactos potencialmente prejudiciais. A vulnerabilidade foi atribuída CVE-2021-23017.

  • Atualizadas as ações actions/checkout@v2 e actions/checkout@v3 para abordar novas vulnerabilidades anunciadas na [postagem do blog de aplicação de segurança do Git](https://github.blog/2022-04-12-git-security -vulnerabilidade anunciada/).

  • Os pacotes foram atualizados para as últimas versões de segurança.

    Bug fixes

  • Em algumas topologias de cluster, o comando ghe-cluster-status deixou diretórios vazios em /tmp.

  • O SNMP registrou incorretamente um grande número de mensagens de erro Falha ao registrar statfs no syslog

  • Para instâncias configuradas com autenticação SAML e fallback integrado habilitado, os usuários integrados ficariam presos em um loop de "login" ao tentar entrar na página gerada após o logout.

  • Tentativas de visualizar a saída de git fsck da página /stafftools/repositories/:owner/:repo/disk falhariam com um 500 Erro Interno do Servidor.

  • Ao usar declarações criptografadas SAML, algumas delas não marcavam corretamente as chaves SSH como verificadas.

  • Os vídeos enviados para emitir comentários não seriam renderizados corretamente.

  • Ao usar o localizador de arquivos em uma página de repositório, digitar a tecla backspace no campo de pesquisa resultaria na listagem dos resultados da pesquisa várias vezes e causaria problemas de renderização.

  • Ao usar o Importador do GitHub Enterprise para importar um repositório, alguns problemas falhariam na importação devido a eventos de cronograma de projeto configurados incorretamente.

  • Ao usar ghe-migrator, uma migração falharia ao importar anexos de arquivos de vídeo em problemas e solicitações de pull.

  • A página de Versões retornaria um erro 500 quando o repositório tivesse marcas contendo caracteres não ASCII. [Atualizado em: 10-06-2022]

    Changes

  • Em configurações de alta disponibilidade, esclareça que a página de visão geral da replicação no Console de Gerenciamento exibe apenas a configuração de replicação atual, não o status de replicação atual.

  • Ao habilitar GitHub Packages, esclareça que o uso de um token de SAS (Assinatura de Acesso Compartilhado) como cadeia de conexão não tem suporte no momento.

  • Os pacotes de suporte agora incluem a contagem de linhas de tabelas armazenadas no MySQL.

  • Ao determinar em quais redes de repositório agendar a manutenção, não contamos mais o tamanho dos objetos inacessíveis.

  • O campo de resposta run_started_at agora está incluído na O fluxo de trabalho executa a API e na carga útil do webhook do evento workflow_run.

    Known issues

  • Depois da atualização para GitHub Enterprise Server 3.3, o GitHub Actions pode ter falhas na inicialização automática. Para resolver esse problema, conecte-se ao dispositivo via SSH e execute o comando ghe-actions-start.

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor pode criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos LFS do Git enviados através da interface da Web são adicionados diretamente ao repositório e de forma incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, onde o caminho do arquivo de blobs é maior que 255 caracteres.

  • Quando "Usuários podem pesquisar GitHub.com" está habilitado com GitHub Connect, os problemas em repositórios privados e internos não são incluídos nos resultados de pesquisa de GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos a retornar esse valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos que são específicos para processamento de hooks pre-receive podem causar falha em alguns hooks pre-receive.

  • As configurações de armazenamento de GitHub Actions não podem ser validadas e salvas no Console de Gerenciamento quando "Forçar estilo de caminho" for selecionado e deverão ser definidas com a ferramenta de linha de comando ghe-actions-precheck.

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

April 20, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • Packages have been updated to the latest security versions.

    Bug fixes

  • When a manifest file was deleted from a repository, the manifest would not be removed from the repository's "Dependency graph" page.

  • Resolved a regression that could lead to consistent failures to retrieve artifacts and download log archives for GitHub Actions. In some circumstances we stopped resolving URLs for internal communications that used localhost, and instead incorrectly used the instance hostname.

  • Upgrading the nodes in a high availability pair with an upgrade package could cause Elasticsearch to enter an inconsistent state in some cases.

  • Rotated log files with the extension .backup would accumulate in directories containing system logs.

  • In some cluster topologies, the command line utilities ghe-spokesctl and ghe-btop failed to run.

  • Elasticsearch indices could be duplicated during a package upgrade, due to an elasticsearch-upgrade service running multiple times in parallel.

  • In the pull request and commit views, rich diffs would fail to load for some files tracked by Git LFS.

  • When converting a user account to an organization, if the user account was an owner of the GitHub Enterprise Server enterprise account, the converted organization would incorrectly appear in the enterprise owner list.

  • Creating an impersonation OAuth token using the Enterprise Administration REST API resulted in an error when an integration matching the OAuth Application ID already existed.

  • The Secret Scanning REST API would return a 500 response code when there were UTF8 characters present in a detected secret.

  • Repository cache servers could serve data from non-cache locations even when the data was available in the local cache location.

    Changes

  • Configuration errors that halt a config apply run are now output to the terminal in addition to the configuration log.

  • When attempting to cache a value larger than the maximum allowed in Memcached, an error was raised however the key was not reported.

  • If GitHub Advanced Security features are enabled on your instance, the performance of background jobs has improved when processing batches for repository contributions.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with 32+ CPU cores would fail to launch, due to a bug present in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

April 04, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • MEDIUM: A path traversal vulnerability was identified in GitHub Enterprise Server Management Console that allowed the bypass of CSRF protections. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2022-23732.

  • MEDIUM: An integer overflow vulnerability was identified in the 1.x branch and the 2.x branch of yajil which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. This vulnerability was reported internally and has been assigned CVE-2022-24795.

  • Support bundles could include sensitive files if GitHub Actions was enabled.

  • Packages have been updated to the latest security versions.

    Bug fixes

  • When enabling Dependabot, an error caused some security advisories to temporarily read as no-longer applicable.

  • Minio processes would have high CPU usage if an old configuration option was present after upgrading GitHub Enterprise Server.

  • The options to enable TLS 1.0 and TLS 1.1 in the Privacy settings of the Management Console were shown, although removal of those protocol versions occurred in an earlier release.

  • In a HA environment, configuring MSSQL replication could require additional manual steps after enabling GitHub Actions for the first time.

  • A subset of internal configuration files are more reliably updated after a hotpatch.

  • The ghe-run-migrations script would sometimes fail to generate temporary certificate names correctly.

  • In a cluster environment, Git LFS operations could fail with failed internal API calls that crossed multiple web nodes.

  • Pre-receive hooks that used gpg --import timed out due to insufficient syscall privileges.

  • In some cluster topologies, webhook delivery information was not available.

  • Elasticsearch health checks would not allow a yellow cluster status when running migrations.

  • Repositories would display a non-functional Discussions tab in the web UI.

  • Organizations created as a result of a user transforming their user account into an organization were not added to the global enterprise account.

  • Links to inaccessible pages were removed.

  • The GitHub Actions deployment graph would display an error when rendering a pending job.

  • Some instances experienced high CPU usage due to large amounts unnecessary background jobs being queued.

  • LDAP user sync jobs would fail when trying to sync GPG keys that had been synced previously.

  • Following a link to a pull request from the users Pull Request dashboard would result in the repository header not loading.

  • Adding a team as a reviewer to a pull request would sometimes show the incorrect number of members on that team.

  • The remove team membership API endpoint would respond with an error when attempting to remove member externally managed via a SCIM Group.

  • A large number of dormant users could cause a GitHub Connect configuration to fail.

  • The "Feature & beta enrollments" page in the Site admin web UI was incorrectly available.

  • The "Site admin mode" link in the site footer did not change state when clicked.

  • The spokesctl cache-policy rm command no longer fails with the message error: failed to delete cache policy.

    Changes

  • Memcached connection limits were increased to better accommodate large cluster topologies.

  • The Dependency Graph API previously ran with a statically defined port.

  • The default shard counts for cluster-related Elasticsearch shard settings have been updated.

  • When filtering enterprise members by organization role on the "People" page, the text for the dropdown menu items has been improved.

  • The “Triage” and “Maintain” team roles are preserved during repository migrations.

  • Performance has been improved for web requests made by enterprise owners.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with 32+ CPU cores would fail to launch, due to a bug present in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

March 01, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • ALTO: foi identificada uma vulnerabilidade de estouro de número inteiro no analisador markdown do GitHub que poderia levar a vazamentos de informações e RCE. Essa vulnerabilidade foi relatada pelo Programa de Recompensas por Bugs do GitHub por Felix Wilhelm do Project Zero da Google e foi designada CVE-2022-24724.

    Bug fixes

  • As atualizações às vezes poderão falhar se o relógio de uma réplica de alta disponibilidade estiver fora de sincroniza com o relógio principal.

  • Os aplicativos OAuth criados após 1º de setembro de 2020 não puderam usar o ponto de extremidade da API Verificar uma Autorização.

    Known issues

  • Depois da atualização para GitHub Enterprise Server 3.3, o GitHub Actions pode ter falhas na inicialização automática. Para resolver esse problema, conecte-se ao dispositivo via SSH e execute o comando ghe-actions-start.

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor pode criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos LFS do Git enviados através da interface da Web são adicionados diretamente ao repositório e de forma incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, onde o caminho do arquivo de blobs é maior que 255 caracteres.

  • Quando "Usuários podem pesquisar pelo GitHub.com" está habilitado com o GitHub Connect, os problemas em repositórios privados e internos não estão incluídos nos resultados de pesquisa do GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos a retornar esse valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos que são específicos para processamento de hooks pre-receive podem causar falha em alguns hooks pre-receive.

  • As configurações de armazenamento de GitHub Actions não podem ser validadas e salvas no Console de Gerenciamento quando "Forçar estilo de caminho" for selecionado e deverão ser definidas com a ferramenta de linha de comando ghe-actions-precheck.

  • As instâncias do GitHub Enterprise Server 3.3 instaladas no Azure e provisionadas com mais de 32 núcleos de CPU falhariam na inicialização devido a um bug presente no kernel Linux atual. [Atualizado em: 08-04/2022]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

February 17, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • Foi possível para um usuário registrar um usuário ou organização com nome "saml".

  • Os pacotes foram atualizados para as versões de segurança mais recentes.

    Bug fixes

  • As configurações de armazenamento de pacotes do GitHub não puderam ser validadas e salvas no Console de Gerenciamento quando o Armazenamento de Blobs do Azure foi usado.

  • A opção de configuração mssql.backup.cadence falhou no ghe-config-check com um alerta de conjunto de caracteres inválido.

  • Corrige SystemStackError (pilha muito profunda) ao obter mais de 2^16 chaves de memcached.

  • Vários menus de seleção do site foram interpretados incorretamente e não funcionaram.

    Changes

  • O Grafo de dependência agora pode ser habilitado sem dados de vulnerabilidade, permitindo que os clientes visualizem quais dependências estão em uso e quais as versões. Habilitar o Grafo de dependência sem habilitar o GitHub Connect não fornecerá informações sobre a vulnerabilidade.

  • A verificação de segredo vai ignorar a verificação de ZIP e outros arquivos em busca de segredos.

    Known issues

  • Depois da atualização para GitHub Enterprise Server 3.3, o GitHub Actions pode ter falhas na inicialização automática. Para resolver esse problema, conecte-se ao dispositivo via SSH e execute o comando ghe-actions-start.

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor poderia criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos de rastreamento LFS do Git enviados por meio da interface da Web são adicionados diretamente ao repositório e de forma incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, onde o caminho do arquivo de blobs é maior que 255 caracteres.

  • Quando a opção "Usuários podem pesquisar pelo GitHub.com" está habilitada com o GitHub Connect, os problemas em repositórios privados e internos não estão incluídos nos resultados de pesquisa do GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos retornando esse valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos específicos para processamento de ganchos de pré-recebimento podem causar falha nesses ganchos.

  • As configurações de armazenamento de GitHub Actions não podem ser validadas e salvas no Console de Gerenciamento quando a opção "Forçar estilo de caminho" for selecionada e deverão ser definidas com a ferramenta de linha de comando ghe-actions-precheck.

  • As instâncias do GitHub Enterprise Server 3.3 instaladas no Azure e provisionadas com mais de 32 núcleos de CPU falhariam na inicialização devido a um bug presente no kernel do Linux atual. [Atualizado em: 08-04-2022]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

February 01, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • MÉDIO: as chamadas de API de digitalização de segredo podem retornar alertas para repositórios fora do escopo da solicitação.

  • Os pacotes foram atualizados para as últimas versões de segurança.

    Bug fixes

  • O Pages ficava indisponível após uma rotação do segredo do MySQL até nginx ser reiniciada manualmente.

  • As migrações poderiam falhar quando GitHub Actions era habilitado.

  • Ao definir o agendamento de manutenção com uma data da ISO 8601, o horário programado real não correspondia devido fato de o fuso horário não ser convertido em UTC.

  • As mensagens de erro falsas sobre o arquivo cloud-config.service eram a saída para o console.

  • O número da versão não podia ser atualizado corretamente após a instalação de um patch dinâmico que usava ghe-cluster-each.

  • Trabalhos de limpeza na tabela de Webhook podem ser executados simultaneamente, causando contenção de recursos e aumentando o tempo de execução do trabalho.

  • Quando executado no primário, o ghe-repl-teardown em uma réplica não a removia do grupo de disponibilidade do MSSQL.

  • A capacidade de limitar notificações com base em email para usuários com emails em um domínio verificado ou aprovado não funcionou corretamente.

  • Ao usar a autenticação CAS e a opção "Reativar usuários suspensos" era habilitada, os usuários suspensos não eram reativados automaticamente.

  • Uma migração de execução longa do banco de dados relacionada às configurações de alerta de segurança pode atrasar a conclusão da atualização.

    Changes

  • O registro de conexão de dados do GitHub Connect agora inclui uma contagem do número de usuários ativos e inativos e o período de inatividade configurado.

    Known issues

  • Depois da atualização para GitHub Enterprise Server 3.3, as GitHub Actions podem ter falhas na inicialização automática. Para resolver esse problema, conecte-se ao dispositivo via SSH e execute o comando ghe-actions-start.

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor pode criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos LFS do Git enviados através da interface Web são adicionados diretamente ao repositório e de maneira incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, em que o caminho do arquivo blob's é maior que 255 caracteres.

  • Quando "Usuários podem pesquisar pelo GitHub.com" está habilitado com o GitHub Connect, os problemas em repositórios privados e internos não estão incluídos nos resultados de pesquisa do GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos a retornar este valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos que são específicos para processamento de hooks pre-receive podem causar falha em alguns hooks pre-receive.

  • As configurações de armazenamento de GitHub Actions não podem ser validadas e salvas no Console de Gerenciamento quando "Forçar estilo de caminho" for selecionado e deverão ser definidas com a ferramenta de linha de comando ghe-actions-precheck.

  • As instâncias do GitHub Enterprise Server 3.3 instaladas no Azure e provisionadas com mais de 32 núcleos de CPU falhavam na inicialização devido a um bug presente no kernel do Linux atual. [Atualizado em: 08-04-2022]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

January 18, 2022

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • Os pacotes foram atualizados para as últimas versões de segurança. Nestas atualizações, Log4j foi atualizado para a versão 2.17.1. Observe: mitigações anteriores nas versões 3.3.1, 3.2.6, 3.1.14 e 3.0.22 são suficientes para abordar o impacto de CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 e CVE-2021-44832 nestas versões do GitHub Enterprise Server.

  • Higienize mais segredos nos pacotes de suporte gerados

  • Os usuários de equipes com a função de gerente de segurança agora serão notificados dos alertas de segurança em repositórios que estão inspecionando.

  • O componente gerente de segurança mostrará um aviso menos agressivo quando o número máximo de equipes for alcançado.

  • A página de gerenciamento do repositório deve retornar 403 ao tentar remover uma equipe do gerente de segurança do repositório.

  • Os pacotes foram atualizados para as últimas versões de segurança.

    Bug fixes

  • Os executores auto-hospedados das ações falhavam ao realizar a própria atualização ou executar novos trabalhos após a atualização a partir de uma instalação antiga do GHES.

  • Não foi possível validar as configurações de armazenamento no momento da configuração de MinIO como armazenamento blobs para pacotes do GitHub.

  • Não foi possível validar e salvar as configurações de armazenamento do GitHub Actions no Console de Gerenciamento quando o "Estilo de Caminho de Forma" foi selecionado.

  • As ações eram deixadas em um estado parado após uma atualização com o modo de manutenção definido.

  • Às vezes pode ocorrer uma falha ao executar ghe-config-apply devido a problemas de permissão em /data/user/tmp/pages.

  • O botão salvar no console de gerenciamento não era acessível usando a barra de rolagem nos navegadores de baixa resolução.

  • Grafos de monitoramento de tráfego de armazenamento e IOPS e não foram atualizados após a atualização de versão do collectd.

  • Alguns trabalhos relacionados ao Webhook poderiam gerar uma grande quantidade de registros.

  • Um item de navegação de cobrança estava visível nas páginas de administrador do site.

  • Vários links de documentação geraram um erro 404 Not Found error.

    Known issues

  • Depois da atualização para GitHub Enterprise Server 3.3, as GitHub Actions podem ter falhas na inicialização automática. Para resolver esse problema, conecte-se ao dispositivo via SSH e execute o comando ghe-actions-start.

  • Em uma instância de GitHub Enterprise Server recém-configurada sem usuários, um invasor pode criar o primeiro usuário administrador.

  • As regras de firewall personalizadas são removidas durante o processo de atualização.

  • Arquivos LFS do Git enviados através da interface Web são adicionados diretamente ao repositório e de maneira incorreta.

  • Os problemas não podem ser fechados se contiverem um permalink para um blob no mesmo repositório, em que o caminho do arquivo blob's é maior que 255 caracteres.

  • Quando "Usuários podem pesquisar pelo GitHub.com" está habilitado com o GitHub Connect, os problemas em repositórios privados e internos não estão incluídos nos resultados de pesquisa do GitHub.com.

  • O registro npm GitHub Packages não retorna mais um valor temporal em respostas de metadados. Isso foi feito para permitir melhorias substanciais de desempenho. Continuamos a ter todos os dados necessários para retornar um valor temporal como parte da resposta de metadados e continuaremos a retornar este valor no futuro quando tivermos resolvido os problemas de desempenho existentes.

  • Os limites de recursos que são específicos para processamento de hooks pre-receive podem causar falha em alguns hooks pre-receive.

  • As configurações de armazenamento de GitHub Actions não podem ser validadas e salvas no Console de Gerenciamento quando "Forçar estilo de caminho" for selecionado e deverão ser definidas com a ferramenta de linha de comando ghe-actions-precheck.

  • As instâncias do GitHub Enterprise Server 3.3 instaladas no Azure e provisionadas com mais de 32 núcleos de CPU falhavam na inicialização devido a um bug presente no kernel do Linux atual. [Atualizado em: 08-04-2022]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

December 13, 2021

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

    Security fixes

  • Critical: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, please see this post on the GitHub Blog.

  • December 17, 2021 update: The fixes in place for this release also mitigate CVE-2021-45046, which was published after this release. No additional upgrade for GitHub Enterprise Server is required to mitigate both CVE-2021-44228 and CVE-2021-45046.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with 32+ CPU cores would fail to launch, due to a bug present in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]

December 07, 2021

📣 Esta não é a versão de patch mais recente desta série, e não é a versão mais recente do Enterprise Server. Use a versão mais recente para acessar a segurança mais atual, correções de bugs e melhoria de desempenho.

For upgrade instructions, see "Upgrading GitHub Enterprise Server."

Note: We are aware of an issue where GitHub Actions may fail to start automatically following the upgrade to GitHub Enterprise Server 3.3. To resolve, connect to the appliance via SSH and run the ghe-actions-start command.

    Features

    Security Manager role

  • Organization owners can now grant teams the access to manage security alerts and settings on their repositories. The "security manager" role can be applied to any team and grants the team's members the following access:

    • Read access on all repositories in the organization.
    • Write access on all security alerts in the organization.
    • Access to the organization-level security tab.
    • Write access on security settings at the organization level.
    • Write access on security settings at the repository level.

    The security manager role is available as a public beta and subject to change. For more information, see "Managing security managers in your organization." [Updated 2022-07-29]

  • Ephemeral self-hosted runners for GitHub Actions & new webhooks for auto-scaling

  • GitHub Actions now supports ephemeral (single job) self-hosted runners and a new workflow_job webhook to make autoscaling runners easier.

    Ephemeral runners are good for self-managed environments where each job is required to run on a clean image. After a job is run, ephemeral runners are automatically unregistered from your GitHub Enterprise Server instance, allowing you to perform any post-job management.

    You can combine ephemeral runners with the new workflow_job webhook to automatically scale self-hosted runners in response to GitHub Actions job requests.

    For more information, see "Autoscaling with self-hosted runners" and "Webhook events and payloads."

  • Dark high contrast theme

  • A dark high contrast theme, with greater contrast between foreground and background elements, is now available on GitHub Enterprise Server 3.3. This release also includes improvements to the color system across all GitHub themes.

    Animated image of switching between dark default theme and dark high contrast on the appearance settings page

    For more information about changing your theme, see "Managing your theme settings."

    Changes

    Administration Changes

  • GitHub Enterprise Server 3.3 includes improvements to the maintenance of repositories, especially for repositories that contain many unreachable objects. Note that the first maintenance cycle after upgrading to GitHub Enterprise Server 3.3 may take longer than usual to complete.

  • GitHub Enterprise Server 3.3 includes the public beta of a repository cache for geographically-distributed teams and CI infrastructure. The repository cache keeps a read-only copy of your repositories available in additional geographies, which prevents clients from downloading duplicate Git content from your primary instance. For more information, see "About repository caching."

  • GitHub Enterprise Server 3.3 includes improvements to the user impersonation process. An impersonation session now requires a justification for the impersonation, actions are recorded in the audit log as being performed as an impersonated user, and the user who is impersonated will receive an email notification that they have been impersonated by an enterprise administrator. For more information, see "Impersonating a user."

  • A new stream processing service has been added to facilitate the growing set of events that are published to the audit log, including events associated with Git and GitHub Actions activity.

  • The GitHub Connect data connection record now includes a list of enabled GitHub Connect features. [Updated 2021-12-09]

  • Token Changes

  • An expiration date can now be set for new and existing personal access tokens. Setting an expiration date on personal access tokens is highly recommended to prevent older tokens from leaking and compromising security. Token owners will receive an email when it's time to renew a token that's about to expire. Tokens that have expired can be regenerated, giving users a duplicate token with the same properties as the original.

    When using a personal access token with the GitHub API, a new GitHub-Authentication-Token-Expiration header is included in the response, which indicates the token's expiration date. For more information, see "Creating a personal access token."

  • Notifications changes

  • Notification emails from discussions now include (Discussion #xx) in the subject, so you can recognize and filter emails that reference discussions.

  • Repositories changes

  • Public repositories now have a Public label next to their names like private and internal repositories. This change makes it easier to identify public repositories and avoid accidentally committing private code.

  • If you specify the exact name of a branch when using the branch selector menu, the result now appears at the top of the list of matching branches. Previously, exact branch name matches could appear at the bottom of the list.

  • When viewing a branch that has a corresponding open pull request, GitHub Enterprise Server now links directly to the pull request. Previously, there would be a prompt to contribute using branch comparison or to open a new pull request.

  • You can now click a button to copy the full raw contents of a file to the clipboard. Previously, you would need to open the raw file, select all, and then copy. To copy the contents of a file, navigate to the file and click in the toolbar. Note that this feature is currently only available in some browsers.

  • When creating a new release, you can now select or create the tag using a dropdown selector, rather than specifying the tag in a text field. For more information, see "Managing releases in a repository."

  • A warning is now displayed when viewing a file that contains bidirectional Unicode text. Bidirectional Unicode text can be interpreted or compiled differently than it appears in a user interface. For example, hidden bidirectional Unicode characters can be used to swap segments of text in a file. For more information about replacing these characters, see the GitHub changelog.

  • You can now use CITATION.cff files to let others know how you would like them to cite your work. CITATION.cff files are plain text files with human- and machine-readable citation information. GitHub Enterprise Server parses this information into common citation formats such as APA and BibTeX. For more information, see "About CITATION files."

  • Markdown changes

  • You can use new keyboard shortcuts for quotes and lists in Markdown files, issues, pull requests, and comments.

    • To add quotes, use cmd shift . on Mac, or ctrl shift . on Windows and Linux.
    • To add an ordered list, use cmd shift 7 on Mac, or ctrl shift 7 on Windows and Linux.
    • To add an unordered list, use cmd shift 8 on Mac, or ctrl shift 8 on Windows and Linux.

    See "Keyboard shortcuts" for a full list of available shortcuts.

  • You can now use footnote syntax in any Markdown field. Footnotes are displayed as superscript links that you can click to jump to the referenced information, which is displayed in a new section at the bottom of the document. For more information about the syntax, see "Basic writing and formatting syntax."

  • When viewing Markdown files, you can now click in the toolbar to view the source of a Markdown file. Previously, you needed to use the blame view to link to specific line numbers in the source of a Markdown file.

  • You can now add images and videos to Markdown files in gists by pasting them into the Markdown body or selecting them from the dialog at the bottom of the Markdown file. For information about supported file types, see "Attaching files."

  • GitHub Enterprise Server now automatically generates a table of contents for Wikis, based on headings.

  • When dragging and dropping files into a Markdown editor, such as images and videos, GitHub Enterprise Server now uses the mouse pointer location instead of the cursor location when placing the file.

  • Issues and pull requests changes

  • You can now search issues by label using a logical OR operator. To filter issues using logical OR, use the comma syntax. For example, label:"good first issue","bug" will list all issues with a label of good first issue or bug. For more information, see "Filtering and searching issues and pull requests."

  • Improvements have been made to help teams manage code review assignments. You can now:

    • Limit assignment to only direct members of the team.
    • Continue with automatic assignment even if one or more members of the team are already requested.
    • Keep a team assigned to review even if one or more members is newly assigned.

    The timeline and reviewers sidebar on the pull request page now indicate if a review request was automatically assigned to one or more team members.

    For more information, see the GitHub changelog.

  • You can now filter pull request searches to only include pull requests you are directly requested to review.

  • Filtered files in pull requests are now completely hidden from view, and are no longer shown as collapsed in the "Files Changed" tab. The "File Filter" menu has also been simplified. For more information, see "Filtering files in a pull request."

  • GitHub Actions changes

  • You can now create "composite actions" which combine multiple workflow steps into one action, and includes the ability to reference other actions. This makes it easier to reduce duplication in workflows. Previously, an action could only use scripts in its YAML definition. For more information, see "Creating a composite action."

  • Managing self-hosted runners at the enterprise level no longer requires using personal access tokens with the admin:enterprise scope. You can instead use the new manage_runners:enterprise scope to restrict the permissions on your tokens. Tokens with this scope can authenticate to many REST API endpoints to manage your enterprise's self-hosted runners.

  • The audit log now includes additional events for GitHub Actions. Audit log entries are now recorded for the following events:

    • A self-hosted runner is registered or removed.
    • A self-hosted runner is added to a runner group, or removed from a runner group.
    • A runner group is created or removed.
    • A workflow run is created or completed.
    • A workflow job is prepared. Importantly, this log includes the list of secrets that were provided to the runner.

    For more information, see "Security hardening for GitHub Actions."

  • GitHub Enterprise Server 3.3 contains performance improvements for job concurrency with GitHub Actions. For more information about the new performance targets for a range of CPU and memory configurations, see "Getting started with GitHub Actions for GitHub Enterprise Server."

  • To mitigate insider man in the middle attacks when using actions resolved through GitHub Connect to GitHub.com from GitHub Enterprise Server, the actions namespace (owner/name) is retired on use. Retiring the namespace prevents that namespace from being created on your GitHub Enterprise Server instance, and ensures all workflows referencing the action will download it from GitHub.com.

  • GitHub Packages changes

  • When a repository is deleted, any associated package files are now immediately deleted from your GitHub Packages external storage.

  • Dependabot and Dependency graph changes

  • Dependency review is out of beta and is now generally available for GitHub Advanced Security customers. Dependency review provides an easy-to-understand view of dependency changes and their security impact in the "Files changed" tab of pull requests. It informs you of which dependencies were added, removed, or updated, along with vulnerability information. For more information, see "Reviewing dependency changes in a pull request."

  • Dependabot is now available as a private beta, offering both version updates and security updates for several popular ecosystems. Dependabot on GitHub Enterprise Server requires GitHub Actions and a pool of self-hosted runners configured for Dependabot use. Dependabot on GitHub Enterprise Server also requires GitHub Connect to be enabled. To learn more and sign up for the beta, contact the GitHub Sales team.

  • Code scanning and secret scanning changes

  • The depth of CodeQL's analysis has been improved by adding support for more libraries and frameworks and increasing the coverage of our existing library and framework models. JavaScript analysis now supports most common templating languages, and Java now covers more than three times the endpoints of previous CodeQL versions. As a result, CodeQL can now detect even more potential sources of untrusted user data, steps through which that data flows, and potentially dangerous sinks where the data could end up. This results in an overall improvement of the quality of code scanning alerts.

  • CodeQL now supports scanning standard language features in Java 16, such as records and pattern matching. CodeQL is able to analyze code written in Java version 7 through 16. For more information about supported languages and frameworks, see the CodeQL documentation.

  • Improvements have been made to the code scanning on:push trigger when code is pushed to a pull request. If an on:push scan returns results that are associated with a pull request, code scanning will now show these alerts on the pull request.

    Some other CI/CD systems can be exclusively configured to trigger a pipeline when code is pushed to a branch, or even exclusively for every commit. Whenever such an analysis pipeline is triggered and results are uploaded to the SARIF API, code scanning will also try to match the analysis results to an open pull request. If an open pull request is found, the results will be published as described above. For more information, see the GitHub changelog.

  • You can now use the new pull request filter on the code scanning alerts page to find all the code scanning alerts associated with a pull request. A new "View all branch alerts" link on the pull request "Checks" tab allows you to directly view code scanning alerts with the specific pull request filter already applied. For more information, see the GitHub changelog.

  • User defined patterns for secret scanning is out of beta and is now generally available for GitHub Advanced Security customers. Also new in this release is the ability to edit custom patterns defined at the repository, organization, and enterprise levels. After editing and saving a pattern, secret scanning searches for matches both in a repository's entire Git history and in any new commits. Editing a pattern will close alerts previously associated with the pattern if they no longer match the updated version. Other improvements, such as dry-runs, are planned in future releases. For more information, see "Defining custom patterns for secret scanning."

  • API and webhook changes

  • Most REST API previews have graduated and are now an official part of the API. Preview headers are no longer required for most REST API endpoints, but will still function as expected if you specify a graduated preview in the Accept header of a request. For previews that still require specifying the preview in the Accept header of a request, see "API previews."

  • You can now use the REST API to configure custom autolinks to external resources. The REST API now provides beta GET/POST/DELETE endpoints which you can use to view, add, or delete custom autolinks associated with a repository. For more information, see "Autolinks."

  • You can now use the REST API to sync a forked repository with its upstream repository. For more information, see "Branches" in the REST API documentation.

  • Enterprise administrators on GitHub Enterprise Server can now use the REST API to enable or disable Git LFS for a repository. For more information, see "Repositories."

  • You can now use the REST API to query the audit log for an enterprise. While audit log forwarding provides the ability to retain and analyze data with your own toolkit and determine patterns over time, the new endpoint can help you perform limited analysis on recent events. For more information, see "GitHub Enterprise administration" in the REST API documentation.

  • GitHub App user-to-server API requests can now read public resources using the REST API. This includes, for example, the ability to list a public repository's issues and pull requests, and to access a public repository's comments and content.

  • When creating or updating a repository, you can now configure whether forking is allowed using the REST and GraphQL APIs. Previously, APIs for creating and updating repositories didn't include the fields allow_forking (REST) or forkingAllowed (GraphQL). For more information, see "Repositories" in the REST API documentation and "Repositories" in the GraphQL API documentation.

  • A new GraphQL mutation createCommitOnBranch makes it easier to add, update, and delete files in a branch of a repository. Compared to the REST API, you do not need to manually create blobs and trees before creating the commit. This allows you to add, update, or delete multiple files in a single API call.

    Commits authored using the new API are automatically GPG signed and are marked as verified in the GitHub Enterprise Server UI. GitHub Apps can use the mutation to author commits directly or on behalf of users.

  • When a new tag is created, the push webhook payload now always includes a head_commit object that contains the data of the commit that the new tag points to. As a result, the head_commit object will always contain the commit data of the payload's after commit.

  • Performance Changes

  • Page loads and jobs are now significantly faster for repositories with many Git refs.

    Known issues

  • After upgrading to GitHub Enterprise Server 3.3, GitHub Actions may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the ghe-actions-start command.

  • On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

  • Custom firewall rules are removed during the upgrade process.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository, where the blob's file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

  • Resource limits that are specific to processing pre-receive hooks may cause some pre-receive hooks to fail.

  • GitHub Actions storage settings cannot be validated and saved in the Console de Gerenciamento when "Force Path Style" is selected, and must instead be configured with the ghe-actions-precheck command line utility.

  • GitHub Enterprise Server 3.3 instances installed on Azure and provisioned with 32+ CPU cores would fail to launch, due to a bug present in the current Linux kernel. [Updated: 2022-04-08]

  • In some cases, GitHub Advanced Security customers who upgrade to GitHub Enterprise Server 3.5 or later may notice that alerts from secret scanning are missing in the web UI and REST API. To ensure the alerts remain visible, do not skip 3.4 when you upgrade from an earlier release to 3.5 or later. A fix is available in the 3.5.5 and 3.6.1 patch releases.

    To plan an upgrade through 3.4, see the Upgrade assistant. [Updated: 2022-09-01]