| 1 | +date: '2021-04-01' |
| 2 | +intro: The minimum infrastructure requirements have increased for {% data variables.product.prodname_ghe_server %} 3.0+. For more information, see "[About minimum requirements for GitHub Enterprise Server 3.0 and later](/admin/enterprise-management/upgrading-github-enterprise-server#about-minimum-requirements-for-github-enterprise-server-30-and-later)." |
| 3 | +sections: |
| 4 | + security_fixes: |
| 5 | + - "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated via a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata without requiring appropriate permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in 3.0.4, 2.22.10, and 2.21.18. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22865." |
| 6 | + - Packages have been updated to the latest security versions. |
| 7 | + bugs: |
| 8 | + - When maintenance mode was enabled, some services continued to be listed as "active processes" even though they were expected to be running, and should not have been listed. |
| 9 | + - After upgrading from 2.22.x to 3.0.x with GitHub Actions enabled, the self-hosted runner version was not updated and no self-hosted updates were made. |
| 10 | + - Old GitHub Pages builds that were created from commits to a `gh-pages` branch were not cleaned up leading to increased disk usage. |
| 11 | + - '`memcached` was not running on active replicas.' |
| 12 | + - Upgrade failed when updating file permissions when GitHub Actions was enabled. |
| 13 | + - A timezone set on GitHub Enterprise 11.10.x or earlier was not being used by some services which were defaulting to UTC time. |
| 14 | + - Services were not transitioning to new log files as part of log rotation, resulting in increased disk usage. |
| 15 | + - The `ghe-saml-mapping-csv` command-line utility produced a warning message. |
| 16 | + - The label on search results for internal repositories was shown as "Private" instead of "Internal". |
| 17 | + known_issues: |
| 18 | + - On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. |
| 19 | + - Custom firewall rules are not maintained during an upgrade. |
| 20 | + - Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. |
| 21 | + - Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. |
| 22 | + - When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. |
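Review bot: The first `bugs` entry is hard to parse as written: "some services continued to be listed as "active processes" even though they were expected to be running, and should not have been listed" leaves the reader unsure whether the defect was that the services ran during maintenance mode or that they were listed. If the intended meaning is the latter, consider rewording to something like "Some services that were expected to keep running in maintenance mode were still reported as active processes, and should not have been listed." Separately, the `known_issues` entry stating that an attacker could create the first admin user on a freshly set up instance describes a security-relevant condition without pointing administrators at the initial-setup guidance; adding a link there, as the `intro` does for the minimum-requirements note, would make the entry actionable.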