From e0033e94e3b2300a29651ebf96077b26bf33e15d Mon Sep 17 00:00:00 2001
From: "release-controller[bot]" <110195724+release-controller[bot]@users.noreply.github.com>
Date: Mon, 23 Sep 2024 11:51:44 -0700
Subject: [PATCH 1/2] Patch release notes for GitHub Enterprise Server (#52344)
Co-authored-by: Release-Controller
Co-authored-by: felix
---
.../enterprise-server/3-10/17.yml | 72 +++++++++++++++++
.../enterprise-server/3-11/15.yml | 68 ++++++++++++++++
.../enterprise-server/3-12/9.yml | 66 ++++++++++++++++
.../enterprise-server/3-13/4.yml | 78 +++++++++++++++++++
.../enterprise-server/3-14/1.yml | 72 +++++++++++++++++
5 files changed, 356 insertions(+)
create mode 100644 data/release-notes/enterprise-server/3-10/17.yml
create mode 100644 data/release-notes/enterprise-server/3-11/15.yml
create mode 100644 data/release-notes/enterprise-server/3-12/9.yml
create mode 100644 data/release-notes/enterprise-server/3-13/4.yml
create mode 100644 data/release-notes/enterprise-server/3-14/1.yml
diff --git a/data/release-notes/enterprise-server/3-10/17.yml b/data/release-notes/enterprise-server/3-10/17.yml
new file mode 100644
index 000000000000..056014b7fb71
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-10/17.yml
@@ -0,0 +1,72 @@
+date: '2024-09-23'
+sections:
+ security_fixes:
+ - |
+ **MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ **MEDIUM:** An attacker could push a commit with changes to a workflow using a PAT or OAuth app that lacks the appropriate `workflow` scope by pushing a triple-nested tag pointing at the associated commit. GitHub has requested CVE ID [CVE-2024-8263](https://www.cve.org/cverecord?id=CVE-2024-8263) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ bugs:
+ - |
+ For instances deployed on AWS with IMDSv2 enforced, fallback to private IPs was not successful.
+ - |
+ A config apply run may not have been properly applied due to calls being made to Nomad before it was ready to accept connections. When this occurred, the `Error querying agent info: failed querying self endpoint: Get "http://127.0.0.1:4646/v1/agent/self"` error was written to the `/data/user/common/ghe-config.log` file.
+ - |
+ When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the `nomad` service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
+ - |
+ When importing using `ghe-migrator`, team URLs containing dots were imported as-is, leading to 404s when attempting to view the imported teams. Dots in imported team URLs are now escaped to dashes.
+ - |
+ On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
+ - |
+ Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
+ - |
+ Fixes and improvements for the git core module.
+ - |
+ The `CommandPalette` component no longer displays repository information on `404` pages, preventing the leakage of private repository information for users without access.
+ - |
+ Custom links to other repositories displayed incorrect breadcrumbs.
+ - |
+ When a GitHub App installation had all repositories installed individually, it was not possible to remove the repositories from the selection.
+ - |
+ After an administrator enabled maintenance mode from an instance's Management Console UI using Firefox, the administrator was redirected to the Settings page, but maintenance mode was not enabled.
+ - |
+ Some custom pattern matches were incorrectly filtered during post-scan filtering. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`. Outdated alerts caused by edits during custom pattern backfills have been fixed in version 3.13 and above.
+ changes:
+ - |
+ For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
+ known_issues:
+ - |
+ Custom firewall rules are removed during the upgrade process.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
+ - |
+ {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %}
+ - |
+ {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %}
+ - |
+ {% data reusables.release-notes.2023-08-mssql-replication-known-issue %}
+ - |
+ {% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %}
+ - |
+ {% data reusables.release-notes.2023-11-aws-system-time %}
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
+ - |
+ {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
+ - |
+ {% data reusables.release-notes.large-adoc-files-issue %}
+ - |
+ {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
+ - |
+ The `reply.[hostname]` subdomain is falsely always displaying as having no SSL and DNS record, when testing the domain settings via management console without subdomain isolation.
+ - |
+ Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+ - |
+ {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+ - |
+ When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+ - |
+ Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
diff --git a/data/release-notes/enterprise-server/3-11/15.yml b/data/release-notes/enterprise-server/3-11/15.yml
new file mode 100644
index 000000000000..1466ca937782
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-11/15.yml
@@ -0,0 +1,68 @@
+date: '2024-09-23'
+sections:
+ security_fixes:
+ - |
+ **MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ **MEDIUM:** An attacker could push a commit with changes to a workflow using a PAT or OAuth app that lacks the appropriate `workflow` scope by pushing a triple-nested tag pointing at the associated commit. GitHub has requested CVE ID [CVE-2024-8263](https://www.cve.org/cverecord?id=CVE-2024-8263) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ bugs:
+ - |
+ For instances deployed on AWS with IMDSv2 enforced, fallback to private IPs was not successful.
+ - |
+ A config apply run may not have been properly applied due to calls being made to Nomad before it was ready to accept connections. When this occurred, the `Error querying agent info: failed querying self endpoint: Get "http://127.0.0.1:4646/v1/agent/self"` error was written to the `/data/user/common/ghe-config.log` file.
+ - |
+ `ghe-storage-find` was sometimes unable to identify a data disk.
+ - |
+ After upgrading the relevant GHES version, the `resolvconf` service failed to start due to a missing directory.
+ - |
+ When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the nomad service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
+ - |
+ Placing Nomad jobs would not allow retries in cases when Nomad wasn't available yet.
+ - |
+ On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
+ - |
+ Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
+ - |
+ Fixes and improvements for the git core module.
+ - |
+ The `CommandPalette` component no longer displays repository information on `404` pages, preventing the leakage of private repository information for users without access.
+ - |
+ Custom links to other repositories displayed incorrect breadcrumbs.
+ - |
+ When a GitHub App installation had all repositories installed individually, it was not possible to remove the repositories from the selection.
+ - |
+ Some custom pattern matches were incorrectly filtered during post-scan filtering. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`. Outdated alerts caused by edits during custom pattern backfills have been fixed in version 3.13 and above.
+ changes:
+ - |
+ For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
+ known_issues:
+ - |
+ Custom firewall rules are removed during the upgrade process.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
+ - |
+ {% data reusables.release-notes.2023-11-aws-system-time %}
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
+ - |
+ {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %}
+ - |
+ {% data reusables.release-notes.large-adoc-files-issue %}
+ - |
+ {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %}
+ - |
+ Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
+ - |
+ The reply.[hostname] subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console **without subdomain isolation**.
+ - |
+ Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+ - |
+ {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+ - |
+ When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+ - |
+ Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
diff --git a/data/release-notes/enterprise-server/3-12/9.yml b/data/release-notes/enterprise-server/3-12/9.yml
new file mode 100644
index 000000000000..5dcd8e37d9e6
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-12/9.yml 
@@ -0,0 +1,66 @@
+date: '2024-09-23'
+sections:
+ security_fixes:
+ - |
+ **MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ **MEDIUM:** An attacker could push a commit with changes to a workflow using a PAT or OAuth app that lacks the appropriate `workflow` scope by pushing a triple-nested tag pointing at the associated commit. GitHub has requested CVE ID [CVE-2024-8263](https://www.cve.org/cverecord?id=CVE-2024-8263) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ bugs:
+ - |
+ For instances deployed on AWS with IMDSv2 enforced, fallback to private IPs was not successful.
+ - |
+ A config apply run may not have been properly applied due to calls being made to Nomad before it was ready to accept connections. When this occurred, the `Error querying agent info: failed querying self endpoint: Get "http://127.0.0.1:4646/v1/agent/self"` error was written to the `/data/user/common/ghe-config.log` file.
+ - |
+ `ghe-storage-find` was sometimes unable to identify a data disk.
+ - |
+ After upgrading the relevant GHES version, the `resolvconf` service failed to start due to a missing directory.
+ - |
+ When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the nomad service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
+ - |
+ Placing Nomad jobs would not allow retries in cases when Nomad wasnt available yet.
+ - |
+ On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
+ - |
+ Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
+ - |
+ After a user created a Projects Insights chart with time as the X-axis, the chart became hidden and inaccessible.
+ - |
+ The `CommandPalette` component no longer displays repository information on `404` pages, preventing the leakage of private repository information for users without access.
+ - |
+ Custom links to other repositories displayed incorrect breadcrumbs.
+ - |
+ A bug introduced in 3.12 which prevented the search input in the global navigation from displaying a dropdown of search suggestions has been fixed. The search input functionality prior to 3.12 has been restored, and users are once again able to see and submit suggested search queries, including scope suggestions.
+ - |
+ When a GitHub App installation had all repositories installed individually, it was not possible to remove the repositories from the selection.
+ - |
+ Some custom pattern matches were incorrectly filtered during post-scan filtering. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`. Outdated alerts caused by edits during custom pattern backfills have been fixed in version 3.13 and above.
+ changes:
+ - |
+ For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
+ known_issues:
+ - |
+ Custom firewall rules are removed during the upgrade process.
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning.
+ - |
+ {% data reusables.release-notes.2023-11-aws-system-time %}
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
+ - |
+ {% data reusables.release-notes.large-adoc-files-issue %}
+ - |
+ Repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions.
+ - |
+ The `reply.[hostname]` subdomain is falsely always displaying as having no ssl and dns record, when testing the domain settings via management console without subdomain isolation.
+ - |
+ Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+ - |
+ {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+ - |
+ When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+ - |
+ Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
diff --git a/data/release-notes/enterprise-server/3-13/4.yml b/data/release-notes/enterprise-server/3-13/4.yml
new file mode 100644
index 000000000000..37c95aeaa719
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-13/4.yml
@@ -0,0 +1,78 @@
+date: '2024-09-23'
+sections:
+ security_fixes:
+ - |
+ **MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ - |
+ **MEDIUM:** An attacker could push a commit with changes to a workflow using a PAT or OAuth app that lacks the appropriate `workflow` scope by pushing a triple-nested tag pointing at the associated commit. GitHub has requested CVE ID [CVE-2024-8263](https://www.cve.org/cverecord?id=CVE-2024-8263) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ bugs:
+ - |
+ For instances deployed on AWS with IMDSv2 enforced, fallback to private IPs was not successful.
+ - |
+ A config apply run may not have been properly applied due to calls being made to Nomad before it was ready to accept connections. When this occurred, the `Error querying agent info: failed querying self endpoint: Get "http://127.0.0.1:4646/v1/agent/self"` error was written to the `/data/user/common/ghe-config.log` file.
+ - |
+ `ghe-storage-find` was sometimes unable to identify a data disk.
+ - |
+ Replication could be stuck in an loop running `ghe-repl-start` because `GHE_REPL_SSH_RETRY_COUNT` was set to 60 by default for the whole scope of `ghe-repl-start` which will retry config apply (up to 60 times).
+ - |
+ After upgrading the relevant GHES version, the `resolvconf` service failed to start due to a missing directory.
+ - |
+ When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the nomad service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
+ - |
+ Some pre-receive hooks using the `faccessat2` system call, such as those using Alpine Linux as the base, failed unexpectedly.
+ - |
+ Placing Nomad jobs would not allow retries in cases when Nomad wasn't available yet.
+ - |
+ A repeated error message concerning connectivity to port 6002 was emitted to the system logs when Actions was enabled.
+ - |
+ On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
+ - |
+ Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
+ - |
+ In organizations with a large number of repositories, when an administrator used repository properties to target repositories in an organization ruleset, the ruleset index page timed out.
+ - |
+ After a user created a Projects Insights chart with time as the X-axis, the chart became hidden and inaccessible.
+ - |
+ The `CommandPalette` component no longer displays repository information on `404` pages, preventing the leakage of private repository information for users without access.
+ - |
+ A bug introduced in 3.12 which prevented the search input in the global navigation from displaying a dropdown of search suggestions has been fixed. The search input functionality prior to 3.12 has been restored, and users are once again able to see and submit suggested search queries, including scope suggestions.
+ - |
+ Custom links to other repositories displayed incorrect breadcrumbs.
+ - |
+ Some custom pattern matches were incorrectly filtered during post-scan filtering and outdated alerts were sometimes published. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?`.
+ - |
+ On an instance with secret scanning enabled, a banner indicated that secret scanning was running on pull request comments and discussions. This feature is not available in this version of GitHub Enterprise Server.
+ - |
+ Memory utilization would sometimes exceed levels comparable to GitHub Enterprise Server 3.12.
+ - |
+ Some custom pattern matches were incorrectly filtered during post-scan filtering and outdated alerts were sometimes published. You may want to edit and republish your custom patterns. You can manually republish custom patterns with the following command: `ghe-secret-scanning jobs queue custom-patterns republish --custom-pattern-id=?.`
+ changes:
+ - |
+ For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
+ known_issues:
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
+ - |
+ Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
+ - |
+ For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node.
+ - |
+ When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+ - |
+ Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+ - |
+ {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+ - |
+ When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+ - |
+ When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+ - |
+ Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
+ - |
+ Instance setup in AWS with IMDSv2 enforced fails if no public IP is present.
+ - |
+ For customers using Secret Scanning, internal jobs were created and not worked that could contribute to performance issues.
diff --git a/data/release-notes/enterprise-server/3-14/1.yml b/data/release-notes/enterprise-server/3-14/1.yml
new file mode 100644
index 000000000000..36a7ac924875
--- /dev/null
+++ b/data/release-notes/enterprise-server/3-14/1.yml 
@@ -0,0 +1,72 @@
+date: '2024-09-23'
+sections:
+ security_fixes:
+ - |
+ **MEDIUM:** An attacker could steal sensitive information by exploiting a Cross-Site Scripting vulnerability in the repository transfer feature. This exploitation would require social engineering. GitHub has requested CVE ID [CVE-2024-8770](https://www.cve.org/cverecord?id=CVE-2024-8770) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
+ bugs:
+ - |
+ On an instance with GitHub Actions enabled, due to an insufficient wait time, MS SQL and MySQL replication could fail with the error message `Failed to start nomad service!`.
+ - |
+ `ghe-storage-find` was sometimes unable to identify a data disk.
+ - |
+ After upgrading the relevant GHES version, the `resolvconf` service failed to start due to a missing directory.
+ - |
+ Some pre-receive hooks using the `faccessat2` system call, such as those using Alpine Linux as the base, failed unexpectedly.
+ - |
+ When configuring a high availability replica and during the database seeding of a MySQL replica node, restarting the nomad service could time out. Consequently, when MySQL replication attempted to start an error was reported, and setting up replication failed.
+ - |
+ On an instance in a cluster configuration, the `ghe-cluster-status` command returned an error if a soft-deleted repository had a checksum mismatch.
+ - |
+ Fixes and improvements for the git core module.
+ - |
+ Some repositories could miss spokes information after restoring in a clustering topology due to unrescued exceptions.
+ - |
+ In organizations with a large number of repositories, when an administrator used repository properties to target repositories in an organization ruleset, the ruleset index page timed out.
+ - |
+ After a user created a Projects Insights chart with time as the X-axis, the chart became hidden and inaccessible.
+ - |
+ Fixes a known issue where some links to GitHub Docs from GitHub Enterprise Server may lead to a “Page not found.” Previously, the links incorrectly added `enterprise-cloud@latest` to the URL.
+ - |
+ A bug introduced in 3.12 which prevented the search input in the global navigation from displaying a dropdown of search suggestions has been fixed. The search input functionality prior to 3.12 has been restored, and users are once again able to see and submit suggested search queries, including scope suggestions.
+ - |
+ Custom links to other repositories displayed incorrect breadcrumbs.
+ - |
+ The Secret Scanning Push Protection custom resource link set at the Enterprise level was not being displayed to users being blocked when pushing secrets to a repository using git through the command line interface.
+ changes:
+ - |
+ For instances deployed on Amazon Web Services (AWS), site administrators can configure regional AWS STS endpoints for OIDC from the Management Console.
+ - |
+ Site administrators can now configure the instance with NUMA optimizations.
+ known_issues:
+ - |
+ During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
+ - |
+ If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)."
+ - |
+ On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as `127.0.0.1`.
+ - |
+ {% data reusables.release-notes.large-adoc-files-issue %}
+ - |
+ Repositories originally imported using ghe-migrator will not correctly track Advanced Security contributions.
+ - |
+ Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised.
+ - |
+ When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+ - |
+ Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps.
+ - |
+ {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %}
+ - |
+ When restoring data originally backed up from a 3.13 appliance onto a 3.13 appliance, the elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`.
+ - |
+ An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning.
+ - |
+ When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed.
+ - |
+ In the header bar displayed to site administrators, some icons are not available.
+ - |
+ When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded.
+ - |
+ When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed.
+ - |
+ Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run.
From a55e4f752abd936f85921f35c487fb95ec7223a9 Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Mon, 23 Sep 2024 16:21:12 -0400
Subject: [PATCH 2/2] Sync secret scanning data (#52393)
---
src/secret-scanning/data/public-docs.yml | 15 ++-------------
src/secret-scanning/lib/config.json | 4 ++--
2 files changed, 4 insertions(+), 15 deletions(-)
diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml
index 4e182e6c04d4..ab38c500b04b 100644
--- a/src/secret-scanning/data/public-docs.yml
+++ b/src/secret-scanning/data/public-docs.yml
@@ -338,17 +338,6 @@ hasPushProtection: true hasValidityCheck: false isduplicate: false -- provider: Azure - supportedSecret: Unclassified Azure Common Annotated Security Key - secretType: azure_common_annotated_security_key - versions: - fpt: '*' - ghec: '*' - isPublic: true - isPrivateWithGhas: false - hasPushProtection: false - hasValidityCheck: false - isduplicate: false - provider: Azure supportedSecret: Azure Communication Services Connection String secretType: azure_communication_services_connection_string @@ -2993,8 +2982,8 @@ hasValidityCheck: false isduplicate: false - provider: Siemens - supportedSecret: Siemens Code Access Token - secretType: siemens_code_access_token + supportedSecret: Siemens Code Token + secretType: siemens_code_token versions: fpt: '*' ghec: '*' diff --git a/src/secret-scanning/lib/config.json b/src/secret-scanning/lib/config.json index 71d5280a661d..07656cae2d8a 100644 --- a/src/secret-scanning/lib/config.json +++ b/src/secret-scanning/lib/config.json @@ -1,5 +1,5 @@ { - "sha": "c981b0cef4c81074d3009a3850819804aa6f5b37", - "blob-sha": "efdb221a75553fb09b3bff43027cc4b64a63832c", + "sha": "e7e694827d5b0076e65765c704bd594485eee15b", + "blob-sha": "612e8fb3ccba3b0278376fc88e2b9e10e486714e", "targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns" } \ No newline at end of file