Repo sync #26885

Merged
merged 2 commits into from
Jul 18, 2023
56 changes: 56 additions & 0 deletions data/release-notes/enterprise-server/3-6/16.yml
@@ -0,0 +1,56 @@
date: '2023-07-18'
sections:
security_fixes:
- |
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
- |
Packages have been updated to the latest security versions.
bugs:
- |
Customers who use Azure Blob store as the remote blob provider to back GitHub Packages would have validation errors if the `EndpointSuffix` part of their Connection string was anything other than `core.windows.net`. Now all valid `EndpointSuffix` are accepted.
- |
After creation of a blob object from the web UI, pre-receive hook events were missing from the instance's audit log.
- |
On an instance with an outbound web proxy server configured, the proxy interfered with internal operations that used `nomad alloc exec`.
- |
On an instance in a cluster configuration, the `ghe-cluster-balance` behaved inconsistently when displaying status or managing jobs with more than one task group.
- |
On an instance configured for LDAP authentication, if the LDAP server sent an empty string for the `sshPublicKey` attribute, LDAP user sync would fail.
- |
On an instance with Dependabot enabled, in some situations, Dependabot alerts were not updated when a user pushed to a repository.
- |
On an instance that was not configured to deliver email notifications using SMTP, background jobs to deliver email were enqueued unnecessarily.
- |
Determining suggested reviewers on a pull request could time out or be very slow.
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, output from Git for a push blocked by push protection always included an `http://` link.
changes:
- |
On an instance in a cluster configuration, the `ghe-cluster-config-check` command-line utility will return an affirmative message when no warnings or errors are detected. The affirmative message is "Configuration validation complete. No errors found."
- |
On an instance with 170 or fewer vCPUs, the default for `app.babeld.threads-max` is 512 instead of 3 times the number of vCPUs. The monitor dashboard also includes metrics within the "Babeld threads" section.
- |
The Management Console displays a warning about unexpected consequences that may result from modification of the instance's hostname after initial configuration.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- |
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- |
{% data reusables.release-notes.babeld-max-threads-performance-issue %}
- |
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- |
Custom patterns for secret scanning have `.*` as an end delimiter, specifically in the "After secret" field. This delimiter causes inconsistencies in scans for secrets across repositories, and you may notice gaps in a repository's history where no scans completed. Incremental scans may also be impacted. To prevent issues with scans, modify the end of the pattern to remove the `.*` delimiter.
- |
{% data reusables.release-notes.repository-inconsistencies-errors %}
- |
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
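Review bot: the security_fixes entry that opens this hunk ("An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.") states the precondition and the exposed surface but neither the impact nor the fix: a reader cannot tell what those requests could achieve with the hash (for example, whether the hash alone was accepted as a credential) or what changed (for example, whether the endpoint is now reachable only from the instance). Consider stating both, plus the CVE identifier or severity if one was assigned, so administrators can prioritise the upgrade; the identical wording is reused in the 3.7.13 and 3.8.6 files below. Two smaller wording points in the bugs list: "all valid `EndpointSuffix` are accepted" needs a noun ("`EndpointSuffix` values") and "Connection string" should be lowercase, and "the `ghe-cluster-balance` behaved inconsistently" is missing "command-line utility" after the name, which is the house style the `ghe-cluster-config-check` entry under changes already follows.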
78 changes: 78 additions & 0 deletions data/release-notes/enterprise-server/3-7/13.yml
@@ -0,0 +1,78 @@
date: '2023-07-18'
sections:
security_fixes:
- |
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
- |
Packages have been updated to the latest security versions.
bugs:
- |
If MinIO was configured for external blob storage on an instance with GitHub Actions enabled and MinIO was configured for bucket replication, the instance's credential validation with MinIO would occasionally fail.
- |
Customers who use Azure Blob store as the remote blob provider to back GitHub Packages would have validation errors if the `EndpointSuffix` part of their Connection string was anything other than `core.windows.net`. Now all valid `EndpointSuffix` are accepted.
- |
After creation of a blob object from the web UI, pre-receive hook events were missing from the instance's audit log.
- |
On an instance with custom firewall rules defined, a configuration run with `ghe-config-apply` could take longer than expected.
- |
On an instance with an outbound web proxy server configured, the proxy interfered with internal operations that used `nomad alloc exec`.
- |
On an instance in a cluster configuration, the `ghe-cluster-balance` behaved inconsistently when displaying status or managing jobs with more than one task group.
- |
On an instance configured for LDAP authentication, if the LDAP server sent an empty string for the `sshPublicKey` attribute, LDAP user sync would fail.
- |
When an administrator updated an instance's TLS certificate via the API as a query parameter instead of in the request body, the certificate and key appeared in `unicorn.log`.
- |
On an instance with Dependabot enabled, in some situations, Dependabot alerts were not updated when a user pushed to a repository.
- |
Determining suggested reviewers on a pull request could time out or be very slow.
- |
After a migration using GitHub Enterprise Importer, some repository autolink references were created with an incorrect format.
- |
On an instance that was not configured to deliver email notifications using SMTP, background jobs to deliver email were enqueued unnecessarily.
- |
Events related to repository notifications did not appear in the audit log.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, in some cases, a committer would not receive an email notification for a secret scanning alert where push protections were bypassed.
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
- |
On an instance with a GitHub Advanced Security license, if a user filtered by a custom pattern on an organizations "Code & security analysis" page using an invalid query, the entire GitHub Advanced Security disappeared and an error reading "Sorry, something went wrong loading GitHub Advanced Security settings" appeared.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, output from Git for a push blocked by push protection always included an `http://` link.
- |
The audit log reported the incorrect target repository for pre-receive hook failures.
- |
On an instance in a high availability configuration, existing nodes with out-of-sync repositories prevented new nodes from replicating those repositories.
- |
On an instance with multiple nodes, when using the `spokesctl` command-line utility to manage repositories with replicas that failed to fully create, the utility would spuriously attempt to repair healthy replicas.
changes:
- |
On an instance in a cluster configuration, the `ghe-cluster-config-check` command-line utility will return an affirmative message when no warnings or errors are detected. The affirmative message is "Configuration validation complete. No errors found."
- |
During initialization of a cluster configuration, output from the `ghe-cluster-config-init` command-line utility is improved and simplified.
- |
On an instance with 170 or fewer vCPUs, the default for `app.babeld.threads-max` is 512 instead of 3 times the number of vCPUs. The monitor dashboard also includes metrics within the "Babeld threads" section.
- |
The Management Console displays a warning about unexpected consequences that may result from modification of the instance's hostname after initial configuration.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- |
{% data reusables.release-notes.babeld-max-threads-performance-issue %}
- |
In a repository's settings, enabling the option to allow users with read access to create discussions does not enable this functionality.
- |
{% data reusables.release-notes.repository-inconsistencies-errors %}
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
- |
{% data reusables.release-notes.enterprise-backup-utils-encryption-keys %}
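Review bot: the bugs entry "When an administrator updated an instance's TLS certificate via the API as a query parameter instead of in the request body, the certificate and key appeared in `unicorn.log`." describes private key material being written to a log file, which is a secrets-exposure issue rather than an ordinary bug. Consider listing it under security_fixes, and adding a sentence telling administrators that earlier `unicorn.log` entries (and any copies shipped by log forwarding) may still contain the key, so rotating the certificate is advisable if the query-parameter form was ever used. Also, in the custom-pattern filter entry, "organizations" should be "organization's", and "the entire GitHub Advanced Security disappeared" is missing its noun; given the error text quoted in the same sentence, "the entire GitHub Advanced Security settings section disappeared" is presumably what was meant.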
98 changes: 98 additions & 0 deletions data/release-notes/enterprise-server/3-8/6.yml
@@ -0,0 +1,98 @@
date: '2023-07-18'
sections:
security_fixes:
- |
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
- |
Packages have been updated to the latest security versions.
bugs:
- |
If MinIO was configured for external blob storage on an instance with GitHub Actions enabled and MinIO was configured for bucket replication, the instance's credential validation with MinIO would occasionally fail.
- |
Customers who use Azure Blob store as the remote blob provider to back GitHub Packages would have validation errors if the `EndpointSuffix` part of their Connection string was anything other than `core.windows.net`. Now all valid `EndpointSuffix` are accepted.
- |
When a user viewed a Jupyter notebook, GitHub Enterprise Server returned a `500` error code if the instance was configured with a self-signed TLS certificate.
- |
After creation of a blob object from the web UI, pre-receive hook events were missing from the instance's audit log.
- |
On an instance in a high availability configuration, on some platforms, replication could perform poorly over links with very high latency.
- |
On an instance with custom firewall rules defined, a configuration run with `ghe-config-apply` could take longer than expected.
- |
On an instance with an outbound web proxy server configured, the proxy interfered with internal operations that used `nomad alloc exec`.
- |
On an instance in a cluster configuration, the `ghe-cluster-balance` behaved inconsistently when displaying status or managing jobs with more than one task group.
- |
On an instance configured for LDAP authentication, if the LDAP server sent an empty string for the `sshPublicKey` attribute, LDAP user sync would fail.
- |
When an administrator updated an instance's TLS certificate via the API as a query parameter instead of in the request body, the certificate and key appeared in `unicorn.log`.
- |
Jobs that performed daily clean-up tasks failed to run, so old data was not removed from the MySQL database.
- |
After creation of a new Management Console user, the Management Console did not display the button to copy the new users invitation.
- |
`ghe-service-list` erroneously reported errors because the utility looked for systemd services that have been migrated to Nomad.
- |
On an instance in a high availability configuration, when adding a new node, connection checks between existing nodes would fail.
- |
On an instance with Dependabot enabled, in some situations, Dependabot alerts were not updated when a user pushed to a repository.
- |
In rare circumstances, Git commits signed with SSH keys using the RSA algorithm would incorrectly indicate the signature was invalid.
- |
After a migration using GitHub Enterprise Importer, some repository autolink references were created with an incorrect format.
- |
In some cases on an instance without a GitHub Advanced Security license, Redis exceeded the maximum default memory allocation, causing `500` errors for the instance's users.
- |
On an instance with many organizations, the enterprise security overview page returned a `500` error.
- |
On an instance that was not configured to deliver email notifications using SMTP, background jobs to deliver email were enqueued unnecessarily.
- |
Users were unable to configure a SSH certificate authority for an organization.
- |
An erroneous "Blocked Copilot Repositories" link was visible in site admin pages for organizations.
- |
Events related to repository notifications did not appear in the audit log.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, in some cases, a committer would not receive an email notification for a secret scanning alert where push protections were bypassed.
- |
On an instance with a GitHub Advanced Security license, if a user filtered by a custom pattern on an organizations "Code & security analysis" page using an invalid query, the entire GitHub Advanced Security disappeared and an error reading "Sorry, something went wrong loading GitHub Advanced Security settings" appeared.
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, output from Git for a push blocked by push protection always included an `http://` link.
- |
Querying the audit log for `hashed_token` returned no results.
- |
The audit log reported the incorrect target repository for pre-receive hook failures.
- |
Links to wiki pages in Markdown headers did not point to the correct path, resulting in a `404 Not Found` error.
- |
GitHub Actions will now properly execute after restoring a deleted repository.
- |
On an instance with multiple nodes, when using the `spokesctl` command-line utility to manage repositories with replicas that failed to fully create, the utility would spuriously attempt to repair healthy replicas.
changes:
- |
On an instance in a cluster configuration, the `ghe-cluster-config-check` command-line utility will return an affirmative message when no warnings or errors are detected. The affirmative message is "Configuration validation complete. No errors found."
- |
During initialization of a cluster configuration, output from the `ghe-cluster-config-init` command-line utility is improved and simplified.
- |
The Management Console displays a warning about unexpected consequences that may result from modification of the instance's hostname after initial configuration.
known_issues:
- |
Custom firewall rules are removed during the upgrade process.
- |
The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.
- |
During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.
- |
If the root site administrator is locked out of the Management Console after failed login attempts, the account will not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[Troubleshooting access to the Management Console](https://docs.github.com/en/enterprise-server@3.8/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." [Updated: 2023-02-23]
- |
On an instance in a high-availability configuration, passive replica nodes accept Git client requests and forward the requests to the primary node.
- |
If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail.
- |
When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`.
- |
On an instance with subdomain isolation disabled, Mermaid diagrams in the web UI display an "Unable to render rich display" error and fail to render.
- |
{% data reusables.release-notes.enterprise-backup-utils-encryption-keys %}
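Review bot: "GitHub Actions will now properly execute after restoring a deleted repository." is written as a change announcement rather than as the past-tense bug description every other entry in this bugs section uses; restate it in the same form (workflows did not run after a deleted repository was restored) so the list reads consistently. The `unicorn.log` certificate-and-key entry also appears in this file and, since it describes private key material written to a log, would sit better under security_fixes with a note about rotating the affected certificate. Minor grammar: "new users invitation" should be "new user's invitation", "a SSH certificate authority" should be "an SSH certificate authority", and the custom-pattern filter entry carries the same "organizations" typo and missing noun after "the entire GitHub Advanced Security" as the 3.7.13 file.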