Merge pull request github#27874 from github/repo-sync
Repo sync
docs-bot authored Aug 30, 2023
2 parents 62f019a + 3fa9064 commit 9cb52e1
Showing 5 changed files with 9 additions and 10 deletions.
5 changes: 3 additions & 2 deletions data/release-notes/enterprise-server/3-6/16.yml
Expand Up @@ -5,6 +5,9 @@ sections:
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
- |
Packages have been updated to the latest security versions.
- |
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and was assigned [CVE-2023-23765](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23765).
bugs:
- |
Customers who use Azure Blob store as the remote blob provider to back GitHub Packages would have validation errors if the `EndpointSuffix` part of their Connection string was anything other than `core.windows.net`. Now all valid `EndpointSuffix` are accepted.
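Review bot: the hunk header (-5,6 +5,9) counts three added lines, but only two are visible here (the `- |` item marker and the CVE-2023-23765 text), and the same entry added to 3-7/13.yml, 3-8/6.yml and 3-9/1.yml in this commit adds two lines each; check this file for a stray blank or whitespace-only line inside the new block scalar. Separately, the new entry carries no severity prefix, while the security_fixes entry in 3-7/15.yml in this same commit starts with `**LOW:**`; adding the severity at the start of this entry would keep the release notes consistent.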
Expand All @@ -22,8 +25,6 @@ sections:
On an instance that was not configured to deliver email notifications using SMTP, background jobs to deliver email were enqueued unnecessarily.
- |
Determining suggested reviewers on a pull request could time out or be very slow.
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, output from Git for a push blocked by push protection always included an `http://` link.
changes:
4 changes: 2 additions & 2 deletions data/release-notes/enterprise-server/3-7/13.yml
Expand Up @@ -5,6 +5,8 @@ sections:
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
- |
Packages have been updated to the latest security versions.
- |
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and was assigned [CVE-2023-23765](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23765).
bugs:
- |
If MinIO was configured for external blob storage on an instance with GitHub Actions enabled and MinIO was configured for bucket replication, the instance's credential validation with MinIO would occasionally fail.
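Review bot: the added-line count differs from the same entry in 3-6/16.yml (two lines here per -5,6 +5,8, three there per -5,6 +5,9) even though the text is identical; align the YAML block layout of the two files so the entry is formatted the same way everywhere. The link text `GitHub Bug Bounty Program` also differs in capitalisation from `GitHub Bug Bounty program` used in 3-7/15.yml below; pick one form for all five files.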
Expand Down Expand Up @@ -34,8 +36,6 @@ sections:
Events related to repository notifications did not appear in the audit log.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, in some cases, a committer would not receive an email notification for a secret scanning alert where push protections were bypassed.
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
- |
On an instance with a GitHub Advanced Security license, if a user filtered by a custom pattern on an organizations "Code & security analysis" page using an invalid query, the entire GitHub Advanced Security disappeared and an error reading "Sorry, something went wrong loading GitHub Advanced Security settings" appeared.
- |
2 changes: 0 additions & 2 deletions data/release-notes/enterprise-server/3-7/15.yml
Expand Up @@ -3,8 +3,6 @@ sections:
security_fixes:
- |
**LOW:** An attacker could circumvent branch protection by changing a PR base branch to an invalid ref name. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
- |
Packages have been updated to the latest security versions.
bugs:
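Review bot: this file only removes the reopened-pull-request item from security_fixes and, unlike the other four files in this commit, receives no CVE-2023-23765 entry in its place. If 3.7.15 is meant to carry the note (the item was already listed as a security fix here, beside the `**LOW:**` branch-protection entry), the new text should be added in this hunk too; if the intent is that the fix is documented only in 3.7.13, a sentence to that effect in the commit message would help future readers, since `Repo sync` does not explain the asymmetry.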
4 changes: 2 additions & 2 deletions data/release-notes/enterprise-server/3-8/6.yml
Expand Up @@ -5,6 +5,8 @@ sections:
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
- |
Packages have been updated to the latest security versions.
- |
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and was assigned [CVE-2023-23765](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23765).
bugs:
- |
If MinIO was configured for external blob storage on an instance with GitHub Actions enabled and MinIO was configured for bucket replication, the instance's credential validation with MinIO would occasionally fail.
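Review bot: the new entry repeats the 3-6/16.yml and 3-7/13.yml text verbatim, including the CVE link, so the same description now lives in four release-note files; if the docs repository supports shared fragments for release notes, a single reusable snippet would avoid four separate edits the next time the wording or the link changes. As in the other files, the entry has no severity prefix while the adjacent 3-7/15.yml security entry uses `**LOW:**`.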
Expand Down Expand Up @@ -56,8 +58,6 @@ sections:
On an instance with a GitHub Advanced Security license and secret scanning enabled, in some cases, a committer would not receive an email notification for a secret scanning alert where push protections were bypassed.
- |
On an instance with a GitHub Advanced Security license, if a user filtered by a custom pattern on an organizations "Code & security analysis" page using an invalid query, the entire GitHub Advanced Security disappeared and an error reading "Sorry, something went wrong loading GitHub Advanced Security settings" appeared.
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
- |
On an instance with a GitHub Advanced Security license and secret scanning enabled, output from Git for a push blocked by push protection always included an `http://` link.
- |
4 changes: 2 additions & 2 deletions data/release-notes/enterprise-server/3-9/1.yml
Expand Up @@ -14,9 +14,9 @@ sections:
An attacker with access to the password hash of the root site administrator user for the instance's Management Console could make requests to the password API endpoint from outside of the instance.
- |
Packages have been updated to the latest security versions.
bugs:
- |
In some cases, users could reopen a pull request that should not have been able to be reopened.
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and was assigned [CVE-2023-23765](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23765).
bugs:
- |
If MinIO was configured for external blob storage on an instance with GitHub Actions enabled and MinIO was configured for bucket replication, the instance's credential validation with MinIO would occasionally fail.
- |
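Review bot: the `bugs:` key is deleted at its old position and re-added below the new entry (-14,9 +14,9), which is the right shape, but because the rendered diff strips leading whitespace it is worth double-checking that the CVE text is indented to the same level as the preceding `Packages have been updated to the latest security versions.` block scalar; if it is indented deeper than the `- |` marker expects, the literal block would absorb the re-added `bugs:` line as scalar content and the bugs section would silently disappear from the rendered notes.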