diff --git a/data/release-notes/2-20/0.yml b/data/release-notes/2-20/0.yml new file mode 100644 index 000000000000..f98db2dac3c4 --- /dev/null +++ b/data/release-notes/2-20/0.yml 
@@ -0,0 +1,43 @@ +date: '2020-02-11' +sections: + features: + - 'On a repository branch, repository administrators can reject any push that contains a merge commit by enabling `Require linear history` using [branch protection rules](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions). {% comment %} https://github.blog/changelog/2019-12-04-expanded-branch-protection-rules/ {% endcomment %}' + - 'Repository administrators can grant all users with push access the ability to force-push to a protected branch by enabling `Allow force pushes` using [branch protection rules](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions). {% comment %} https://github.blog/changelog/2019-12-04-expanded-branch-protection-rules/, https://github.com/github/ce-oss-happiness/issues/42, https://github.com/github/github/pull/125950 {% endcomment %}' + - 'Repository administrators can grant all users with push access the ability to delete a protected branch by enabling `Allow deletions` using [branch protection rules](https://help.github.com/en/github/administering-a-repository/enabling-branch-restrictions). {% comment %} https://github.blog/changelog/2019-12-04-expanded-branch-protection-rules/ {% endcomment %}' + - 'Administrators can set a `maxobjectsize` limit on repositories, [limiting the size of push commits](https://help.github.com/en/enterprise/admin/installation/setting-git-push-limits) to a repository that are not in [Git LFS](https://help.github.com/en/enterprise/admin/installation/configuring-git-large-file-storage-on-github-enterprise-server). 
{% comment %} https://github.com/github/babeld/pull/864, https://team.githubapp.com/posts/33519, https://github.com/githubcustomers/Slack/issues/27 {% endcomment %}' + - 'Organization owners can create a set of default labels when creating a new repository.{% comment %} https://github.com/github/issues-projects/issues/237, https://github.com/github/issues-projects/issues/179 {% endcomment %}' + security_fixes: + - Packages have been updated to the latest security versions. + bugs: + - 'When a member of an organization tried to view a public repository in that organization, an SSO prompt could break the page display. {% comment %} https://github.com/github/github/issues/126677, https://github.com/github/github/pull/127501 {% endcomment %}' + - "When viewing a users' profile, the links to that users' teams could be broken. {% comment %} https://github.com/github/github/issues/131771, https://github.com/github/github/pull/131865 {% endcomment %}" + - 'Users with the `maintain` role were unable to edit repository topics. {% comment %} https://github.com/github/github/pull/129503, https://github.com/github/github/issues/119456 {% endcomment %}' + - "A user who isn't an administrator for an organization would receive a 500 error when attempting to access the sign up page. {% comment %} https://github.com/github/github/pull/129213, https://github.com/github/github/issues/129210, https://github.com/github/github/issues/129212 {% endcomment %}" + - 'The edit history popup would not display on gist comments. {% comment %} https://github.com/github/github/pull/129134, https://github.com/github/github/issues/128496 {% endcomment %}' + - 'A new account could be registered with an email that was already registered. {% comment %} https://github.com/github/github/pull/127905, https://github.com/github/github/issues/127858 {% endcomment %}' + - 'A storage service was hitting a file descriptor limit and causing kernel hanging and other services to log errors. 
{% comment %} https://github.com/github/enterprise2/pull/18775 {% endcomment %}' + - 'When an autolink reference was part of a url, the hyperlink could be removed. {% comment %} https://github.com/github/github/pull/126776 {% endcomment %}' + - 'When adding a comment to a pull request, the `Linked Issues` section from the sidebar could disappear. {% comment %} https://github.com/github/issues-projects/issues/384, https://github.com/github/github/pull/130514 {% endcomment %}' + - 'When editing an existing organization invitation for a user, a duplicate header could be appear on the `Teams` table. {% comment %} https://github.com/github/github/issues/120381, https://github.com/github/github/pull/128939 {% endcomment %}' + - 'The `resqued` service could stop logging events when the queues became too large. {% comment %} https://github.com/github/github/pull/130087, https://github.com/github/business-support/issues/2696 {% endcomment %}' + - 'Self-signed certificates are not automatically generated when running the `ghe-config-apply` command for cluster and high-availability configurations. {% comment %} https://github.com/github/enterprise2/pull/18773 {% endcomment %}' + changes: + - 'No logo will be displayed for a topic if one has not been uploaded. {% comment %} https://github.com/github/github/issues/130513, https://github.com/github/github/pull/130515 {% endcomment %}' + - 'When viewing an issue on a mobile browser, the issue metadata is listed at the top of the page. {% comment %} https://github.com/github/github/pull/127560 {% endcomment %}' + - 'Consul''s top-level domain has changed from ".consul" to ".ghe.local". {% comment %} https://github.com/github/enterprise2/pull/17443, https://github.com/github/enterprise2/issues/17701 {% endcomment %}' + - 'The hookshot service no longer relies on ElasticSearch and only uses MySQL as a database store. 
{% comment %} https://github.com/github/enterprise2/pull/18158, https://github.com/github/hookshot/pull/1128, https://github.com/github/enterprise2/pull/15898 {% endcomment %}' + - 'Improved visual distinction between issue, project and discussion has been implemented on project note cards. {% comment %} https://github.com/github/github/pull/132038 {% endcomment %}' + - 'On a pull request review, a notice is displayed if a multi-line comment is truncated. {% comment %} https://github.com/github/github/issues/125948, https://github.com/github/github/pull/128677 {% endcomment %}' + - 'Users can view their audit log on the `Security Log` tab of their personal settings page. {% comment %} https://github.com/github/github/pull/123041{% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - Duplicate webhook entries in the database can cause upgrades from previous versions to fail. (updated 2020-02-26) + - 'Upgrades and settings updates will fail if background worker configurations have been customised. 
{% comment %} https://github.com/github/enterprise2/issues/19119 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07) {% comment %} https://github.com/github/enterprise2/issues/19232 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/1.yml b/data/release-notes/2-20/1.yml new file mode 100644 index 000000000000..1443252b2ea3 --- /dev/null +++ b/data/release-notes/2-20/1.yml 
@@ -0,0 +1,20 @@ +date: '2020-02-27' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/19116, https://github.com/github/enterprise2/pull/19110, https://github.com/github/enterprise2/pull/19154, https://github.com/github/enterprise2/pull/19142 {% endcomment %}' + bugs: + - 'Restore from backups would fail with an `Invalid RDB version number` error. {% comment %} https://github.com/github/enterprise2/pull/19117, https://github.com/github/enterprise2/pull/19109 {% endcomment %}' + - 'Upgrading an HA replica would stall indefinitely waiting for MySQL to start. {% comment %} https://github.com/github/enterprise2/pull/19168, https://github.com/github/enterprise2/pull/19101 {% endcomment %}' + - 'PR review comments with unexpected values for "position" or "original_position" caused imports to fail. {% comment %} https://github.com/github/github/pull/135439, https://github.com/github/github/pull/135374 {% endcomment %}' + - 'Duplicate webhook entries in the database could cause upgrades from previous versions to fail. {% comment %} https://github.com/github/hookshot/pull/1541, https://github.com/github/hookshot/pull/1426, https://github.com/github/hookshot/pull/1540 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. 
{% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'Upgrades and settings updates will fail if background worker configurations have been customised. {% comment %} https://github.com/github/enterprise2/issues/19119 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07) {% comment %} https://github.com/github/enterprise2/issues/19232 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/10.yml b/data/release-notes/2-20/10.yml new file mode 100644 index 000000000000..0ad337942d80 --- /dev/null +++ b/data/release-notes/2-20/10.yml 
@@ -0,0 +1,20 @@ +date: '2020-06-23' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/20746, https://github.com/github/enterprise2/pull/20727 {% endcomment %}' + bugs: + - 'Excessively large log events could lead to log forwarding instability when UDP was used as the transport mechanism. {% comment %} https://github.com/github/enterprise2/pull/20457, https://github.com/github/enterprise2/pull/20445 {% endcomment %}' + - "Automatic unsuspension of a user through SSO did not complete if the SSH keys attribute had keys already associated with the user's account. {% comment %} https://github.com/github/github/pull/143474, https://github.com/github/github/pull/142927 {% endcomment %}" + - 'The repository permission hash from the REST API indicated no access for business members who have pull access to internal repositories. {% comment %} https://github.com/github/github/pull/144755, https://github.com/github/github/pull/144292 {% endcomment %}' + - 'Previewing a GitHub App description written in markdown was not properly rendered. {% comment %} https://github.com/github/github/pull/145038, https://github.com/github/github/pull/133360 {% endcomment %}' + - 'The audit log did not include branch protection changes events. {% comment %} https://github.com/github/github/pull/145995, https://github.com/github/github/pull/145014 {% endcomment %}' + - "Trying to assign code review to a member of an empty team would result in a '500 Internal Server Error'. {% comment %} https://github.com/github/github/pull/146328, https://github.com/github/github/pull/139330 {% endcomment %}" + - 'Code review assignment using the load balancing algorithm could repeatedly assign to the same team member. 
{% comment %} https://github.com/github/github/pull/146329, https://github.com/github/github/pull/136504 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/11.yml b/data/release-notes/2-20/11.yml new file mode 100644 index 000000000000..b3882140d61a --- /dev/null +++ b/data/release-notes/2-20/11.yml 
@@ -0,0 +1,18 @@ +date: '2020-07-09' +sections: + security_fixes: + - '**MEDIUM:** Updated nginx to 1.16.1 and addressed CVE-2019-20372. (updated 2020-07-22) {% comment %} https://github.com/github/enterprise2/pull/21251 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21088, https://github.com/github/enterprise2/pull/21036 {% endcomment %}' + bugs: + - 'Dependency graph was not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. {% comment %} https://github.com/github/enterprise2/pull/21260, https://github.com/github/enterprise2/pull/21102 {% endcomment %}' + - 'Certain log files did not rotate every 7 days. {% comment %} https://github.com/github/enterprise2/pull/21278, https://github.com/github/enterprise2/pull/21264 {% endcomment %}' + - 'Rapid reuse of webhook source ports resulted in rejected connections. {% comment %} https://github.com/github/enterprise2/pull/21289 {% endcomment %}' + - 'Incorrect background jobs could attempt to run on instances configured as passive replicas. {% comment %} https://github.com/github/enterprise2/pull/21318, https://github.com/github/enterprise2/pull/21212, https://github.com/github/enterprise2/issues/21167 {% endcomment %}' + - 'Internal repositories were not correctly included in search results for SAML-enabled orgs. {% comment %} https://github.com/github/github/pull/147503, https://github.com/github/github/pull/145692 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. 
{% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/12.yml b/data/release-notes/2-20/12.yml new file mode 100644 index 000000000000..3676b825d449 --- /dev/null +++ b/data/release-notes/2-20/12.yml 
@@ -0,0 +1,16 @@ +date: '2020-07-21' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21437, https://github.com/github/enterprise2/pull/21402, https://github.com/github/enterprise2/pull/21495, https://github.com/github/enterprise2/pull/21479 {% endcomment %}' + bugs: + - 'The Management Console monitor graphs would sometimes not display correctly on larger screens. {% comment %} https://github.com/github/enterprise2/pull/21397, https://github.com/github/enterprise2/pull/21381 {% endcomment %}' + - 'GitHub App Manifest creation flow was unusable in some scenarios when a SameSite Cookie policy was applied. {% comment %} https://github.com/github/github/pull/147826, https://github.com/github/github/pull/144121 {% endcomment %}' + changes: + - 'Improvements to HAProxy scaling. {% comment %} https://github.com/github/enterprise2/pull/21383 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. 
{% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/13.yml b/data/release-notes/2-20/13.yml new file mode 100644 index 000000000000..45da9341ffa1 --- /dev/null +++ b/data/release-notes/2-20/13.yml 
@@ -0,0 +1,21 @@ +date: '2020-08-11' +sections: + security_fixes: + - '**CRITICAL:** A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001. {% comment %} https://github.com/github/pages/pull/2836, https://github.com/github/pages/pull/2827 {% endcomment %}' + - '**HIGH:** An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GitHub Enterprise Server instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program. {% comment %} https://github.com/github/github/pull/151097 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21811, https://github.com/github/enterprise2/pull/21700 {% endcomment %}' + bugs: + - 'A Consul configuration error prevented some background jobs from being processed on standalone instances. 
{% comment %} https://github.com/github/enterprise2/pull/21464 {% endcomment %}' + - 'The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance. {% comment %} https://github.com/github/enterprise2/pull/21716 {% endcomment %}' + - 'The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades. {% comment %} https://github.com/github/enterprise2/pull/21730, https://github.com/github/enterprise2/pull/21669 {% endcomment %}' + - "The error message for invalid authentication with a password via Git command line didn't populate the URL linking to adding the appropriate token or SSH key. {% comment %} https://github.com/github/github/pull/149714 {% endcomment %}" + - 'GitHub Connect was using a deprecated GitHub.com API endpoint. {% comment %} https://github.com/github/github/pull/150828, https://github.com/github/github/pull/150545 {% endcomment %}' + - 'Issues could not be sorted by *Recently updated* on repositories migrated to a new instance. {% comment %} https://github.com/github/github/pull/150843, https://github.com/github/github/pull/149330 {% endcomment %}' + - 'The 404 page contained GitHub.com contact and status links in the footer. {% comment %} https://github.com/github/github/pull/151316 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. 
{% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/14.yml b/data/release-notes/2-20/14.yml new file mode 100644 index 000000000000..f50a3089c171 --- /dev/null +++ b/data/release-notes/2-20/14.yml 
@@ -0,0 +1,12 @@ +date: '2020-08-12' +sections: + bugs: + - 'Resolved an issue that could lead to high CPU usage while generating system configuration templates. {% comment %} https://github.com/github/enterprise2/pull/21784, https://github.com/github/enterprise2/pull/21741 {% endcomment %}' + - 'Recent changes to memory allocations could lead to a degradation in system performance {% comment %} https://github.com/github/enterprise2/pull/22067 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/15.yml b/data/release-notes/2-20/15.yml new file mode 100644 index 000000000000..aa3c664487d3 --- /dev/null +++ b/data/release-notes/2-20/15.yml 
@@ -0,0 +1,24 @@ +date: '2020-08-26' +sections: + security_fixes: + - >- + **CRITICAL:** A remote code execution vulnerability was identified in GitHub Pages that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. We have issued CVE-2020-10518. {% comment %} https://github.com/github/pages/pull/2883, https://github.com/github/pages/pull/2902, https://github.com/github/pages/pull/2894, https://github.com/github/pages/pull/2877, https://github.com/github/pages-gem/pull/700, + https://github.com/github/pages/pull/2890, https://github.com/github/pages/pull/2898, https://github.com/github/pages/pull/2909, https://github.com/github/pages/pull/2891, https://github.com/github/pages/pull/2884, https://github.com/github/pages/pull/2889 {% endcomment %} + - '**MEDIUM:** An improper access control vulnerability was identified that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and has been assigned [CVE-2020-10517](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10517). The vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com). 
{% comment %} https://github.com/github/github/pull/151987, https://github.com/github/github/pull/151713 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21852, https://github.com/github/enterprise2/pull/21828, https://github.com/github/enterprise2/pull/22153, https://github.com/github/enterprise2/pull/21920, https://github.com/github/enterprise2/pull/22215, https://github.com/github/enterprise2/pull/22190 {% endcomment %}' + bugs: + - 'A message was not logged when the ghe-config-apply process had finished running ghe-es-auto-expand. {% comment %} https://github.com/github/enterprise2/pull/22177, https://github.com/github/enterprise2/pull/22171 {% endcomment %}' + - 'Excessive logging to the `syslog` file could occur on high-availability replicas if the primary appliance is unavailable. {% comment %} https://github.com/github/enterprise2/pull/22267, https://github.com/github/enterprise2/pull/22124 {% endcomment %}' + - "Database re-seeding on a replica could fail with an error: `Got packet bigger than 'max_allowed_packet'` {% comment %} https://github.com/github/enterprise2/pull/22321, https://github.com/github/enterprise2/pull/20063 {% endcomment %}" + - 'In some cases duplicate user data could cause a 500 error while running the ghe-license-usage script. {% comment %} https://github.com/github/github/pull/152638 {% endcomment %}' + changes: + - 'In a high availability or geo-replication configuration, replica instances would exit maintenance mode when ghe-config-apply ran. {% comment %} https://github.com/github/enterprise2/pull/21776, https://github.com/github/enterprise2/pull/21440 {% endcomment %}' + - "We've added support for the R5a and R5n AWS instance types. 
{% comment %} https://github.com/github/enterprise2/pull/21902, https://github.com/github/enterprise2/pull/21173 {% endcomment %}" + - 'Removed the license seat count information on the administrative SSH MOTD due to a performance issue impacting GitHub Enterprise Server clusters. {% comment %} https://github.com/github/enterprise2/pull/21993, https://github.com/github/enterprise2/pull/21870 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/16.yml b/data/release-notes/2-20/16.yml new file mode 100644 index 000000000000..79609121a5f0 --- /dev/null +++ b/data/release-notes/2-20/16.yml 
@@ -0,0 +1,12 @@ +date: '2020-09-08' +sections: + bugs: + - 'A service health check caused session growth resulting in filesystem inode exhaustion. {% comment %} https://github.com/github/enterprise2/pull/22480, https://github.com/github/enterprise2/pull/22475 {% endcomment %}' + - "Upgrading using a hotpatch could fail with an error: `'libdbi1' was not found` {% comment %} https://github.com/github/enterprise2/pull/22558, https://github.com/github/enterprise2/pull/22552 {% endcomment %}" + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/17.yml b/data/release-notes/2-20/17.yml new file mode 100644 index 000000000000..e8c45cd718e7 --- /dev/null +++ b/data/release-notes/2-20/17.yml 
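Review bot: In the 2-20/16.yml hunk the item 'Upgrading using a hotpatch could fail with an error: `'libdbi1' was not found`' has no terminating period, unlike every other entry. The `known_issues` entry 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.' is repeated verbatim in each release file of this patch with no pointer to mitigation or to when it is expected to be resolved; since it is the one security-relevant known issue in the list, a link or a sentence on how administrators avoid the exposure would be more useful than the bare statement.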
@@ -0,0 +1,12 @@ +date: '2020-09-23' +sections: + security_fixes: + - '**MEDIUM**: ImageMagick has been updated to address [DSA-4715-1](https://www.debian.org/security/2020/dsa-4715). {% comment %} https://github.com/github/enterprise2/pull/22625, https://github.com/github/enterprise2/pull/22610 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/22601, https://github.com/github/enterprise2/pull/22592, https://github.com/github/enterprise2/pull/22605, https://github.com/github/enterprise2/pull/22426, https://github.com/github/enterprise2/pull/22718, https://github.com/github/enterprise2/pull/22699 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' 
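Review bot: In the 2-20/17.yml hunk the severity label is written `**MEDIUM**:` (colon outside the bold), whereas the 2-20/20.yml hunk in this same patch writes `**MEDIUM:**` and `**LOW:**` with the colon inside; pick one form for the series so the rendered notes are consistent.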
diff --git a/data/release-notes/2-20/18.yml b/data/release-notes/2-20/18.yml new file mode 100644 index 000000000000..997d71d92e7d --- /dev/null +++ b/data/release-notes/2-20/18.yml 
@@ -0,0 +1,25 @@ +date: '2020-10-09' +sections: + security_fixes: + - 'A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account. {% comment %} https://github.com/github/github/pull/156518, https://github.com/github/github/pull/155512 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/22910, https://github.com/github/enterprise2/pull/22878 {% endcomment %}' + bugs: + - 'The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent". {% comment %} https://github.com/github/enterprise2/pull/22403, https://github.com/github/enterprise2/pull/22331, https://github.com/github/enterprise2/issues/13446 {% endcomment %}' + - 'Saving settings via the [management console](https://docs.github.com/en/enterprise-server@latest/admin/configuration/accessing-the-management-console) would append a newline to the [TLS/SSL certificate and key](https://docs.github.com/en/enterprise-server@latest/admin/configuration/configuring-tls) files which triggered unnecessary reloading of some services. {% comment %} https://github.com/github/enterprise2/pull/22607, https://github.com/github/enterprise2/pull/22540 {% endcomment %}' + - 'System logs for Dependency Graph were not rotating, allowing unbounded storage growth. {% comment %} https://github.com/github/enterprise2/pull/22765, https://github.com/github/enterprise2/pull/22733 {% endcomment %}' + - 'Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of GitHub.com, directing the user to a nonexistent URL. {% comment %} https://github.com/github/github/pull/153444, https://github.com/github/github/pull/151301 {% endcomment %}' + - 'When importing a repository with `ghe-migrator`, an unexpected exception could occur when inconsistent data is present. 
{% comment %} https://github.com/github/github/pull/153848, https://github.com/github/github/pull/151552 {% endcomment %}' + - 'When using `ghe-migrator` to import PR review requests, records associated with deleted users would result in extraneous database records. {% comment %} https://github.com/github/github/pull/154958, https://github.com/github/github/pull/153169 {% endcomment %}' + - 'When importing users with `ghe-migrator`, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters. {% comment %} https://github.com/github/github/pull/155112, https://github.com/github/github/pull/152418 {% endcomment %}' + - 'Logging webhook activity could use large amounts of disk space and cause the root disk to become full. {% comment %} https://github.com/github/github/pull/155655, https://github.com/github/github/pull/154100 {% endcomment %}' + changes: + - 'Support is added for the AWS EC2 instance type `m5.16xlarge`. {% comment %} https://github.com/github/enterprise2/pull/22500, https://github.com/github/enterprise2/pull/22473 {% endcomment %}' + - 'Remove the requirement for SSH fingerprints in `ghe-migrator` archives as it can always be computed. {% comment %} https://github.com/github/github/pull/156944, https://github.com/github/github/pull/155387 {% endcomment %}' + - 'GitHub App Manifests now include the `request_oauth_on_install` field. {% comment %} https://github.com/github/github/pull/156996, https://github.com/github/github/pull/155010, https://github.com/github/ecosystem-apps/issues/1055 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. 
{% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/19.yml b/data/release-notes/2-20/19.yml new file mode 100644 index 000000000000..456374eb0d8c --- /dev/null +++ b/data/release-notes/2-20/19.yml 
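Review bot: In the 2-20/18.yml hunk the first `security_fixes` entry, 'A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account.', carries no severity label even though the other security entries in this patch are rated; an authentication issue that lets one user sign in as another should get a rating so administrators can triage it. In `changes`, 'Remove the requirement for SSH fingerprints in `ghe-migrator` archives as it can always be computed.' uses the imperative where the neighbouring entries are declarative, and 'it' should be 'they' (the fingerprints). The two `docs.github.com/en/enterprise-server@latest/...` links under `bugs` point at the latest version rather than 2.20; these notes are version-specific, so pin the links.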
@@ -0,0 +1,13 @@ +date: '2020-10-20' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/23095, https://github.com/github/enterprise2/pull/23081 {% endcomment %}' + bugs: + - 'The enterprise account "Confirm two-factor requirement policy" messaging was incorrect. {% comment %} https://github.com/github/github/pull/158737 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/2.yml b/data/release-notes/2-20/2.yml new file mode 100644 index 000000000000..767e20ab3f85 --- /dev/null +++ b/data/release-notes/2-20/2.yml 
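Review bot: In the 2-20/19.yml hunk the `bugs` entry 'The enterprise account "Confirm two-factor requirement policy" messaging was incorrect.' does not say what was wrong or what the message now states; because this dialog concerns a security policy, a sentence on what was misleading would tell administrators whether they acted on bad information.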
@@ -0,0 +1,27 @@ +date: '2020-03-10' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/19204, https://github.com/github/enterprise2/pull/19187 {% endcomment %}' + bugs: + - 'In some cases the forwarded log entries, mainly for audit.log were getting truncated. {% comment %} https://github.com/github/enterprise2/pull/19244, https://github.com/github/enterprise2/pull/19192, https://github.com/github/enterprise2/issues/16655 {% endcomment %}' + - 'The `ghe-license-check` command-line utility returned an "Invalid license file" error for some valid licenses, causing configuration changes to fail. {% comment %} https://github.com/github/enterprise2/pull/19249, https://github.com/github/enterprise2/pull/19185, https://github.zendesk.com/agent/tickets/549903 {% endcomment %}' + - 'Alambic exception logs were not forwarded by syslog. {% comment %} https://github.com/github/enterprise2/pull/19263, https://github.com/github/enterprise2/pull/19123, https://github.com/github/enterprise2/issues/18734 {% endcomment %}' + - 'The [`org_block event`](https://developer.github.com/v3/activity/events/types/#orgblockevent) is not unavailable but was appearing for GitHub Apps on GitHub Enterprise Server. {% comment %} https://github.com/github/github/pull/136227, https://github.com/github/github/pull/135640, https://github.com/github/ecosystem-apps/issues/693 {% endcomment %}' + - 'GraphQL query responses sometimes returned unmatched node identifiers for `ProtectedBranch` objects. {% comment %} https://github.com/github/github/pull/136376, https://github.com/github/github/pull/136214, https://github.com/github/github/issues/135407 {% endcomment %}' + - 'The GitHub App credential used by GitHub Connect failed to refresh immediately after expiry. 
{% comment %} https://github.com/github/github/pull/136384, https://github.com/github/github/pull/136259 {% endcomment %}' + - 'Leaving a comment in reply to a pull request comment was intermittently creating a pending pull request review. {% comment %} https://github.com/github/github/pull/136454, https://github.com/github/github/pull/133697, https://github.com/github/github/issues/127401 {% endcomment %}' + - 'Using ghe-migrator or exporting from GitHub.com, an export would silently fail to export non-image attachments. {% comment %} https://github.com/github/github/pull/136487, https://github.com/github/github/pull/134524, https://github.com/github/github/issues/134358 {% endcomment %}' + - 'Pre-receive hook returned 500 error on web UI when UTF-8 characters were encountered. {% comment %} https://github.com/github/github/pull/136699, https://github.com/github/github/pull/136014, https://github.com/github/github/issues/133501 {% endcomment %}' + changes: + - 'The ` ghe-license-usage ` command-line utility includes a new `--unencrypted` option to provide visibility into the exported license usage file. {% comment %} https://github.com/github/github/pull/136134, https://github.com/github/github/pull/136000 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. 
{% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'Upgrades and settings updates will fail if background worker configurations have been customised. {% comment %} https://github.com/github/enterprise2/issues/19119 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07) {% comment %} https://github.com/github/enterprise2/issues/19232 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/20.yml b/data/release-notes/2-20/20.yml new file mode 100644 index 000000000000..b882fd06c0a2 --- /dev/null +++ b/data/release-notes/2-20/20.yml 
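Review bot: In the 2-20/2.yml hunk, 'The [`org_block event`](...) is not unavailable but was appearing for GitHub Apps' is a double negative; it should read 'is not available', and only `org_block` belongs in the code span. The `changes` entry has stray spaces inside the backticks in '` ghe-license-usage `', which render as a code span with leading and trailing spaces; use `ghe-license-usage`. The comment on the `ghe-license-check` item includes an internal support ticket URL (`https://github.zendesk.com/agent/tickets/549903`); Liquid comments are stripped from the rendered page but remain in the repository source, so internal ticket links should be dropped before merging. Also 'mainly for audit.log were getting truncated' needs a comma after 'audit.log'.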
@@ -0,0 +1,15 @@ +date: '2020-11-03' +sections: + security_fixes: + - '**MEDIUM:** High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS). {% comment %} https://github.com/github/slumlord/pull/1003, https://github.com/github/slumlord/pull/1000 {% endcomment %}' + - "**LOW:** Incorrect token validation resulted in a reduced entropy for matching tokens during authentication. Analysis shows that in practice there's no significant security risk here. {% comment %} https://github.com/github/github/pull/159453, https://github.com/github/github/pull/159193 {% endcomment %}" + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/23538, https://github.com/github/enterprise2/pull/23171, https://github.com/github/enterprise2/pull/23691, https://github.com/github/enterprise2/pull/23677 {% endcomment %}' + bugs: + - 'Suspended users were included in the list of suggested users, potentially hiding unsuspended users. {% comment %} https://github.com/github/github/pull/159809, https://github.com/github/github/pull/140563, https://github.com/github/github/pull/142146 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. 
{% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/21.yml b/data/release-notes/2-20/21.yml new file mode 100644 index 000000000000..fe7880840dee --- /dev/null +++ b/data/release-notes/2-20/21.yml 
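Review bot: In the 2-20/20.yml hunk the **LOW** entry asserts 'Analysis shows that in practice there's no significant security risk here' without saying which token class was affected or what the reduced entropy meant in practice; either name the token type and the practical bound, or drop the reassurance and let the LOW rating stand on its own.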
@@ -0,0 +1,14 @@ +date: '2020-11-17' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/23843, https://github.com/github/enterprise2/pull/23712 {% endcomment %}' + bugs: + - 'The babeld logs were missing a separator between seconds and microseconds. {% comment %} https://github.com/github/babeld/pull/1004, https://github.com/github/babeld/pull/1002 {% endcomment %}' + - 'When the enterprise account "Repository visibility change" policy was set to "Enabled", organization owners could not change the visibility of repositories within the organization. {% comment %} https://github.com/github/github/pull/160922, https://github.com/github/github/pull/160773 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. 
{% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/22.yml b/data/release-notes/2-20/22.yml new file mode 100644 index 000000000000..083e011cb30e --- /dev/null +++ b/data/release-notes/2-20/22.yml 
@@ -0,0 +1,18 @@ +date: '2020-12-03' +sections: + bugs: + - 'Authorization service was being detected as unhealthy due to a race condition in the bootstrap which led to restart of the service. {% comment %} https://github.com/github/authzd/pull/1279 {% endcomment %}' + - 'An underlying behavior was causing a service to become unavailable during the hotpatch upgrade process. {% comment %} https://github.com/github/enterprise2/pull/24053, https://github.com/github/enterprise2/issues/23947 {% endcomment %}' + - 'A subset of log forwarding SSL certificates was not being applied correctly. {% comment %} https://github.com/github/enterprise2/pull/24112, https://github.com/github/enterprise2/pull/23981 {% endcomment %}' + - 'Email notifications sent to suspended users when they were removed from a Team or an Organization. {% comment %} https://github.com/github/github/pull/163107, https://github.com/github/github/pull/162742 {% endcomment %}' + - 'The way SSH certificates were applied between Organizations and Businesses was inconsistent. {% comment %} https://github.com/github/github/pull/163429, https://github.com/github/github/pull/159538, https://github.com/github/authentication/issues/115 {% endcomment %}' + - 'When an account was rate limited due to using incorrect passwords, it could be locked out for up to 24 hours. {% comment %} https://github.com/github/github/pull/163456, https://github.com/github/github/pull/162938, https://github.com/github/github-ds/pull/51 {% endcomment %}' + - 'Pull request synchronization on repositories with many references could cause worker queues to fall behind. {% comment %} https://github.com/github/github/pull/163576, https://github.com/github/github/pull/163142 {% endcomment %}' + - 'When signing in after attempting to visit a specific page, people were sent to the home page instead of their intended destination. 
{% comment %} https://github.com/github/github/pull/163785, https://github.com/github/github/pull/163579, https://github.com/github/github/pull/154117, https://github.com/github/ecosystem-apps/issues/1076 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-20/3.yml b/data/release-notes/2-20/3.yml new file mode 100644 index 000000000000..f2bab87d7ab1 --- /dev/null +++ b/data/release-notes/2-20/3.yml 
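Review bot: In the 2-20/22.yml hunk 'Email notifications sent to suspended users when they were removed from a Team or an Organization.' is a sentence fragment; it needs 'were' ('Email notifications were sent to suspended users ...'). 'An underlying behavior was causing a service to become unavailable during the hotpatch upgrade process.' names neither the service nor the behaviour and tells an administrator nothing; say which service was affected. The rate-limit entry 'it could be locked out for up to 24 hours' should state the corrected lockout duration so readers know what the fix changed.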
@@ -0,0 +1,14 @@ +date: '2020-03-12' +sections: + bugs: + - 'Upgrades and settings updates would fail if background worker configurations had been customised. {% comment %} https://github.com/github/enterprise2/pull/19321, https://github.com/github/enterprise2/pull/19299 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07) {% comment %} https://github.com/github/enterprise2/issues/19232 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. 
(updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/4.yml b/data/release-notes/2-20/4.yml new file mode 100644 index 000000000000..9953f234515b --- /dev/null +++ b/data/release-notes/2-20/4.yml 
@@ -0,0 +1,17 @@ +date: '2020-03-25' +sections: + bugs: + - 'SAML Authentication requests and Metadata were not strictly encoded, causing some Identity Providers to not correctly process Service Provider initiated Authentication requests. {% comment %} https://github.com/github/github/pull/137150, https://github.com/github/github/pull/136770, https://github.com/github/github/issues/136766 {% endcomment %}' + - '`ghe-migrator` exports did not contain milestone users, which could break import operations. {% comment %} https://github.com/github/github/pull/138100, https://github.com/github/github/pull/137987, https://github.com/github/github/issues/137779 {% endcomment %}' + - 'When pushing to a Gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/pull/138460, https://github.com/github/github/pull/138313 {% endcomment %}' + - '`ghe-repl-status` could fail when trying to display repositories that were not fully replicated. {% comment %} https://github.com/github/github/pull/138463, https://github.com/github/github/pull/138388 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. 
{% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07) {% comment %} https://github.com/github/enterprise2/issues/19232 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/5.yml b/data/release-notes/2-20/5.yml new file mode 100644 index 000000000000..f113bad45946 --- /dev/null +++ b/data/release-notes/2-20/5.yml 
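Review bot: In the 2-20/4.yml hunk the gist post-receive hook exception appears both as fixed under `bugs` ('When pushing to a Gist, an exception could be triggered during the post-receive hook.') and as open under `known_issues` ('When pushing to a gist, an exception could be triggered during the post-receive hook.') in the same release; one of the two is wrong, and if the fix shipped in 2.20.4 the `known_issues` line should be dropped here.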
@@ -0,0 +1,19 @@ +date: '2020-04-07' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/19536, https://github.com/github/enterprise2/pull/19494 {% endcomment %}' + bugs: + - 'A maximum Git object size of 100MB option could not be selected for a repository when the global enterprise account had a Git object size option other than 100MB set. {% comment %} https://github.com/github/github/pull/138805, https://github.com/github/github/pull/138683 {% endcomment %}' + - 'Results from the the Issues and Pull Requests API could have inconsistent behaviour when ordering by the `updated_at` field. {% comment %} https://github.com/github/github/pull/139247, https://github.com/github/github/pull/138486 {% endcomment %}' + - 'The SecurityVulnerability `package` field could not be queried via the GraphQL API. {% comment %} https://github.com/github/github/pull/139418, https://github.com/github/github/pull/138245 {% endcomment %}' + - 'Changing a repository from *public* to *internal* displayed an irrelevant billing message. {% comment %} https://github.com/github/github/pull/139531, https://github.com/github/github/pull/139492 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. 
{% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. {% comment %} https://github.com/github/enterprise2/issues/19232 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/6.yml b/data/release-notes/2-20/6.yml new file mode 100644 index 000000000000..df23cf792dfe --- /dev/null +++ b/data/release-notes/2-20/6.yml 
@@ -0,0 +1,26 @@ +date: '2020-04-23' +sections: + security_fixes: + - '**HIGH**: OpenSSL has been updated to address [CVE-2020-1967](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967). {% comment %} https://github.com/github/enterprise2/pull/19889, https://github.com/github/enterprise2/pull/19885 {% endcomment %}' + - '**HIGH**: Git has been updated to address [CVE-2020-5260](https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q) and [CVE-2020-11008](https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7). New restrictions prevent malicious repositories from being pushed to the server instance, protecting clients which have not yet been patched. {% comment %} https://github.com/github/git/pull/990 {% endcomment %}' + - '**LOW**: ImageMagick has been updated to address [CVE-2019-10131](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131). {% comment %} https://github.com/github/enterprise2/pull/19655, https://github.com/github/enterprise2/pull/19617 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/19809, https://github.com/github/enterprise2/pull/19792, https://github.com/github/enterprise2/pull/19899, https://github.com/github/enterprise2/pull/19882 {% endcomment %}' + bugs: + - 'The git user lacked permissions to invoke the processes required to convert existing repositories using Subversion, from the v4 format to v3 LRS. {% comment %} https://github.com/github/enterprise2/pull/19465, https://github.com/github/enterprise2/pull/19150 {% endcomment %}' + - 'A mismatch in MySQL configurations could cause backups to fail in large installations. 
{% comment %} https://github.com/github/enterprise2/pull/19688, https://github.com/github/enterprise2/pull/19409, https://github.com/github/enterprise2/issues/19055 {% endcomment %}' + - 'When upgrading from previous versions, background job workers would sometimes not spawn, preventing essential features such as merging pull requests. {% comment %} https://github.com/github/enterprise2/pull/19771, https://github.com/github/enterprise2/pull/19712 {% endcomment %}' + - "When a GitHub Enterprise Server license contained non-ASCII characters, a `GET` request to the Management Console's API `/setup/api/settings` endpoint would result in an Internal Server Error. {% comment %} https://github.com/github/enterprise2/pull/19790 {% endcomment %}" + - 'The recovery console would prompt for a root password, even if the root account was locked. {% comment %} https://github.com/github/enterprise2/pull/19810, https://github.com/github/enterprise2/pull/19788, https://github.com/github/enterprise2/issues/18425 {% endcomment %}' + - 'A CODEOWNERS file with a leading UTF-8 Byte Order Mark would cause all codeowner rules to be ignored. {% comment %} https://github.com/github/github/pull/140974, https://github.com/github/github/pull/140729 {% endcomment %}' + changes: + - 'When the orchestrator-client cron job failed, multiple emails would be sent to the root account. {% comment %} https://github.com/github/enterprise2/pull/19761, https://github.com/github/enterprise2/pull/19748 {% endcomment %}' + - "When an external identity provider controlled user's site administrator status, users could not be demoted via the command line utility. {% comment %} https://github.com/github/github/pull/140522, https://github.com/github/github/pull/137807, https://github.com/github/github/issues/42727 {% endcomment %}" + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. 
{% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/7.yml b/data/release-notes/2-20/7.yml new file mode 100644 index 000000000000..8a67f051c31b --- /dev/null +++ b/data/release-notes/2-20/7.yml 
@@ -0,0 +1,20 @@ +date: '2020-05-05' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/20027, https://github.com/github/enterprise2/pull/19997 {% endcomment %}' + bugs: + - '`ghe-repl-start` and `ghe-repl-status` displayed syntax errors. {% comment %} https://github.com/github/enterprise2/pull/19954, https://github.com/github/enterprise2/pull/19927 {% endcomment %}' + - 'If a repository has the "automatically delete head branches" setting enabled, the head branch wasn''t automatically deleted, when a pull request was merged by a GitHub App installation. {% comment %} https://github.com/github/github/pull/141588, https://github.com/github/github/pull/133698, https://github.com/github/github/pull/133871, https://github.com/github/github/issues/132588 {% endcomment %}' + - 'When an organization member was reinstated, the webhook payload reported the `ghost` user as the sender and not the actual user performing the reinstatement. {% comment %} https://github.com/github/github/pull/141731, https://github.com/github/github/pull/140609 {% endcomment %}' + - 'If a repository has the "automatically delete head branches" setting enabled, the head branch wasn''t automatically deleted where the head repository was different from the base repository. {% comment %} https://github.com/github/github/pull/142096, https://github.com/github/github/pull/133871 {% endcomment %}' + - 'The garbage collection of temporary files could lead to a license validation error. {% comment %} https://github.com/github/github/pull/142209, https://github.com/github/github/pull/142189 {% endcomment %}' + - 'In some situations, including when a repository is first created, the pre-receive hook would be run without a value populated for the GITHUB_REPO_PUBLIC environment variable. 
{% comment %} https://github.com/github/github/pull/139419, https://github.com/github/github/pull/136228, https://github.com/github/github/pull/134363 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/8.yml b/data/release-notes/2-20/8.yml new file mode 100644 index 000000000000..add5c2ec0986 --- /dev/null 
+++ b/data/release-notes/2-20/8.yml 
@@ -0,0 +1,19 @@ +date: '2020-05-19' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/20108, https://github.com/github/enterprise2/pull/20086 {% endcomment %}' + bugs: + - 'After the license file was updated, services were not properly reloaded causing functionality loss. {% comment %} https://github.com/github/enterprise2/pull/20072, https://github.com/github/enterprise2/pull/19989 {% endcomment %}' + - 'Internal API requests updating Dependency Graph information could fail if the response body was too large. {% comment %} https://github.com/github/enterprise2/pull/20231, https://github.com/github/enterprise2/pull/20208 {% endcomment %}' + - 'The `affiliations` argument to some GraphQL repository connections was not respected. {% comment %} https://github.com/github/github/pull/142036, https://github.com/github/github/pull/140658 {% endcomment %}' + - 'Automatic unsuspension of a user through SSO did not complete if the SAML email attribute had different casing than the GitHub user email. {% comment %} https://github.com/github/github/pull/143321, https://github.com/github/github/pull/142915 {% endcomment %}' + - 'Restoring the membership of a user to an organization did not instrument the actor in webhook and audit log payloads. {% comment %} https://github.com/github/github/pull/143231, https://github.com/github/github/pull/140849 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. 
{% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-20/9.yml b/data/release-notes/2-20/9.yml new file mode 100644 index 000000000000..9c9512e6b4fc --- /dev/null +++ b/data/release-notes/2-20/9.yml 
@@ -0,0 +1,16 @@ +date: '2020-06-02' +sections: + security_fixes: + - '**HIGH:** An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued [CVE-2020-10516](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10516) in response to this issue. The vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com). {% comment %} https://github.com/github/github/pull/144454, https://github.com/github/github/pull/143444 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/20421, https://github.com/github/enterprise2/pull/20315 {% endcomment %}' + bugs: + - 'Internet-facing GitHub Enterprise Server instances could be indexed by search engines. {% comment %} https://github.com/github/github/pull/145073, https://github.com/github/github/pull/144973 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. 
{% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30) {% comment %} https://github.com/github/dependency-graph/issues/81 {% endcomment %}' diff --git a/data/release-notes/2-21/0.yml b/data/release-notes/2-21/0.yml new file mode 100644 index 000000000000..6bb9fb5cb8ba --- /dev/null +++ b/data/release-notes/2-21/0.yml 
@@ -0,0 +1,71 @@ +date: '2020-06-09' +sections: + features: + - 'Users can [manage notifications](https://help.github.com/en/enterprise/2.21/user/github/managing-subscriptions-and-notifications-on-github/about-notifications) on issues, pull requests and other subjects when navigating from a web notification. {% comment %} https://github.com/github/enterprise-releases/issues/2135#issuecomment-633905096 {% endcomment %}' + - 'Users can [convert a pull request back to a "Draft"](https://github.blog/changelog/2020-04-08-convert-pull-request-to-draft/). {% comment %} https://github.com/github/releases/issues/800 {% endcomment %}' + - '[Multi-line suggestions](https://github.blog/changelog/2020-04-15-multi-line-code-suggestions-general-availability/) let a user suggest a specific change to multiple lines of code when reviewing a pull request. {% comment %} https://github.com/github/releases/issues/810 {% endcomment %}' + - 'Users with write access to a repository can [hide a comment in an issue or pull request as a "Duplicate" ](https://help.github.com/en/enterprise/2.21/user/github/building-a-strong-community/managing-disruptive-comments#hiding-a-comment). {% comment %}https://github.com/github/github/pull/131746 {% endcomment %}' + - 'When [creating a repository from a template](https://help.github.com/en/enterprise/2.21/user/github/creating-cloning-and-archiving-repositories/creating-a-repository-from-a-template) a user can optionally select to include all branches, rather than just the default branch. {% comment %} https://github.com/github/releases/issues/580 {% endcomment %}' + - '[Issue project cards include a linked pull requests section](https://github.blog/changelog/2020-02-04-project-issue-cards-include-linked-pull-requests/) so a user can see what development work is related to the issue directly from the project board. 
{% comment %} https://github.com/github/releases/issues/743 {% endcomment %}' + - 'There are a new set of ["Deleting reactions" endpoints](https://developer.github.com/changes/2020-02-26-new-delete-reactions-endpoints/) in the Reactions API. The existing "Delete reactions" endpoints will be deprecated in early 2021. {% comment %} https://developer.github.com/changes/2020-02-26-new-delete-reactions-endpoints/ {% endcomment %}' + - 'There are a new set of [Teams API endpoints](https://developer.github.com/changes/2020-01-21-moving-the-team-api-endpoints/) which will allow GitHub to scale and support the Teams API long-term. The existing API endpoints will be deprecated in early 2021. {% comment %} https://developer.github.com/changes/2020-01-21-moving-the-team-api-endpoints/ {% endcomment %}' + - 'Users can [create links between issues and pull requests](https://help.github.com/en/enterprise/2.21/user/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#manually-linking-a-pull-request-to-an-issue) without needing to use closing keywords in the pull request description. {% comment %} https://github.com/github/releases/issues/704 {% endcomment %}' + security_fixes: + - 'An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued [CVE-2020-10516](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10516) in response to this issue. The vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). {% comment %} https://developer.github.com/changes/2020-02-26-new-delete-reactions-endpoints/ {% endcomment %}' + bugs: + - "If a user with push access minimized another user's comment, the author of the comment could unminimize it even if they had insufficient privileges. 
{% comment %} https://github.com/github/github/pull/141237 {% endcomment %}" + - 'Users could accidentally merge to master from the issue template editor and blob editor. {% comment %} https://github.com/github/github/pull/134483, https://github.com/github/github/pull/134323 {% endcomment %}' + - 'When a user deleted an account from GitHub, the audit log records did not correctly show organization removal records. {% comment %} https://github.com/github/github/pull/140940 {% endcomment %}' + - 'The gist avatar for the current user would link to a non-existent URL. {% comment %} https://github.com/github/github/pull/140925 {% endcomment %}' + - 'The organization repositories tab count did not include internal repositories. {% comment %} https://github.com/github/github/pull/136323 {% endcomment %}' + - 'Clicking the "Show All Teams" button when transferring a repository caused a 500 error. {% comment %} https://github.com/github/github/pull/134455 {% endcomment %}' + - "Long filenames could cause overflow issues when showing the 'Changed since last view' label or the 'Show rich' diff toggle on the diff file view. {% comment %} https://github.com/github/github/pull/134453 {% endcomment %}" + - 'Hovercards for organization teams misreported their member size. {% comment %} https://github.com/github/github/pull/133879 {% endcomment %}' + - 'The pull request review comment popup window had a scrolling issue. {% comment %} https://github.com/github/github/pull/141157 {% endcomment %}' + - 'Haproxy could become saturated causing a slowdown in git operations. {% comment %} https://github.com/github/enterprise2/issues/19322 {% endcomment %}' + - 'The Dependency Graph feature was not automatically enabled after HA replica promotion. {% comment %} https://github.com/github/enterprise2/issues/18698 {% endcomment %}' + - 'A timeout could be triggered on the releases index page for repositories with thousands of draft pull requests. 
{% comment %} https://github.com/github/github/pull/131802 {% endcomment %}' + - 'It was not possible to filter pull requests by both state and draft at the same time. {% comment %} https://github.com/github/github/pull/132567 {% endcomment %}' + - 'If a pull request changed a submodule pointer, then clicking "Edit file" on that submodule file from the "Files changed" tab of the pull request page caused a 404 error. {% comment %} https://github.com/github/github/pull/132448 {% endcomment %}' + - 'It was not possible to add users to an organization, or delete the organization, following the bulk removal of all users and admins from that organization. {% comment %} https://github.com/github/github/pull/132238 {% endcomment %}' + - 'Review comments against files containing diacritics and non-Latin characters in the filename on the "Files changed" page would disappear when the page is reloaded. {% comment %} https://github.com/github/github/pull/131836 {% endcomment %}' + - 'The state of the "Viewed" checkbox was not retained for files containing diacritics and non-Latin characters in the filename on the "Files changed" page. {% comment %} https://github.com/github/github/pull/131836 {% endcomment %}' + - 'Pull requests showed the "Approved" badge when not all required reviews were in place. {% comment %} https://github.com/github/github/pull/131823 {% endcomment %}' + - 'The tag dropdown was empty when searching for a tag in repositories with more than 100 tags. {% comment %} https://github.com/github/github/pull/131914 {% endcomment %}' + - 'Pull request pages showing annotations with non UTF-8 titles could encounter encoding errors in view rendering. {% comment %} https://github.com/github/github/pull/138534 {% endcomment %}' + - 'A race condition for refresh on the OAuth page could cause a redirect to be executed twice. 
{% comment %} https://github.com/github/github/pull/131964 {% endcomment %}' + - 'The "Personal Access Tokens" page would timeout if there are more than 10 tokens. {% comment %} https://github.com/github/github/pull/132064 {% endcomment %}' + - 'Scheduled LDAP User and Team Sync jobs could be started while previously scheduled Sync jobs were still in process. A locking mechanism has been implemented to prevent new Sync jobs from starting if one is still running. {% comment %} https://github.com/github/github/pull/139205, https://github.com/github/support/issues/429, https://github.com/github/github/issues/54386, https://github.com/github/iam/issues/40 {% endcomment %}' + changes: + - 'The web notifications interface, including new [states](https://help.github.com/en/enterprise/2.21/user/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#triaging-options) , [filters](https://help.github.com/en/enterprise/2.21/user/github/managing-subscriptions-and-notifications-on-github/managing-notifications-from-your-inbox#supported-queries-for-custom-filters) and [shortcuts](https://help.github.com/en/enterprise/2.21/user/github/getting-started-with-github/keyboard-shortcuts#notifications) have been updated. {% comment %} https://github.com/github/enterprise-releases/issues/2135#issuecomment-633905096 {% endcomment %}' + - 'It is now possible to disable reactivation of LDAP users on LDAP sync. {% comment %} https://github.com/github/github/pull/139023 {% endcomment %}' + - 'The push protected branch wording has been updated to clarify that admins can always push and that users with the Maintain role can push when status checks pass. {% comment %} https://github.com/github/github/pull/141555 {% endcomment %}' + - 'Prevent blank commit when suggestion is identical to original text. 
{% comment %} https://github.com/github/github/pull/138587 {% endcomment %}' + - 'Pagination is supported as a way to get more files in the diff associated with a commit via the REST API. {% comment %} https://github.com/github/github/pull/134341 {% endcomment %}' + - 'Admins can enable, disable, delete, and search for webhooks using the webhook ID from the command line using `ghe-webhook-manage`. {% comment %} https://github.com/github/enterprise2/pull/19027 {% endcomment %}' + - 'Automatic base retargeting will happen after manual head reference cleanup for a merged pull request. {% comment %} https://github.com/github/github/pull/142133 {% endcomment %}' + - 'SVG files are handled as text and as images in the diff viewer. {% comment %} https://github.com/github/render/pull/1129 {% endcomment %}' + - 'The "auto delete branches on merge" setting can be set when creating and updating repositories using the REST API. {% comment %} https://github.com/github/github/pull/131728 {% endcomment %}' + - 'A new endpoint has been added to delete a deployment through the REST API. {% comment %} https://github.com/github/github/pull/128733 {% endcomment %}' + - 'Admins can [enable security alerts](https://help.github.com/en/enterprise/2.21/admin/installation/enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server#enabling-security-alerts-for-vulnerable-dependencies-on-github-enterprise-server) but disable all notifications from those alerts. {% comment %} https://github.com/github/releases/issues/841 {% endcomment %}' + - 'The Pages log shows the user login accessing the GitHub Pages site. {% comment %} https://github.com/github/enterprise2/pull/19905 {% endcomment %}' + - 'Enterprise members can see all of the organizations they belong to as part of their Enterprise account from one view by navigating to `https://[ghes-hostname]/enterprises/[account-name]`. 
{% comment %} https://github.com/github/releases/issues/832 {% endcomment %}' + - '[REST API support for triage and maintain roles](https://developer.github.com/changes/2020-04-07-expanding-rest-api-support-for-the-triage-and-maintain-roles/) has been expanded. {% comment %} https://github.com/github/releases/issues/748 {% endcomment %}' + - 'A user can create and share search queries that resolve to the current user by using the `@me` search syntax. {% comment %} https://github.com/github/github/pull/129624 {% endcomment %}' + - 'New issue template configuration options have been [added](https://github.blog/changelog/2019-10-28-new-issue-template-configuration-options/). {% comment %} https://github.com/github/releases/issues/660 {% endcomment %}' + - 'MySQL backup and restore reliability and time to completion has been improved. {% comment %} https://github.com/github/ghes-infrastructure/issues/162 {% endcomment %}' + - '[Improved visibility](https://github.blog/2020-02-06-get-more-information-at-a-glance-with-issue-and-pull-request-linking/) of pull requests and issue references in the issue sidebar, issue cards and issue list. {% comment %} https://github.com/github/releases/issues/704 {% endcomment %}' + - 'Users can filter and search by `linked:pr` or `linked:issue`. {% comment %} https://github.com/github/releases/issues/744 {% endcomment %}' + - 'Automatic failover of MySQL within a single region for Cluster deployments is now possible. {% comment %} https://github.com/github/ghes-infrastructure/issues/136 {% endcomment %}' + - 'A user can compare tags between two releases to determine what changes have been made on the releases page. {% comment %} https://github.com/github/github/issues/107054 {% endcomment %}' + - 'Outdated comments are no longer collapsed by default on the Pull Request timeline. They can be collapsed by resolving the thread. 
{% comment %} https://github.com/github/enterprise-web/pull/6389#issuecomment-634201583 {% endcomment %}' + - 'Admins can view a list of logins reserved for internal use by navigating to the "Reserved logins" stafftools tab. {% comment %} https://github.com/github/enterprise-web/pull/6389#issuecomment-637846206 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When pushing to a gist, an exception could be triggered during the post-receive hook. {% comment %} https://github.com/github/github/issues/129091 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23) {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' 
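Review bot: in the 2-21/0.yml hunk, the `{% comment %}` reference on the CVE-2020-10516 security fix points to `https://developer.github.com/changes/2020-02-26-new-delete-reactions-endpoints/`, which is the changelog link copied from the Reactions API feature entry above it and has nothing to do with the access control fix; replace it with the tracking references used for the same CVE in 2-20/9.yml (`https://github.com/github/github/pull/144454, https://github.com/github/github/pull/143444`). The same entry also drops the `**HIGH:**` severity label that 2-20/9.yml gives this CVE; the label should match across both release notes so readers of the 2.21 notes see the same rating. Smaller wording points in this hunk: "There are a new set of ..." (twice) should be "There is a new set of ..."; the changes entry "Prevent blank commit when suggestion is identical to original text." is the only fragment in a list of full sentences; there is a stray space before the comma in "[states](...) , [filters](...)"; and "Haproxy" should be spelled "HAProxy".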
diff --git a/data/release-notes/2-21/1.yml b/data/release-notes/2-21/1.yml new file mode 100644 index 000000000000..5f5e6f7797da --- /dev/null +++ b/data/release-notes/2-21/1.yml 
@@ -0,0 +1,19 @@ +date: '2020-06-23' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/20747, https://github.com/github/enterprise2/pull/20727 {% endcomment %}' + bugs: + - 'Excessively large log events could lead to log forwarding instability when UDP was used as the transport mechanism. {% comment %} https://github.com/github/enterprise2/pull/20458, https://github.com/github/enterprise2/pull/20445 {% endcomment %}' + - 'The internal communication service used to access MySQL could restart more often than required, including part way through the upgrade process, which could cause the upgrade to partially fail. We have reduced the rate of restarts and made the code more robust. {% comment %} https://github.com/github/enterprise2/pull/20957, https://github.com/github/enterprise2/pull/20972, https://github.com/github/github/pull/146974 {% endcomment %}' + - "Automatic unsuspension of a user through SSO did not complete if the SSH keys attribute had keys already associated with the user's account. {% comment %} https://github.com/github/github/pull/143475, https://github.com/github/github/pull/142927 {% endcomment %}" + - 'The repository permission hash from the REST API indicated no access for business members who have pull access to internal repositories. {% comment %} https://github.com/github/github/pull/144756, https://github.com/github/github/pull/144292 {% endcomment %}' + - 'The "Repository issue deletion" Enterprise account policy did not reflect the currently saved setting. {% comment %} https://github.com/github/github/pull/145218, https://github.com/github/github/pull/145067 {% endcomment %}' + - 'The audit log did not include branch protection changes events. 
{% comment %} https://github.com/github/github/pull/145998, https://github.com/github/github/pull/145014 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-21/10.yml b/data/release-notes/2-21/10.yml new file mode 100644 index 000000000000..34e055f16924 --- /dev/null +++ b/data/release-notes/2-21/10.yml 
@@ -0,0 +1,14 @@ +date: '2020-10-20' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/23096, https://github.com/github/enterprise2/pull/23081 {% endcomment %}' + bugs: + - 'The enterprise account "Confirm two-factor requirement policy" messaging was incorrect. {% comment %} https://github.com/github/github/pull/158736 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' 
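Review bot: the known_issues list in the 2-21/10.yml hunk is a verbatim copy of the seven entries carried in 2-21/1.yml and every other 2-21 patch file in this change, and each file is a standalone YAML document, so any later wording fix (such as the `(updated 2020-11-02)` marker already appended to the audit-log item) has to be applied file by file and is easy to miss; if the data loader supports it, consider sourcing the shared entries from one place, otherwise record the copy-forward rule in a comment so the lists do not drift. In the 2-21/1.yml hunk run together just above, the bugs entry `The audit log did not include branch protection changes events.` should read `branch protection change events`.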
diff --git a/data/release-notes/2-21/11.yml b/data/release-notes/2-21/11.yml new file mode 100644 index 000000000000..4948f9c59d22 --- /dev/null +++ b/data/release-notes/2-21/11.yml 
@@ -0,0 +1,17 @@ +date: '2020-11-03' +sections: + security_fixes: + - '**MEDIUM:** High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS). {% comment %} https://github.com/github/slumlord/pull/1004, https://github.com/github/slumlord/pull/1000 {% endcomment %}' + - "**LOW:** Incorrect token validation resulted in a reduced entropy for matching tokens during authentication. Analysis shows that in practice there's no significant security risk here. {% comment %} https://github.com/github/github/pull/159455, https://github.com/github/github/pull/159193 {% endcomment %}" + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/23539, https://github.com/github/enterprise2/pull/23171, https://github.com/github/enterprise2/pull/23692, https://github.com/github/enterprise2/pull/23677 {% endcomment %}' + bugs: + - 'Editing issues templates with filenames containing non-ASCII characters would fail with a "500 Internal Server Error". {% comment %} https://github.com/github/github/pull/160589, https://github.com/github/github/pull/159747 {% endcomment %}' + - 'A metric gathering method for background jobs increased CPU utilization. (updated 2020-11-03) {% comment %} https://github.com/github/github/pull/160109 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. 
{% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-21/12.yml b/data/release-notes/2-21/12.yml new file mode 100644 index 000000000000..99dfcb7f9330 --- /dev/null +++ b/data/release-notes/2-21/12.yml 
@@ -0,0 +1,15 @@ +date: '2020-11-17' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/23844, https://github.com/github/enterprise2/pull/23712 {% endcomment %}' + bugs: + - 'The babeld logs were missing a separator between seconds and microseconds. {% comment %} https://github.com/github/babeld/pull/1005, https://github.com/github/babeld/pull/1002 {% endcomment %}' + - 'When the enterprise account "Repository visibility change" policy was set to "Enabled", organization owners could not change the visibility of repositories within the organization. {% comment %} https://github.com/github/github/pull/160921, https://github.com/github/github/pull/160773 {% endcomment %}' + - 'Audit logs could be attributed to 127.0.0.1 instead of the actual source IP address. {% comment %} https://github.com/github/github/pull/162436, https://github.com/github/github/pull/161215 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. 
{% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-21/13.yml b/data/release-notes/2-21/13.yml new file mode 100644 index 000000000000..6c6b99c3ab49 --- /dev/null +++ b/data/release-notes/2-21/13.yml 
@@ -0,0 +1,18 @@ +date: '2020-12-03' +sections: + bugs: + - 'Authorization service was being detected as unhealthy due to a race condition in the bootstrap which led to restart of the service. {% comment %} https://github.com/github/authzd/pull/1278 {% endcomment %}' + - 'An underlying behavior was causing a service to become unavailable during the hotpatch upgrade process. {% comment %} https://github.com/github/enterprise2/pull/24054, https://github.com/github/enterprise2/issues/23947 {% endcomment %}' + - 'A subset of log forwarding SSL certificates was not being applied correctly. {% comment %} https://github.com/github/enterprise2/pull/24113, https://github.com/github/enterprise2/pull/23981 {% endcomment %}' + - 'Email notifications sent to suspended users when they were removed from a Team or an Organization. {% comment %} https://github.com/github/github/pull/162971, https://github.com/github/github/pull/162742 {% endcomment %}' + - 'The way SSH certificates were applied between Organizations and Businesses was inconsistent. {% comment %} https://github.com/github/github/pull/163426, https://github.com/github/github/pull/159538, https://github.com/github/authentication/issues/115 {% endcomment %}' + - 'When an account was rate limited due to using incorrect passwords, it could be locked out for up to 24 hours. {% comment %} https://github.com/github/github/pull/163436, https://github.com/github/github/pull/162938, https://github.com/github/github-ds/pull/51 {% endcomment %}' + - 'Pull request synchronization on repositories with many references could cause worker queues to fall behind. {% comment %} https://github.com/github/github/pull/163575, https://github.com/github/github/pull/163142 {% endcomment %}' + - 'When signing in after attempting to visit a specific page, people were sent to the home page instead of their intended destination. 
{% comment %} https://github.com/github/github/pull/163784, https://github.com/github/github/pull/163579, https://github.com/github/github/pull/154117, https://github.com/github/ecosystem-apps/issues/1076 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' diff --git a/data/release-notes/2-21/2.yml b/data/release-notes/2-21/2.yml new file mode 100644 index 000000000000..6a53b827e1a0 --- /dev/null +++ b/data/release-notes/2-21/2.yml 
@@ -0,0 +1,19 @@ +date: '2020-07-09' +sections: + security_fixes: + - '**MEDIUM:** Updated nginx to 1.16.1 and addressed CVE-2019-20372. (updated 2020-07-22) {% comment %} https://github.com/github/enterprise2/pull/21252 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21089, https://github.com/github/enterprise2/pull/21036 {% endcomment %}' + bugs: + - 'Certain log files did not rotate every 7 days. {% comment %} https://github.com/github/enterprise2/pull/21279, https://github.com/github/enterprise2/pull/21264 {% endcomment %}' + - 'Rapid reuse of webhook source ports resulted in rejected connections. {% comment %} https://github.com/github/enterprise2/pull/21286, https://github.com/github/enterprise2/pull/21280 {% endcomment %}' + - 'Incorrect background jobs could attempt to run on instances configured as passive replicas. {% comment %} https://github.com/github/enterprise2/pull/21317, https://github.com/github/enterprise2/pull/21212, https://github.com/github/enterprise2/issues/21167 {% endcomment %}' + - 'The VPN between nodes could become unstable causing errors to be logged and free space on the root volume to be exhausted. {% comment %} https://github.com/github/enterprise2/pull/21360, https://github.com/github/enterprise2/pull/21357 {% endcomment %}' + - 'Internal repositories were not correctly included in search results for SAML-enabled orgs. {% comment %} https://github.com/github/github/pull/147505, https://github.com/github/github/pull/145692 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. 
{% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-21/3.yml b/data/release-notes/2-21/3.yml new file mode 100644 index 000000000000..c7f17686e508 --- /dev/null +++ b/data/release-notes/2-21/3.yml 
@@ -0,0 +1,16 @@ +date: '2020-07-21' +sections: + security_fixes: + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21438, https://github.com/github/enterprise2/pull/21402, https://github.com/github/enterprise2/pull/21496, https://github.com/github/enterprise2/pull/21479 {% endcomment %}' + bugs: + - 'The Management Console monitor graphs would sometimes not display correctly on larger screens. {% comment %} https://github.com/github/enterprise2/pull/21398, https://github.com/github/enterprise2/pull/21381 {% endcomment %}' + - 'GitHub App Manifest creation flow was unusable in some scenarios when a SameSite Cookie policy was applied. {% comment %} https://github.com/github/github/pull/147829, https://github.com/github/github/pull/144121 {% endcomment %}' + - "In some circumstances, accessing the 'Explore' page would throw an application error. {% comment %} https://github.com/github/github/pull/149605, https://github.com/github/github/pull/148949 {% endcomment %}" + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. 
{% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-21/4.yml b/data/release-notes/2-21/4.yml new file mode 100644 index 000000000000..b73e682200b4 --- /dev/null +++ b/data/release-notes/2-21/4.yml 
@@ -0,0 +1,26 @@ +date: '2020-08-11' +sections: + security_fixes: + - '**CRITICAL:** A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001. {% comment %} https://github.com/github/pages/pull/2835, https://github.com/github/pages/pull/2827 {% endcomment %}' + - '**HIGH:** High: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GHES instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program. {% comment %} https://github.com/github/github/pull/150936, https://github.com/github/github/pull/150634 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21679, https://github.com/github/enterprise2/pull/21542, https://github.com/github/enterprise2/pull/21812, https://github.com/github/enterprise2/pull/21700 {% endcomment %}' + bugs: + - 'A Consul configuration error prevented some background jobs from being processed on standalone instances. 
{% comment %} https://github.com/github/enterprise2/pull/21463 {% endcomment %}' + - 'The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance. {% comment %} https://github.com/github/enterprise2/pull/21689 {% endcomment %}' + - 'The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades. {% comment %} https://github.com/github/enterprise2/pull/21731, https://github.com/github/enterprise2/pull/21669 {% endcomment %}' + - "The error message for invalid authentication with a password via Git command line didn't populate the URL linking to adding the appropriate token or SSH key. {% comment %} https://github.com/github/github/pull/149607, https://github.com/github/github/pull/149351 {% endcomment %}" + - 'Creating an issue on a user repository using the Issue Template feature could fail with an Internal Server Error. {% comment %} https://github.com/github/github/pull/150173, https://github.com/github/github/pull/149445 {% endcomment %}' + - 'Visiting the *Explore* section failed with a 500 Internal Server error. {% comment %} https://github.com/github/github/pull/150512, https://github.com/github/github/pull/150504 {% endcomment %}' + - 'Issues could not be sorted by *Recently updated* on repositories migrated to a new instance. {% comment %} https://github.com/github/github/pull/150688, https://github.com/github/github/pull/149330 {% endcomment %}' + - 'GitHub Connect was using a deprecated GitHub.com API endpoint. {% comment %} https://github.com/github/github/pull/150827, https://github.com/github/github/pull/150545 {% endcomment %}' + - 'Internal metrics gathering for background jobs contributed to CPU and memory use unnecessarily. 
{% comment %} https://github.com/github/github/pull/151182, https://github.com/github/github/pull/147695 {% endcomment %}' + - 'The 404 page contained GitHub.com contact and status links in the footer. {% comment %} https://github.com/github/github/pull/151315 {% endcomment %}' + - 'Background jobs for an unreleased feature were queued and left unprocessed. {% comment %} https://github.com/github/github/pull/151395, https://github.com/github/github/pull/146248 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' 
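Review bot: duplicated severity label in the 2-21/4.yml security_fixes entry `**HIGH:** High: An attacker could inject a malicious argument into a Git sub-command...`; drop the second `High:` so the entry matches the other labeled entries in this change. In the `**CRITICAL:**` entry above it, `execute commands as part building a GitHub Pages site` is missing a word and should read `as part of building`. The bugs entry `The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service` repeats `allocation` three times; `The service memory calculation could assign an incorrect or unbounded allocation to a service` says the same thing more cleanly.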
diff --git a/data/release-notes/2-21/5.yml b/data/release-notes/2-21/5.yml new file mode 100644 index 000000000000..21942a85b650 --- /dev/null +++ b/data/release-notes/2-21/5.yml 
@@ -0,0 +1,14 @@ +date: '2020-08-12' +sections: + bugs: + - 'Resolved an issue that could lead to high CPU usage while generating system configuration templates. {% comment %} https://github.com/github/enterprise2/pull/21786, https://github.com/github/enterprise2/pull/21741 {% endcomment %}' + - 'Recent changes to memory allocations could lead to a degradation in system performance {% comment %} https://github.com/github/enterprise2/pull/22066 {% endcomment %}' + - 'Temporary connectivity issues while running database migrations could cause data loss. {% comment %} https://github.com/github/enterprise2/pull/22128, https://github.com/github/enterprise2/pull/22100 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. 
{% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-21/6.yml b/data/release-notes/2-21/6.yml new file mode 100644 index 000000000000..8638d1d9cdc1 --- /dev/null +++ b/data/release-notes/2-21/6.yml 
@@ -0,0 +1,26 @@ +date: '2020-08-26' +sections: + security_fixes: + - >- + **CRITICAL:** A remote code execution vulnerability was identified in GitHub Pages that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. We have issued CVE-2020-10518. {% comment %} https://github.com/github/pages/pull/2882, https://github.com/github/pages/pull/2902, https://github.com/github/pages/pull/2894, https://github.com/github/pages/pull/2877, https://github.com/github/pages-gem/pull/700, + https://github.com/github/pages/pull/2889, https://github.com/github/pages/pull/2899, https://github.com/github/pages/pull/2903, https://github.com/github/pages/pull/2890, https://github.com/github/pages/pull/2891, https://github.com/github/pages/pull/2884 {% endcomment %} + - '**MEDIUM:** An improper access control vulnerability was identified that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and has been assigned [CVE-2020-10517](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10517). The vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com). 
{% comment %} https://github.com/github/github/pull/151986, https://github.com/github/github/pull/151713 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/21853, https://github.com/github/enterprise2/pull/21828, https://github.com/github/enterprise2/pull/22154, https://github.com/github/enterprise2/pull/21920, https://github.com/github/enterprise2/pull/22216, https://github.com/github/enterprise2/pull/22190 {% endcomment %}' + bugs: + - 'A message was not logged when the ghe-config-apply process had finished running ghe-es-auto-expand. {% comment %} https://github.com/github/enterprise2/pull/22178, https://github.com/github/enterprise2/pull/22171 {% endcomment %}' + - 'Excessive logging to the `syslog` file could occur on high-availability replicas if the primary appliance is unavailable. {% comment %} https://github.com/github/enterprise2/pull/22268, https://github.com/github/enterprise2/pull/22124 {% endcomment %}' + - "Database re-seeding on a replica could fail with an error: `Got packet bigger than 'max_allowed_packet'` {% comment %} https://github.com/github/enterprise2/pull/22322, https://github.com/github/enterprise2/pull/20063 {% endcomment %}" + - 'In some cases duplicate user data could cause a 500 error while running the ghe-license-usage script. {% comment %} https://github.com/github/github/pull/152637 {% endcomment %}' + - 'Using `ghe-migrator`, the `add` command would fail to lock a repository when using the `--lock` flag. {% comment %} https://github.com/github/github/pull/152780, https://github.com/github/github/pull/152588 {% endcomment %}' + changes: + - 'In a high availability or geo-replication configuration, replica instances would exit maintenance mode when ghe-config-apply ran. 
{% comment %} https://github.com/github/enterprise2/pull/21777, https://github.com/github/enterprise2/pull/21440 {% endcomment %}' + - "We've added support for the R5a and R5n AWS instance types. {% comment %} https://github.com/github/enterprise2/pull/21903, https://github.com/github/enterprise2/pull/21173 {% endcomment %}" + - 'Removed the license seat count information on the administrative SSH MOTD due to a performance issue impacting GitHub Enterprise Server clusters. {% comment %} https://github.com/github/enterprise2/pull/21994, https://github.com/github/enterprise2/pull/21870 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. 
(updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-21/7.yml b/data/release-notes/2-21/7.yml new file mode 100644 index 000000000000..7dbc04c989b3 --- /dev/null +++ b/data/release-notes/2-21/7.yml 
@@ -0,0 +1,13 @@ +date: '2020-09-08' +sections: + bugs: + - 'A service health check caused session growth resulting in filesystem inode exhaustion. {% comment %} https://github.com/github/enterprise2/pull/22481, https://github.com/github/enterprise2/pull/22475 {% endcomment %}' + - "Upgrading using a hotpatch could fail with an error: `'libdbi1' was not found` {% comment %} https://github.com/github/enterprise2/pull/22556, https://github.com/github/enterprise2/pull/22552 {% endcomment %}" + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' 
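Review bot: `A service health check caused session growth resulting in filesystem inode exhaustion.` does not say what grew (session files on disk, rows in a session store?), so an administrator reading the 2.21.7 notes cannot tell what to check on an appliance that has been running the affected build; name the store and the growth mechanism if the linked PRs describe it, e.g. `... created a new session on every check and the accumulated session files exhausted filesystem inodes`. This is also the only patch release in the PR without a `security_fixes` section; if no package updates shipped in 2.21.7 that is fine, but worth confirming the section was not dropped when the file was copied from 2-21/6.yml.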
diff --git a/data/release-notes/2-21/8.yml b/data/release-notes/2-21/8.yml new file mode 100644 index 000000000000..6e1f356472e5 --- /dev/null +++ b/data/release-notes/2-21/8.yml 
@@ -0,0 +1,15 @@ +date: '2020-09-23' +sections: + security_fixes: + - '**MEDIUM**: ImageMagick has been updated to address [DSA-4715-1](https://www.debian.org/security/2020/dsa-4715). {% comment %} https://github.com/github/enterprise2/pull/22621, https://github.com/github/enterprise2/pull/22610 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/22571, https://github.com/github/enterprise2/pull/22426, https://github.com/github/enterprise2/pull/22602, https://github.com/github/enterprise2/pull/22592, https://github.com/github/enterprise2/pull/22719, https://github.com/github/enterprise2/pull/22699 {% endcomment %}' + bugs: + - 'Admins were unable to see delivered repository webhooks and instead saw "Sorry, something went wrong and we weren''t able to fetch the deliveries for this hook". {% comment %} https://github.com/github/authzd/pull/1181, https://github.com/github/authzd/pull/980 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. 
{% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-21/9.yml b/data/release-notes/2-21/9.yml new file mode 100644 index 000000000000..af8578e3183e --- /dev/null +++ b/data/release-notes/2-21/9.yml 
@@ -0,0 +1,28 @@ +date: '2020-10-09' +sections: + security_fixes: + - 'A user whose **LDAP** directory username standardizes to an existing GHES account login could authenticate into the existing account. {% comment %} https://github.com/github/github/pull/156517, https://github.com/github/github/pull/155512 {% endcomment %}' + - 'Packages have been updated to the latest security versions. {% comment %} https://github.com/github/enterprise2/pull/22911, https://github.com/github/enterprise2/pull/22878 {% endcomment %}' + bugs: + - 'The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent". {% comment %} https://github.com/github/enterprise2/pull/22402, https://github.com/github/enterprise2/pull/22331, https://github.com/github/enterprise2/issues/13446 {% endcomment %}' + - 'Saving settings via the [management console](https://docs.github.com/en/enterprise-server@latest/admin/configuration/accessing-the-management-console) would append a newline to the [TLS/SSL certificate and key](https://docs.github.com/en/enterprise-server@latest/admin/configuration/configuring-tls) files which triggered unnecessary reloading of some services. {% comment %} https://github.com/github/enterprise2/pull/22608, https://github.com/github/enterprise2/pull/22540 {% endcomment %}' + - 'System logs for Dependency Graph were not rotating, allowing unbounded storage growth. {% comment %} https://github.com/github/enterprise2/pull/22766, https://github.com/github/enterprise2/pull/22733 {% endcomment %}' + - 'Upgrade could fail if the resqued workers override setting is in use. {% comment %} https://github.com/github/enterprise2/pull/22838, https://github.com/github/enterprise2/pull/22814 {% endcomment %}' + - 'When importing a repository with `ghe-migrator`, an unexpected exception could occur when inconsistent data is present. 
{% comment %} https://github.com/github/github/pull/153849, https://github.com/github/github/pull/151552 {% endcomment %}' + - 'Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of GitHub.com, directing the user to a nonexistent URL. {% comment %} https://github.com/github/github/pull/153853, https://github.com/github/github/pull/151301 {% endcomment %}' + - 'The enterprise account security settings page showed a "View your organizations'' current configurations" link for the "Two-factor authentication" setting when the authentication mode in use does not support built in two-factor authentication. {% comment %} https://github.com/github/github/pull/153861 {% endcomment %}' + - 'When using `ghe-migrator` to import PR review requests, records associated with deleted users would result in extraneous database records. {% comment %} https://github.com/github/github/pull/154959, https://github.com/github/github/pull/153169 {% endcomment %}' + - 'When importing users with `ghe-migrator`, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters. {% comment %} https://github.com/github/github/pull/155110, https://github.com/github/github/pull/152418 {% endcomment %}' + - 'Logging webhook activity could use large amounts of disk space and cause the root disk to become full. {% comment %} https://github.com/github/github/pull/155656, https://github.com/github/github/pull/154100 {% endcomment %}' + changes: + - 'Support is added for the AWS EC2 instance type `m5.16xlarge`. {% comment %} https://github.com/github/enterprise2/pull/22501, https://github.com/github/enterprise2/pull/22473 {% endcomment %}' + - 'Remove the requirement for SSH fingerprints in `ghe-migrator` archives as it can always be computed. 
{% comment %} https://github.com/github/github/pull/156945, https://github.com/github/github/pull/155387 {% endcomment %}' + - 'GitHub App Manifests now include the `request_oauth_on_install` field. {% comment %} https://github.com/github/github/pull/156994, https://github.com/github/github/pull/155010, https://github.com/github/ecosystem-apps/issues/1055 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. {% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' + - 'Security alerts are not reported when pushing to a repository on the command line. {% comment %} https://github.com/github/github/issues/143190 {% endcomment %}' + - 'Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02) {% comment %} https://github.com/github/enterprise2/issues/21514 {% endcomment %}' diff --git a/data/release-notes/2-22/5.yml b/data/release-notes/2-22/5.yml new file mode 100644 index 000000000000..6801ba1b04b1 --- /dev/null +++ b/data/release-notes/2-22/5.yml 
@@ -0,0 +1,21 @@ +date: '2020-12-03' +sections: + bugs: + - 'Authorization service was being detected as unhealthy due to a race condition in the bootstrap which led to restart of the service. {% comment %} https://github.com/github/authzd/pull/1275, https://github.com/github/authzd/pull/1274 {% endcomment %}' + - 'The Elasticsearch upgrade process was not getting captured by ghe-diagnostics. {% comment %} https://github.com/github/enterprise2/pull/23905, https://github.com/github/enterprise2/pull/23874 {% endcomment %}' + - 'Enabling GitHub Actions on an upgraded high availability configuration caused errors in replication. {% comment %} https://github.com/github/enterprise2/pull/23979, https://github.com/github/c2c-actions-platform/issues/2479 {% endcomment %}' + - 'An underlying behavior was causing a service to become unavailable during the hotpatch upgrade process. {% comment %} https://github.com/github/enterprise2/pull/24055 {% endcomment %}' + - 'Users connecting to an active replica would get an error connecting to the live updates websocket. {% comment %} https://github.com/github/enterprise2/pull/24079, https://github.com/github/enterprise2/pull/24058 {% endcomment %}' + - 'A subset of log forwarding SSL certificates was not being applied correctly. {% comment %} https://github.com/github/enterprise2/pull/24114, https://github.com/github/enterprise2/pull/23981 {% endcomment %}' + - 'Email notifications sent to suspended users when they were removed from a Team or an Organization. {% comment %} https://github.com/github/github/pull/162973, https://github.com/github/github/pull/162742 {% endcomment %}' + - 'The way SSH certificates were applied between Organizations and Businesses was inconsistent. 
{% comment %} https://github.com/github/github/pull/163423, https://github.com/github/github/pull/159538, https://github.com/github/authentication/issues/115 {% endcomment %}' + - 'When an account was rate limited due to using incorrect passwords, it could be locked out for up to 24 hours. {% comment %} https://github.com/github/github/pull/163433, https://github.com/github/github/pull/162938, https://github.com/github/github-ds/pull/51 {% endcomment %}' + - 'Pull request synchronization on repositories with many references could cause worker queues to fall behind. {% comment %} https://github.com/github/github/pull/163573, https://github.com/github/github/pull/163142 {% endcomment %}' + - 'When signing in after attempting to visit a specific page, people were sent to the home page instead of their intended destination. {% comment %} https://github.com/github/github/pull/163782, https://github.com/github/github/pull/163579, https://github.com/github/github/pull/154117, https://github.com/github/ecosystem-apps/issues/1076 {% endcomment %}' + - 'For GHES instances using built-in authentication with an internal SAML identity provider, users without an associated email address could not create a commit from the web interface. {% comment %} https://github.com/github/github/pull/164009, https://github.com/github/github/pull/163530, https://github.com/github/github/issues/163524 {% endcomment %}' + known_issues: + - 'On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user. {% comment %} https://github.com/github/enterprise2/issues/1889 {% endcomment %}' + - 'Custom firewall rules are not maintained during an upgrade. {% comment %} https://github.com/github/enterprise2/issues/2823 {% endcomment %}' + - 'Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository. 
{% comment %} https://github.com/github/github/issues/54684 {% endcomment %}' + - 'Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. {% comment %} https://github.com/github/github/issues/107731 {% endcomment %}' + - 'When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results. {% comment %} https://github.com/github/admin-experience/issues/571 {% endcomment %}' diff --git a/lib/path-utils.js b/lib/path-utils.js index 02e75aab1d26..1dcf9b543304 100644 --- a/lib/path-utils.js +++ b/lib/path-utils.js @@ -71,11 +71,7 @@ function getPathWithLanguage (href, languageCode) { // remove the language from the given HREF // /articles/foo -> /en/articles/foo function getPathWithoutLanguage (href) { - const newHref = href.match(patterns.hasLanguageCode) - ? '/' + href.split('/').slice(2).join('/') - : href - - return slash(newHref) + return slash(href.replace(patterns.hasLanguageCode, '/')) } function getPathWithoutVersion (href) { diff --git a/tests/routing/enterprise-release-notes.js b/tests/routing/enterprise-release-notes.js index fb05e3186962..6a8f6c26b3fc 100644 --- a/tests/routing/enterprise-release-notes.js +++ b/tests/routing/enterprise-release-notes.js 
@@ -11,11 +11,14 @@ describe('enterprise release notes', () => { }) it('redirects to the release notes on enterprise.github.com if none are present for this version here', async () => { - const res = await get('/en/enterprise-server@2.21/admin/release-notes') + const res = await get('/en/enterprise-server@2.19/admin/release-notes') expect(res.statusCode).toBe(302) - expect(res.headers.location).toBe('https://enterprise.github.com/releases/2.21.0/notes') + expect(res.headers.location).toBe('https://enterprise.github.com/releases/2.19.0/notes') }) // We can't write this test until we have real release notes - it.todo('renders the release-notes layout if this version\'s release notes are in this repo') + it('renders the release-notes layout if this version\'s release notes are in this repo', async () => { + const res = await get('/en/enterprise-server@2.22/admin/release-notes') + expect(res.statusCode).toBe(200) + }) })
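Review bot: in the 2020-08-26 hunk (the first release-note file in this section), the CRITICAL entry ends with the bare text `We have issued CVE-2020-10518.` while the MEDIUM entry directly below links `[CVE-2020-10517](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10517)`; link both the same way so readers can jump to the record. Grammar: `User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted` should be `was not sufficiently restricted`. The severity label is written `**CRITICAL:**` and `**MEDIUM:**` here but `**MEDIUM**:` in the 2020-09-23 file; pick one form so the rendered notes look the same across releases. Minor: this is the only entry in the PR written as a `>-` folded scalar, with its second `{% comment %}` line folded into the string; it works, but a single-quoted string like every other entry would be easier to diff later.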
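Review bot: in the 2020-09-23 hunk the severity is written `**MEDIUM**:` (colon outside the bold) whereas the 2020-08-26 file uses `**MEDIUM:**` and `**CRITICAL:**`; normalize to one form. The ImageMagick entry cites only `[DSA-4715-1](https://www.debian.org/security/2020/dsa-4715)`; listing the CVE identifiers that advisory covers would let readers match the fix against vulnerability-scanner findings without opening the Debian page.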
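Review bot: in the 2020-10-09 hunk, the entry `A user whose **LDAP** directory username standardizes to an existing GHES account login could authenticate into the existing account.` carries no severity label, although every other security fix in this PR is tagged `**CRITICAL**` or `**MEDIUM**`; a username-normalization collision that lets one person sign in as another account is an authentication bypass, so readers will look for the rating and for whether a CVE was assigned. Bolding only **LDAP** mid-sentence also reads oddly next to the rest of the entry. Separately, `Remove the requirement for SSH fingerprints in `ghe-migrator` archives as it can always be computed.` is in the imperative while the neighbouring `Support is added for ...` is passive, and `it` has no clear antecedent; `The SSH fingerprint is no longer required in `ghe-migrator` archives because it can always be computed.` matches the rest of the list.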
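Review bot: `Email notifications sent to suspended users when they were removed from a Team or an Organization.` in the 2020-12-03 hunk is a fragment with no main verb; `Email notifications were sent to suspended users when ...` matches the other entries, and `Authorization service was being detected as unhealthy ...` wants a leading `The`. The `known_issues` list in this file also omits `Security alerts are not reported when pushing to a repository on the command line.` and `Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address.`, which every 2.21.x file in the PR carries; if both are fixed in 2.22 that is correct, otherwise they were lost when the list was copied.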
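Review bot: `return slash(href.replace(patterns.hasLanguageCode, '/'))` in `getPathWithoutLanguage` is only equivalent to the removed `match`/`split`/`slice(2)` branch if `patterns.hasLanguageCode` is anchored at the start of the string and consumes the slash after the language code (or the end of string); with a pattern shaped like `/^\/(en|ja)/` the call turns `/en/articles/foo` into `//articles/foo`, and an unanchored or `g`-flagged pattern would strip a matching segment from the middle of a path. The pattern is not in this diff, so either add a unit test that pins the behaviour (`/en/articles/foo` -> `/articles/foo`, `/en` -> `/`, `/articles/foo` unchanged) or keep the explicit guard. The unchanged comment above the function also has its example backwards: it says `/articles/foo -> /en/articles/foo` for a function that removes the language.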
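Review bot: the new `renders the release-notes layout if this version's release notes are in this repo` test only asserts `res.statusCode` is 200, which any page at that path would satisfy; assert on something specific to the release-notes layout in the response body (for example the `2020-12-03` date from the 2-22/5.yml file added in this PR, or a heading that layout renders) so a regression to a generic page fails the test. The comment `// We can't write this test until we have real release notes` is now stale and should be removed. Moving the redirect case from 2.21 to 2.19 is right because 2.21 notes now live in the repo, but it silently assumes 2.19 never gets notes here; a one-line comment saying so would save the next person from the same surprise.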