Merge pull request #23086 from github/repo-sync

repo sync

Author: Octomerger

data/release-notes/enterprise-server/3-3/16.yml

@@ -4,12 +4,13 @@ sections:
     - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
     - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
     - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
-    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com). 
+    - |
+      **MEDIUM**: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify GitHub Actions workflow files without a workflow scope. The "[Create or Update file contents API](/rest/repos/contents#create-or-update-file-contents)" should enforce workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com) and has been assigned [CVE-2022-46258](https://www.cve.org/CVERecord?id=CVE-2022-46258).
   bugs:
-    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
-    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users. 
-    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
-    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades.
+    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook.
+    - Zombie processes no longer accumulate in the `gitrpcd` container.
   known_issues:
     - After upgrading to {% data variables.product.prodname_ghe_server %} 3.3, {% data variables.product.prodname_actions %} may fail to start automatically. To resolve this issue, connect to the appliance via SSH and run the `ghe-actions-start` command.
     - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.

data/release-notes/enterprise-server/3-3/17.yml

@@ -4,7 +4,7 @@ sections:
     - |
       **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
     - |
-      **HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741).  bugs:
+      **HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741).
   bugs:
     - Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value. 
     - When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.

data/release-notes/enterprise-server/3-4/11.yml

@@ -3,17 +3,18 @@ sections:
   security_fixes:
     - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
     - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
-    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)." 
-    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com). 
+    - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
+    - |
+      **MEDIUM**: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify GitHub Actions workflow files without a workflow scope. The "[Create or Update file contents API](/rest/repos/contents#create-or-update-file-contents)" should enforce workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com) and has been assigned [CVE-2022-46258](https://www.cve.org/CVERecord?id=CVE-2022-46258).
   bugs:
-    - If GitHub Actions was configured with S3 blob storage for the instance, content like logs and artifacts from deleted or expired workflow runs would remain in blob storage indefinitely. The instance will delete this content automatically the next time a regular background cleanup job runs. 
-    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
-    - GitHub Pages builds could time out on instances in AWS that are configured for high availability. 
-    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users. 
-    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
-    - In some cases, users could not merge a pull request due to unexpected status checks. 
-    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up. 
-    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+    - If GitHub Actions was configured with S3 blob storage for the instance, content like logs and artifacts from deleted or expired workflow runs would remain in blob storage indefinitely. The instance will delete this content automatically the next time a regular background cleanup job runs.
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades.
+    - GitHub Pages builds could time out on instances in AWS that are configured for high availability.
+    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook.
+    - In some cases, users could not merge a pull request due to unexpected status checks.
+    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
+    - Zombie processes no longer accumulate in the `gitrpcd` container.
   known_issues:
     - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
     - Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-4/12.yml

@@ -4,7 +4,7 @@ sections:
     - |
       **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
     - |
-      **HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741).  bugs:
+      **HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741).
   bugs:
     - When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes. 
     - Installation of GitHub Enterprise Server on the VMware ESXi hypervisor failed due to the generation of an OVA file with an invalid capacity value. 

data/release-notes/enterprise-server/3-5/8.yml

@@ -4,18 +4,19 @@ sections:
     - "**MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209)."
     - "**MEDIUM**: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/)."
     - "**MEDIUM**: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instances web UI. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com)."
-    - The [Create or update file contents API](/rest/repos/contents#create-or-update-file-contents) correctly enforces workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com).
+    - |
+      **MEDIUM**: An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify GitHub Actions workflow files without a workflow scope. The "[Create or Update file contents API](/rest/repos/contents#create-or-update-file-contents)" should enforce workflow scope. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com) and has been assigned [CVE-2022-46258](https://www.cve.org/CVERecord?id=CVE-2022-46258).
   bugs:
-    - Setting the maintenance mode with an IP Exception List would not persist across upgrades. 
-    - GitHub Pages builds could time out on instances in AWS that are configured for high availability. 
-    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users. 
-    - The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert. 
-    - When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors. 
-    - If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces. 
-    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook. 
-    - When an enterprise owner impersonated a user and tried to install a GitHub App, the button to confirm the installation was disabled and could not be clicked. 
-    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up. 
-    - Zombie processes no longer accumulate in the `gitrpcd` container. 
+    - Setting the maintenance mode with an IP Exception List would not persist across upgrades.
+    - GitHub Pages builds could time out on instances in AWS that are configured for high availability.
+    - After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
+    - The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
+    - When accessing an instances JavaScript resources from behind a proxy, the browser displayed Cross-Origin Resource Sharing (CORS) errors.
+    - If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
+    - If a user configured a pre-receive hook for multiple repositories, the instances **Hooks** page would not always display the correct status for the hook.
+    - When an enterprise owner impersonated a user and tried to install a GitHub App, the button to confirm the installation was disabled and could not be clicked.
+    - After running migrations for the GitHub Enterprise Importer on an instance configured for high availability, replication of migration storage assets would not catch up.
+    - Zombie processes no longer accumulate in the `gitrpcd` container.
   known_issues:
     - On a freshly set up {% data variables.product.prodname_ghe_server %} instance without any users, an attacker could create the first admin user.
     - Custom firewall rules are removed during the upgrade process.

data/release-notes/enterprise-server/3-5/9.yml

@@ -4,7 +4,7 @@ sections:
     - |
       **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2022-46256](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46256).
     - |
-      **HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741).  bugs:
+      **HIGH**: An incorrect authorization vulnerability allowed a scoped user-to-server token to escalate to full admin access for a repository. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.0. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23741](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23741).
   bugs:
     - If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable. 
     - When a site administrator ran the `ghe-repl-sync-ca-certificates` command from an instances primary node via the administrative shell (SSH), the command only replicated CA certificates from the instances primary node to a single replica node. The command did not replicate the certificates to all available replica nodes.