diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-analyze.md b/content/code-security/codeql-cli/codeql-cli-manual/database-analyze.md index 72ae274f9c9e..94e379897df9 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/database-analyze.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/database-analyze.md @@ -256,7 +256,7 @@ Download any missing queries before analyzing. A list of threat models to enable or disable. -The argument is the name of a threat model, optionally preceeded by a +The argument is the name of a threat model, optionally preceded by a '!'. If no '!' is present, the named threat model and all of its descendants are enabled. If a '!' is present, the named threat model and all of its descendants are disabled. @@ -400,7 +400,13 @@ expense of making it much less human readable. #### `-M, --ram=` -Set total amount of RAM the query evaluator should be allowed to use. +The query evaluator will try hard to keep its total memory footprint +below this value. (However, for large databases it is possible that the +threshold may be broken by file-backed memory maps, which can be swapped +to disk in case of memory pressure). + +The value should be at least 2048 MB; smaller values will be +transparently rounded up. ### Options to control QL compilation diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-bundle.md b/content/code-security/codeql-cli/codeql-cli-manual/database-bundle.md index dbe15ee0e224..e4adb5d30923 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/database-bundle.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/database-bundle.md @@ -48,6 +48,12 @@ that results, logs, TRAP, or similar should be included. \[Mandatory] The output file, typically with the extension ".zip". +#### `--include-diagnostics` + +Include diagnostics in the bundle. + +Available since `v2.16.0`. + #### `--include-results` Include any precomputed query results in the bundle. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-run-queries.md b/content/code-security/codeql-cli/codeql-cli-manual/database-run-queries.md index 4d596a35147f..0f664e47b2f4 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/database-run-queries.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/database-run-queries.md @@ -105,7 +105,7 @@ during database creation from a Code Scanning configuration file. A list of threat models to enable or disable. -The argument is the name of a threat model, optionally preceeded by a +The argument is the name of a threat model, optionally preceded by a '!'. If no '!' is present, the named threat model and all of its descendants are enabled. If a '!' is present, the named threat model and all of its descendants are disabled. @@ -249,7 +249,13 @@ expense of making it much less human readable. #### `-M, --ram=` -Set total amount of RAM the query evaluator should be allowed to use. +The query evaluator will try hard to keep its total memory footprint +below this value. (However, for large databases it is possible that the +threshold may be broken by file-backed memory maps, which can be swapped +to disk in case of memory pressure). + +The value should be at least 2048 MB; smaller values will be +transparently rounded up. ### Options to control QL compilation diff --git a/content/code-security/codeql-cli/codeql-cli-manual/database-upgrade.md b/content/code-security/codeql-cli/codeql-cli-manual/database-upgrade.md index e5500ea4ec81..bca0a85e6a2f 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/database-upgrade.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/database-upgrade.md @@ -216,7 +216,13 @@ expense of making it much less human readable. #### `-M, --ram=` -Set total amount of RAM the query evaluator should be allowed to use. +The query evaluator will try hard to keep its total memory footprint +below this value. (However, for large databases it is possible that the +threshold may be broken by file-backed memory maps, which can be swapped +to disk in case of memory pressure). + +The value should be at least 2048 MB; smaller values will be +transparently rounded up. ### Common options diff --git a/content/code-security/codeql-cli/codeql-cli-manual/dataset-upgrade.md b/content/code-security/codeql-cli/codeql-cli-manual/dataset-upgrade.md index 36d7d58b309c..6107ae341def 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/dataset-upgrade.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/dataset-upgrade.md @@ -212,7 +212,13 @@ expense of making it much less human readable. #### `-M, --ram=` -Set total amount of RAM the query evaluator should be allowed to use. +The query evaluator will try hard to keep its total memory footprint +below this value. (However, for large databases it is possible that the +threshold may be broken by file-backed memory maps, which can be swapped +to disk in case of memory pressure). + +The value should be at least 2048 MB; smaller values will be +transparently rounded up. ### Common options diff --git a/content/code-security/codeql-cli/codeql-cli-manual/execute-queries.md b/content/code-security/codeql-cli/codeql-cli-manual/execute-queries.md index b4f866083cae..f75c8d7044b7 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/execute-queries.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/execute-queries.md @@ -88,7 +88,7 @@ stored in the output location. A list of threat models to enable or disable. -The argument is the name of a threat model, optionally preceeded by a +The argument is the name of a threat model, optionally preceded by a '!'. If no '!' is present, the named threat model and all of its descendants are enabled. If a '!' is present, the named threat model and all of its descendants are disabled. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/generate-extensible-predicate-metadata.md b/content/code-security/codeql-cli/codeql-cli-manual/generate-extensible-predicate-metadata.md index 708bd5b1ed22..24adde2de760 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/generate-extensible-predicate-metadata.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/generate-extensible-predicate-metadata.md @@ -29,8 +29,8 @@ codeql generate extensible-predicate-metadata ... -- ## Description -\[Experimental] \[Deep plumbing] Report the extensible predicates -found in the given pack. +\[Deep plumbing] Report the extensible predicates found in the given +pack. ## Options diff --git a/content/code-security/codeql-cli/codeql-cli-manual/github-upload-results.md b/content/code-security/codeql-cli/codeql-cli-manual/github-upload-results.md index 48215a834db3..f8bd2913c27c 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/github-upload-results.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/github-upload-results.md @@ -49,9 +49,9 @@ This token must have the `security_events` scope. \[Mandatory] Path to the SARIF file to upload. This should be the output of [codeql database analyze](/code-security/codeql-cli/codeql-cli-manual/database-analyze) (or [codeql database interpret-results](/code-security/codeql-cli/codeql-cli-manual/database-interpret-results)) with `--format sarif-latest` for upload to github.com or -GitHub AE, or the appropriate supported format tag for GitHub Enterprise -Server instances (see [AUTOTITLE](/enterprise-server@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) -for SARIF versions supported by your release). +the appropriate supported format tag for GitHub Enterprise Server +instances (see [AUTOTITLE](/enterprise-server@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) for +SARIF versions supported by your release). #### `-r, --repository=` diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-add.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-add.md index 414df08c49e2..dd24a3687b32 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-add.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-add.md @@ -32,8 +32,8 @@ codeql pack add ... -- ... ## Description -\[Experimental] Adds a list of QL library packs with optional version -ranges as dependencies of the current package, and then installs them. +Adds a list of QL library packs with optional version ranges as +dependencies of the current package, and then installs them. This command modifies the qlpack.yml file of the current package. Formatting and comments will be removed. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-bundle.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-bundle.md index dd2d183731cd..c87187075f17 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-bundle.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-bundle.md @@ -30,7 +30,7 @@ codeql pack bundle [--output=] [--threads=] [--ram=] ... -- ## Description -\[Experimental] Clean install dependencies for this pack, verifying -that the existing lock file is up to date. +Clean install dependencies for this pack, verifying that the existing +lock file is up to date. This command installs the dependencies of the pack, using the versions specified in the codeql-pack.lock.yml file. If any of the versions diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-create.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-create.md index 31b215663446..2a0198979f9c 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-create.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-create.md @@ -32,8 +32,7 @@ codeql pack create [--output=] [--threads=] [--ram=] . ## Description -\[Experimental] \[Plumbing] Builds the contents of a QL package from -source code. +\[Plumbing] Builds the contents of a QL package from source code. This command builds the complete contents of a QL package, including the original source code, library dependencies, compiled queries, and diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-download.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-download.md index 29c7d6a37630..5a5c2a6706e0 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-download.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-download.md @@ -33,9 +33,9 @@ codeql pack download [--dir=] [--force] ... -- ] [--extractor=] ... -- ... -- ## Description -\[Experimental] Install dependencies for this pack. +Install dependencies for this pack. This command installs the dependencies of the pack. If a codeql-pack.lock.yml exists, the versions specified in that lock file diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-ls.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-ls.md index ab93e9bf5b68..15943e205575 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-ls.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-ls.md @@ -33,9 +33,8 @@ codeql pack ls ... -- ## Description -\[Experimental] \[Deep plumbing] List the CodeQL packages rooted at -this directory. This directory must contain a qlpack.yml or -.codeqlmanifest.json file. +\[Deep plumbing] List the CodeQL packages rooted at this directory. +This directory must contain a qlpack.yml or .codeqlmanifest.json file. Available since `v2.7.1`. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-packlist.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-packlist.md index f7cd63b26db3..884ac9a4a559 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-packlist.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-packlist.md @@ -32,8 +32,8 @@ codeql pack packlist ... -- ## Description -\[Experimental] \[Plumbing] Compute the set of files to be included in -a QL query pack or library pack. +\[Plumbing] Compute the set of files to be included in a QL query pack +or library pack. This command determines the set of files to be included in the pack based on the patterns specified in any `.gitignore` files present in the diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-publish.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-publish.md index 464e323062e5..3f1eddb3a8c5 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-publish.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-publish.md @@ -30,7 +30,7 @@ codeql pack publish [--dry-run] [--threads=] [--ram=] [--pack= ## Description -\[Experimental] Publishes a QL library pack to a package registry. +Publishes a QL library pack to a package registry. This command publishes a pack to a package registry. Before publishing, the pack is first compiled (if necessary) and bundled. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-resolve-dependencies.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-resolve-dependencies.md index ee0ddb664cb0..b04de5e6b836 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-resolve-dependencies.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-resolve-dependencies.md @@ -32,8 +32,7 @@ codeql pack resolve-dependencies ... -- ## Description -\[Experimental] \[Plumbing] Compute the set of required dependencies -for this QL pack. +\[Plumbing] Compute the set of required dependencies for this QL pack. This command searches the configured registries for required dependencies and returns the list of resolved dependencies. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/pack-upgrade.md b/content/code-security/codeql-cli/codeql-cli-manual/pack-upgrade.md index ced9a6d01396..cea360db5a5c 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/pack-upgrade.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/pack-upgrade.md @@ -32,8 +32,7 @@ codeql pack upgrade [--force] ... -- ## Description -\[Experimental] Update the dependencies for this pack to the latest -available versions. +Update the dependencies for this pack to the latest available versions. This command installs the latest compatible version of each dependency of the pack, updating the lock file with the newly acquired versions. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/query-run.md b/content/code-security/codeql-cli/codeql-cli-manual/query-run.md index b1f275347554..304ef3778715 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/query-run.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/query-run.md @@ -195,7 +195,13 @@ expense of making it much less human readable. #### `-M, --ram=` -Set total amount of RAM the query evaluator should be allowed to use. +The query evaluator will try hard to keep its total memory footprint +below this value. (However, for large databases it is possible that the +threshold may be broken by file-backed memory maps, which can be swapped +to disk in case of memory pressure). + +The value should be at least 2048 MB; smaller values will be +transparently rounded up. ### Options to control QL compilation diff --git a/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions-by-pack.md b/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions-by-pack.md index aeb13f324b44..96980b569732 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions-by-pack.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions-by-pack.md @@ -30,9 +30,8 @@ codeql resolve extensions-by-pack ... -- ... ## Description -\[Experimental] \[Deep plumbing] Determine accessible extensions for -the given paths to pack roots. This includes machine learning models and -data extensions. +\[Deep plumbing] Determine accessible extensions for the given paths to +pack roots. This includes machine learning models and data extensions. This plumbing command resolves the set of data extensions and GitHub-created machine learning models that are available to the paths @@ -91,7 +90,7 @@ value. A list of threat models to enable or disable. -The argument is the name of a threat model, optionally preceeded by a +The argument is the name of a threat model, optionally preceded by a '!'. If no '!' is present, the named threat model and all of its descendants are enabled. If a '!' is present, the named threat model and all of its descendants are disabled. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions.md b/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions.md index 9d8b3374da82..25865e43ceb7 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/resolve-extensions.md @@ -32,8 +32,8 @@ codeql resolve extensions ... -- ... ## Description -\[Experimental] \[Deep plumbing] Determine accessible extensions. This -includes machine learning models and data extensions. +\[Deep plumbing] Determine accessible extensions. This includes machine +learning models and data extensions. This plumbing command resolves the set of data extensions and GitHub-created machine learning models that are available to the query @@ -110,7 +110,7 @@ value. A list of threat models to enable or disable. -The argument is the name of a threat model, optionally preceeded by a +The argument is the name of a threat model, optionally preceded by a '!'. If no '!' is present, the named threat model and all of its descendants are enabled. If a '!' is present, the named threat model and all of its descendants are disabled. diff --git a/content/code-security/codeql-cli/codeql-cli-manual/resolve-ml-models.md b/content/code-security/codeql-cli/codeql-cli-manual/resolve-ml-models.md index eb2895e5f2b1..e49b056717b4 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/resolve-ml-models.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/resolve-ml-models.md @@ -32,8 +32,8 @@ codeql resolve ml-models ... -- ... ## Description -\[Deprecated] \[Experimental] \[Deep plumbing] Determine accessible -machine learning models. +\[Deprecated] \[Deep plumbing] Determine accessible machine learning +models. This plumbing command is deprecated. Previously it resolved the set of GitHub-created machine learning models that were available to the query diff --git a/content/code-security/codeql-cli/codeql-cli-manual/resolve-ram.md b/content/code-security/codeql-cli/codeql-cli-manual/resolve-ram.md index 489653ae6c0a..5c635b1a33cc 100644 --- a/content/code-security/codeql-cli/codeql-cli-manual/resolve-ram.md +++ b/content/code-security/codeql-cli/codeql-cli-manual/resolve-ram.md @@ -57,7 +57,20 @@ Select output format. Choices include: #### `-M, --ram=` -Set total amount of RAM the query evaluator should be allowed to use. +The query evaluator will try hard to keep its total memory footprint +below this value. (However, for large databases it is possible that the +threshold may be broken by file-backed memory maps, which can be swapped +to disk in case of memory pressure). + +The value should be at least 2048 MB; smaller values will be +transparently rounded up. + +#### `--dataset=` + +\[Advanced] Tune the RAM settings appropriately for querying the given +dataset, taking into account components of RAM usage that scale with the +size of the database. If this is not given, a generic default size will +be assumed. ### Common options diff --git a/data/release-notes/enterprise-server/3-10/5.yml b/data/release-notes/enterprise-server/3-10/5.yml new file mode 100644 index 000000000000..9942e67ad580 --- /dev/null +++ b/data/release-notes/enterprise-server/3-10/5.yml @@ -0,0 +1,68 @@ +date: '2024-01-16' +intro: | + {% warning %} + + **Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.10.5-known-issues)" section of these release notes. + + {% endwarning %} +sections: + security_fixes: + - | + **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. GitHub has requested CVE ID [CVE-2024-0507](https://www.cve.org/cverecord?id=CVE-2024-0507) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **HIGH**: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of [Private Mode](https://docs.github.com/en/enterprise-server@3.9/admin/configuration/hardening-security-for-your-enterprise/enabling-private-mode) by using a specially crafted API request. Private Mode is the mechanism that enforces authentication for publicly-scoped resources and this vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public within the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in Private Mode. This vulnerability was reported via the GitHub Bug Bounty program. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-6847](https://www.cve.org/cverecord?id=CVE-2023-6847). + - | + **HIGH**: An attacker could leverage an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the [organization owner role](https://docs.github.com/en/enterprise-server@latest/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-owners). GitHub has requested CVE ID [CVE-2024-0200](https://docs.github.com/en) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380). + - | + Packages have been updated to the latest security versions. + bugs: + - Support for authenticating to GitHub Enterprise Server using GitHub CLI OAuth App with a device code was unintentionally disabled. + - During periods of high load, users would see intermittent interruptions to services when upstream services failed internal health checks. + - On an instance in a high availability configuration, site administrators using the Manage GitHub Enterprise Server API may have seen a status of `UNKNOWN` for the MSSQL service. + - On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server. + - Deleting a repository would enqueue unnecessary background jobs that would never complete. + - When creating a new custom pattern for secret scanning, the "More options" section of the custom pattern form automatically collapsed when a user entered an invalid regex in the post processing expressions (before/after secret match or additional secret requirements). + - On an instance with a GitHub Advanced Security license and secret scanning enabled, users could experience a `500` error when viewing a secret scanning alert page in cases where the alerted commits belonged to the user and one or more commits could not be found. + - Members of an enterprise were incorrectly allowed access to the REST API endpoints for Enterprise licensing. + - On an instance that uses SAML for authentication, an upgrade from GitHub Enterprise Server 3.7 to 3.9 could result in user login failures due to an outdated gem dependency. + changes: + - To avoid leaking secrets, the logging of all parameters is disabled for Management Console events in enterprise audit logs. + - More detailed information is logged when a GitHub Enterprise Server upgrade failed due to missing database encryption keys. + - The branch protection setting to require PR approval of the most recent reviewable push is included in exports from `ghe-migrator` or the Organization Migrations API. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %} + - | + {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %} + - | + {% data reusables.release-notes.2023-08-mssql-replication-known-issue %} + - | + {% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %} + - | + After an administrator enables maintenance mode from the instance's Management Console UI using Firefox, the administrator is redirected to the Settings page, but maintenance mode is not enabled. To work around this issue, use a different browser. + - | + On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance. + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} + - | + {% data reusables.release-notes.2023-10-actions-upgrade-bug %} + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly. + - | + {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} diff --git a/data/release-notes/enterprise-server/3-11/3.yml b/data/release-notes/enterprise-server/3-11/3.yml new file mode 100644 index 000000000000..477bb6c349ef --- /dev/null +++ b/data/release-notes/enterprise-server/3-11/3.yml @@ -0,0 +1,52 @@ +date: '2024-01-16' +sections: + security_fixes: + - | + **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. GitHub has requested CVE ID [CVE-2024-0507](https://www.cve.org/cverecord?id=CVE-2024-0507) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **HIGH**: An attacker could leverage an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the [organization owner role](https://docs.github.com/en/enterprise-server@latest/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-owners). GitHub has requested CVE ID [CVE-2024-0200](https://docs.github.com/en) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + Packages have been updated to the latest security versions. + bugs: + - Support for authenticating to GitHub Enterprise Server using GitHub CLI OAuth App with a device code was unintentionally disabled. + - During periods of high load, users would see intermittent interruptions to services when upstream services failed internal health checks. + - On an instance in a high availability configuration, site administrators using the Manage GitHub Enterprise Server API may have seen a status of `UNKNOWN` for the MSSQL service. + - Hotpatch upgrades from GitHub Enterprise Server version `3.11.0` to `3.11.1` resulted in the instance losing network connectivity after a reboot. + - On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server. + - Deleting a repository would enqueue unnecessary background jobs that would never complete. + - When creating a new custom pattern for secret scanning, the "More options" section of the custom pattern form automatically collapsed when a user entered an invalid regex in the post processing expressions (before/after secret match or additional secret requirements). + - On an instance with a GitHub Advanced Security license and secret scanning enabled, users could experience a `500` error when viewing a secret scanning alert page in cases where the alerted commits belonged to the user and one or more commits could not be found. + - Members of an enterprise were incorrectly allowed access to the REST API endpoints for Enterprise licensing. + - On an instance that uses SAML for authentication, an upgrade from GitHub Enterprise Server 3.7 to 3.9 could result in user login failures due to an outdated gem dependency. + - Under rare circumstances, a repository could become unavailable due to a temporary file being left behind after a Git process was unexpectedly interrupted (for example, due to a power outage). + - On an instance with GitHub Advanced Security enabled, a suspended user would consume a license for GitHub Advanced Security. + changes: + - To avoid leaking secrets, the logging of all parameters is disabled for Management Console events in enterprise audit logs. + - The branch protection setting to require PR approval of the most recent reviewable push is included in exports from `ghe-migrator` or the Organization Migrations API. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance. + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + {% data reusables.release-notes.2023-11-cluster-ha-failover-git-push-failure %} + - | + Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly. + - | + {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} + - | + Pre-receive hooks which utilize `git rev-list` fail with an `fatal: Invalid revision range` error message. diff --git a/data/release-notes/enterprise-server/3-8/13.yml b/data/release-notes/enterprise-server/3-8/13.yml new file mode 100644 index 000000000000..e990ed5cf6c9 --- /dev/null +++ b/data/release-notes/enterprise-server/3-8/13.yml @@ -0,0 +1,43 @@ +date: '2024-01-16' +sections: + security_fixes: + - | + **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. GitHub has requested CVE ID [CVE-2024-0507](https://www.cve.org/cverecord?id=CVE-2024-0507) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **HIGH**: An attacker could leverage an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the [organization owner role](https://docs.github.com/en/enterprise-server@latest/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-owners). GitHub has requested CVE ID [CVE-2024-0200](https://docs.github.com/en) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380). + - | + Packages have been updated to the latest security versions. + bugs: + - During periods of high load, users would see intermittent interruptions to services when upstream services failed internal health checks. + - When creating a new custom pattern for secret scanning, the "More options" section of the custom pattern form automatically collapsed when a user entered an invalid regex in the post processing expressions (before/after secret match or additional secret requirements). + - On an instance with a GitHub Advanced Security license and secret scanning enabled, users could experience a `500` error when viewing a secret scanning alert page in cases where the alerted commits belonged to the user and one or more commits could not be found. + - Members of an enterprise were incorrectly allowed access to the REST API endpoints for Enterprise licensing. + changes: + - The branch protection setting to require PR approval of the most recent reviewable push is included in exports from `ghe-migrator` or the Organization Migrations API. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. + - | + When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`. + - | + {% data reusables.release-notes.mermaid-rendering-known-issue %} + - | + {% data reusables.release-notes.2023-08-mssql-replication-known-issue %} + - | + On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance. + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} + - | + Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly. + - | + {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} diff --git a/data/release-notes/enterprise-server/3-9/8.yml b/data/release-notes/enterprise-server/3-9/8.yml new file mode 100644 index 000000000000..edfe21ac2bf0 --- /dev/null +++ b/data/release-notes/enterprise-server/3-9/8.yml @@ -0,0 +1,67 @@ +date: '2024-01-16' +intro: | + {% warning %} + + **Warning**: A change to MySQL in GitHub Enterprise Server 3.9 and later may impact the performance of your instance. Before you upgrade, make sure you've read the "[Known issues](#3.9.8-known-issues)" section of these release notes. + + {% endwarning %} +sections: + security_fixes: + - | + **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. GitHub has requested CVE ID [CVE-2024-0507](https://www.cve.org/cverecord?id=CVE-2024-0507) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **HIGH**: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of [Private Mode](https://docs.github.com/en/enterprise-server@3.9/admin/configuration/hardening-security-for-your-enterprise/enabling-private-mode) by using a specially crafted API request. Private Mode is the mechanism that enforces authentication for publicly-scoped resources and this vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public within the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in Private Mode. This vulnerability was reported via the GitHub Bug Bounty program. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-6847](https://www.cve.org/cverecord?id=CVE-2023-6847). + - | + **HIGH**: An attacker could leverage an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the [organization owner role](https://docs.github.com/en/enterprise-server@latest/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#organization-owners). GitHub has requested CVE ID [CVE-2024-0200](https://docs.github.com/en) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380). + - | + Packages have been updated to the latest security versions. + bugs: + - Support for authenticating to GitHub Enterprise Server using GitHub CLI OAuth App with a device code was unintentionally disabled. + - During periods of high load, users would see intermittent interruptions to services when upstream services failed internal health checks. + - On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server. + - Deleting a repository would enqueue unnecessary background jobs that would never complete. + - When creating a new custom pattern for secret scanning, the "More options" section of the custom pattern form automatically collapsed when a user entered an invalid regex in the post processing expressions (before/after secret match or additional secret requirements). + - On an instance with a GitHub Advanced Security license and secret scanning enabled, users could experience a `500` error when viewing a secret scanning alert page in cases where the alerted commits belonged to the user and one or more commits could not be found. + - Members of an enterprise were incorrectly allowed access to the REST API endpoints for Enterprise licensing. + - On an instance that uses SAML for authentication, an upgrade from GitHub Enterprise Server 3.7 to 3.9 could result in user login failures due to an outdated gem dependency. + changes: + - To avoid leaking secrets, the logging of all parameters is disabled for Management Console events in enterprise audit logs. + - More detailed information is logged when a GitHub Enterprise Server upgrade failed due to missing database encryption keys. + - The branch protection setting to require PR approval of the most recent reviewable push is included in exports from `ghe-migrator` or the Organization Migrations API. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + If an instance is configured to forward logs to a target server with TLS enabled, certificate authority (CA) bundles that a site administrator uploads using `ghe-ssl-ca-certificate-install` are not respected, and connections to the server fail. + - | + When running `ghe-config-apply`, the process may stall with the message `Deployment is running pending automatic promotion`. + - | + The `mbind: Operation not permitted` error in the `/var/log/mysql/mysql.err` file can be ignored. MySQL 8 does not gracefully handle when the `CAP_SYS_NICE` capability isn't required, and outputs an error instead of a warning. + - | + When enabling CodeQL via default setup [at scale](/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-at-scale), some checks related to GitHub Actions are omitted, potentially preventing the process from completing. + - | + {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-mysql-cannot-start-up %} + - | + {% data reusables.release-notes.upgrade-to-3-9-or-to-3-10-io-utilization-increase %} + - | + {% data reusables.release-notes.2023-08-mssql-replication-known-issue %} + - | + {% data reusables.release-notes.2023-09-config-apply-timeout-hookshot-go-replicas %} + - | + On an instance hosted in AWS, system time may lose synchronization with Amazon's servers after an administrator reboots the instance. + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.2023-10-git-push-made-but-not-registered %} + - | + {% data reusables.release-notes.2023-10-actions-upgrade-bug %} + - | + Restoring backups with `ghe-restore` on a GHES cluster will exit prematurely if `redis` has not restarted properly. + - | + {% data reusables.release-notes.2024-01-haproxy-upgrade-causing-increased-errors %} diff --git a/data/reusables/code-scanning/codeql-query-tables/cpp.md b/data/reusables/code-scanning/codeql-query-tables/cpp.md index db106e82ef99..33e34c0cf82e 100644 --- a/data/reusables/code-scanning/codeql-query-tables/cpp.md +++ b/data/reusables/code-scanning/codeql-query-tables/cpp.md @@ -27,6 +27,7 @@ | [File opened with O_CREAT flag but without mode argument](https://codeql.github.com/codeql-query-help/cpp/cpp-open-call-with-mode-argument/) | 732 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [Incorrect 'not' operator usage](https://codeql.github.com/codeql-query-help/cpp/cpp-incorrect-not-operator-usage/) | 480 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | | [Incorrect allocation-error handling](https://codeql.github.com/codeql-query-help/cpp/cpp-incorrect-allocation-error-handling/) | 570, 252, 755 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | +| [Incorrect return-value check for a 'scanf'-like function](https://codeql.github.com/codeql-query-help/cpp/cpp-incorrectly-checked-scanf/) | 253 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [Invalid pointer dereference](https://codeql.github.com/codeql-query-help/cpp/cpp-invalid-pointer-deref/) | 119, 125, 193, 787 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | | [Likely overrunning write](https://codeql.github.com/codeql-query-help/cpp/cpp-very-likely-overrunning-write/) | 120, 787, 805 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [Mismatching new/free or malloc/delete](https://codeql.github.com/codeql-query-help/cpp/cpp-new-free-mismatch/) | 401 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | @@ -80,6 +81,7 @@ | [Use of expired stack-address](https://codeql.github.com/codeql-query-help/cpp/cpp-using-expired-stack-address/) | 825 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [Use of potentially dangerous function](https://codeql.github.com/codeql-query-help/cpp/cpp-potentially-dangerous-function/) | 676 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | | [Use of string after lifetime ends](https://codeql.github.com/codeql-query-help/cpp/cpp-use-of-string-after-lifetime-ends/) | 416, 664 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | +| [Use of unique pointer after lifetime ends](https://codeql.github.com/codeql-query-help/cpp/cpp-use-of-unique-pointer-after-lifetime-ends/) | 416, 664 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [Wrong type of arguments to formatting function](https://codeql.github.com/codeql-query-help/cpp/cpp-wrong-type-format-argument/) | 686 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [XML external entity expansion](https://codeql.github.com/codeql-query-help/cpp/cpp-external-entity-expansion/) | 611 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | diff --git a/data/reusables/code-scanning/codeql-query-tables/java.md b/data/reusables/code-scanning/codeql-query-tables/java.md index dfbcaf7a2922..b35024a3bd04 100644 --- a/data/reusables/code-scanning/codeql-query-tables/java.md +++ b/data/reusables/code-scanning/codeql-query-tables/java.md @@ -51,6 +51,7 @@ | [Insecure Bean Validation](https://codeql.github.com/codeql-query-help/java/java-insecure-bean-validation/) | 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [Insecure JavaMail SSL Configuration](https://codeql.github.com/codeql-query-help/java/java-insecure-smtp-ssl/) | 297 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | | [Insecure LDAP authentication](https://codeql.github.com/codeql-query-help/java/java-insecure-ldap-auth/) | 522, 319 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | +| [Insecure randomness](https://codeql.github.com/codeql-query-help/java/java-insecure-randomness/) | 330, 338 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [Insertion of sensitive information into log files](https://codeql.github.com/codeql-query-help/java/java-sensitive-log/) | 532 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | | [Intent URI permission manipulation](https://codeql.github.com/codeql-query-help/java/java-android-intent-uri-permission-manipulation/) | 266, 926 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | | [JNDI lookup with user-controlled name](https://codeql.github.com/codeql-query-help/java/java-jndi-injection/) | 074 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |