From f04a40f2ec8384bd3778f8ce14a50930de67d9c5 Mon Sep 17 00:00:00 2001 From: Cory Calahan Date: Thu, 17 Apr 2025 14:15:03 -0700 Subject: [PATCH 1/3] Update scope of support regarding preview features (#55095) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> --- data/reusables/support/scope-of-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/support/scope-of-support.md b/data/reusables/support/scope-of-support.md index 98b543fa761b..d397d9607897 100644 --- a/data/reusables/support/scope-of-support.md +++ b/data/reusables/support/scope-of-support.md 
@@ -10,7 +10,7 @@ If your support request is outside of the scope of what our team can help you wi * Cloud provider configurations, such as virtual network setup, custom firewall, or proxy rules * Container orchestration, such as Kubernetes setup, or networking * Detailed assistance with workflows and data management -* {% data variables.release-phases.public_preview_caps %} features. Support for {% data variables.release-phases.public_preview %} features is out of {% data variables.contact.github_support %}'s scope. {% ifversion ghec or ghes %}For support with {% data variables.release-phases.public_preview %} features, you can contact your account manager on {% data variables.contact.contact_enterprise_sales %}.{% endif %} +* Preview features. {% data variables.release-phases.public_preview_caps %} and {% data variables.release-phases.private_preview %} features are out of {% data variables.contact.github_support %}'s scope. {% ifversion ghec or ghes %}For support with {% data variables.release-phases.public_preview %} features, you can contact your account manager on {% data variables.contact.contact_enterprise_sales %}. For support with {% data variables.release-phases.private_preview %} features, contact the group provided during the {% data variables.release-phases.private_preview %}'s onboarding session, or your account manager on {% data variables.contact.contact_enterprise_sales %}.{% endif %} For detailed assistance with workflows and data management, consult [GitHub Expert Services](https://github.com/services/), which offer specialized support to help you optimize your use of the platform. From 498b29ec2074beac8e9326019aee62ccb64bc6e9 Mon Sep 17 00:00:00 2001 
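Review bot: In patch 1/3 (scope-of-support.md, hunk @@ -10,7), the new private preview guidance ("contact the group provided during the ... onboarding session, or your account manager on ...") is placed inside the existing `{% ifversion ghec or ghes %}` block, so readers on other versions are now told that private preview features are out of scope but are given no route for help at all; if that is intended, fine, otherwise move the private preview sentence outside the `ifversion` guard or add a version-neutral pointer. Minor: both the public preview and private preview sentences end with "your account manager on {% data variables.contact.contact_enterprise_sales %}", which could be merged into one sentence to avoid repeating the same contact twice in one bullet.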
From: Jaryl Date: Thu, 17 Apr 2025 16:26:19 -0500 Subject: [PATCH 2/3] Updated GitHub Models rate limit table (#55327) Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com> --- .../github-models/prototyping-with-ai-models.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/content/github-models/prototyping-with-ai-models.md b/content/github-models/prototyping-with-ai-models.md index 833363809fc9..2acb4e77e576 100644 --- a/content/github-models/prototyping-with-ai-models.md +++ b/content/github-models/prototyping-with-ai-models.md @@ -255,26 +255,26 @@ Low, high, and embedding models have different rate limits. To see which type of 1 - Azure OpenAI o1-mini + Azure OpenAI o1 and o3 Requests per minute Not applicable + 1 + 2 2 - 3 - 3 Requests per day Not applicable + 8 + 10 12 - 15 - 20 Tokens per request Not applicable 4000 in, 4000 out 4000 in, 4000 out - 4000 in, 4000 out + 4000 in, 8000 out Concurrent requests @@ -284,7 +284,7 @@ Low, high, and embedding models have different rate limits. To see which type of 1 - Azure OpenAI o3-mini + Azure OpenAI o1-mini, o3-mini, and o4-mini Requests per minute Not applicable 2 @@ -313,7 +313,7 @@ Low, high, and embedding models have different rate limits. To see which type of 1 - DeepSeek-R1 + DeepSeek-R1 and MAI-DS-R1 Requests per minute 1 1 From 92fb340b5bfd11a405d2070f87ec5d52c3378f56 Mon Sep 17 00:00:00 2001 
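Review bot: In patch 2/3 (prototyping-with-ai-models.md), the first hunk (@@ -255) drops o1-mini from the row that becomes "Azure OpenAI o1 and o3" while lowering that row's limits (requests per minute from 2/3/3 to 1/2/2, requests per day from 12/15/20 to 8/10/12, and the last column's tokens per request from `4000 in, 4000 out` to `4000 in, 8000 out`), and the second hunk (@@ -284) folds o1-mini into the o3-mini row whose values are unchanged in the diff, so a reviewer cannot tell from the patch whether o1-mini keeps its old limits, takes the o3-mini limits, or should have taken the new o1/o3 values. Please state in the PR description which limits now apply to o1-mini, and likewise confirm in the third hunk (@@ -313) that MAI-DS-R1 really shares the DeepSeek-R1 limits rather than needing its own row.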
From: "release-controller[bot]" <110195724+release-controller[bot]@users.noreply.github.com> Date: Thu, 17 Apr 2025 15:20:53 -0700 Subject: [PATCH 3/3] Patch release notes for GitHub Enterprise Server (#55292) Co-authored-by: Release-Controller Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com> Co-authored-by: Sarah Schneider Co-authored-by: Sarah Schneider Co-authored-by: Alex Cyphus <983880+ACyphus@users.noreply.github.com> --- .../enterprise-server/3-13/14.yml | 44 ++++++++++ .../enterprise-server/3-14/11.yml | 64 +++++++++++++++ .../enterprise-server/3-15/2.yml | 2 +- .../enterprise-server/3-15/3.yml | 3 +- .../enterprise-server/3-15/6.yml | 62 ++++++++++++++ .../enterprise-server/3-16/2.yml | 80 +++++++++++++++++++ 6 files changed, 252 insertions(+), 3 deletions(-) create mode 100644 data/release-notes/enterprise-server/3-13/14.yml create mode 100644 data/release-notes/enterprise-server/3-14/11.yml create mode 100644 data/release-notes/enterprise-server/3-15/6.yml create mode 100644 data/release-notes/enterprise-server/3-16/2.yml diff --git a/data/release-notes/enterprise-server/3-13/14.yml b/data/release-notes/enterprise-server/3-13/14.yml new file mode 100644 index 000000000000..1600d11b414b --- /dev/null +++ b/data/release-notes/enterprise-server/3-13/14.yml 
@@ -0,0 +1,44 @@ +date: '2025-04-17' +sections: + security_fixes: + - | + **HIGH**: An attacker could execute arbitrary code, potentially leading to privilege escalation and system compromise, by exploiting the pre-receive hook functionality to bind to dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This vulnerability is only exploitable under specific operational conditions, such as during the hot patching process, and requires either site administrator permissions or a user with privileges to modify repositories containing pre-receive hooks. GitHub has requested CVE ID: [CVE-2025-3509](https://www.cve.org/cverecord?id=CVE-2025-3509) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM:** An attacker could view private repository names, which the signed-in user is not authorized to see, in the GitHub Advanced Security Overview. This was due to a missing authorization check and occurred when filtering with _only_ `archived:`. GitHub has requested CVE ID [CVE-2025-3124](https://www.cve.org/CVERecord?id=CVE-2025-3124) for this vulnerability. + bugs: + - | + In the commit author filter dropdown on the commit history page for a repository, users could not search for a specific author (such as `foo`) if their search query had already returned a similar username (such as `foobar`). + - | + Various repository content API endpoints were unable to parse revisions containing invalid UTF-8 byte sequences, triggering `500 Internal Server Error` responses. + - | + The "Get allowed actions and reusable workflows" APIs for enterprises, organizations, and repositories did not include the `verified_allowed` response field. + changes: + - | + Upgrading using a hot patch package will fail if the Elasticsearch status is not green. 
To help prevent post-upgrade problems when the Elasticsearch status is red, usually in a high-availability configuration, a check has been added. + - | + Merging a pull request using the "Rebase and merge" option is now limited to 100 commits. If you have a pull request with more than 100 commits, you need to either create a merge commit, or squash and merge, or split the commits up into multiple pull requests. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + For an instance in a cluster configuration and with GitHub Actions enabled, restoring a cluster from backup requires targeting the primary DB node. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. 
+ - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. + - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. diff --git a/data/release-notes/enterprise-server/3-14/11.yml b/data/release-notes/enterprise-server/3-14/11.yml new file mode 100644 index 000000000000..35652395b6d4 --- /dev/null +++ b/data/release-notes/enterprise-server/3-14/11.yml 
@@ -0,0 +1,64 @@ +date: '2025-04-17' +sections: + security_fixes: + - | + **HIGH**: An attacker could execute arbitrary code, potentially leading to privilege escalation and system compromise, by exploiting the pre-receive hook functionality to bind to dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This vulnerability is only exploitable under specific operational conditions, such as during the hot patching process, and requires either site administrator permissions or a user with privileges to modify repositories containing pre-receive hooks. GitHub has requested CVE ID: [CVE-2025-3509](https://www.cve.org/cverecord?id=CVE-2025-3509) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM:** An attacker could view private repository names, which the signed-in user is not authorized to see, in the GitHub Advanced Security Overview. This was due to a missing authorization check and occurred when filtering with _only_ `archived:`. GitHub has requested CVE ID [CVE-2025-3124](https://www.cve.org/CVERecord?id=CVE-2025-3124) for this vulnerability. + bugs: + - | + When restarting babeld, most commonly as part of upgrades between 3.14.x point releases, the old and new babeld processes could have a port conflict resulting in the babeld service stopping unexpectedly minutes or hours later. + - | + Pruning unreachable Git objects on a single replica could cause increased CPU load due to many Git checksum recalculations. + - | + In the commit author filter dropdown on the commit history page for a repository, users could not search for a specific author (such as `foo`) if their search query had already returned a similar username (such as `foobar`). + - | + Various repository content API endpoints were unable to parse revisions containing invalid UTF-8 byte sequences, triggering `500 Internal Server Error` responses. 
+ - | + The "Get allowed actions and reusable workflows" APIs for enterprises, organizations, and repositories did not include the `verified_allowed` response field. + changes: + - | + Upgrading using a hot patch package will fail if the Elasticsearch status is not green. To help prevent post-upgrade problems when the Elasticsearch status is red, usually in a high-availability configuration, a check has been added. + - | + Merging a pull request using the "Rebase and merge" option is now limited to 100 commits. If you have a pull request with more than 100 commits, you need to either create a merge commit, or squash and merge, or split the commits up into multiple pull requests. + - | + The `spokesctl info` and `spokesctl repos` commands now also show wikis that are part of a network. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. 
+ - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + In the header bar displayed to site administrators, some icons are not available. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. 
+ - | + Services may respond with a `503` status due to an out of date `haproxy` configuration. This can usually be resolved with a `ghe-config-apply` run. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. + - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. + - | + Repository Cache Replicas return `Repository not found` when changes have been pushed to the Primary instance that have not yet synchronized to the Cache Replica. This issue can also occur in all previous patches of this release. + - | + Unexpected elements may appear in the UI on the repo overview page for locked repositories. diff --git a/data/release-notes/enterprise-server/3-15/2.yml b/data/release-notes/enterprise-server/3-15/2.yml index f95f2c328073..bec87dd03d86 100644 --- a/data/release-notes/enterprise-server/3-15/2.yml +++ b/data/release-notes/enterprise-server/3-15/2.yml @@ -83,5 +83,5 @@ sections: errata: - | These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.15.2, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions. - + The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11] diff --git a/data/release-notes/enterprise-server/3-15/3.yml b/data/release-notes/enterprise-server/3-15/3.yml index efdbadc09c81..11829911bf4e 100644 --- a/data/release-notes/enterprise-server/3-15/3.yml +++ b/data/release-notes/enterprise-server/3-15/3.yml 
@@ -95,6 +95,5 @@ sections: The warning and known issues section have been updated to accurately reflect that instances installed on GCP will face issues while hotpatching to 3.15.3. Previously, the warning and known issue indicated that customers would face issues either while upgrading or hotpatching to version 3.15.3. [Updated: 2025-03-11] - | These release notes previously indicated as a known issue that on GitHub Enterprise Server 3.15.3, repositories originally imported using `ghe-migrator` will not correctly track Advanced Security contributions. - + The fix for this problem was already included in GitHub Enterprise Server [3.12](/admin/release-notes#3.12.0-bugs). [Updated: 2025-04-11] - \ No newline at end of file diff --git a/data/release-notes/enterprise-server/3-15/6.yml b/data/release-notes/enterprise-server/3-15/6.yml new file mode 100644 index 000000000000..5818e2fea987 --- /dev/null +++ b/data/release-notes/enterprise-server/3-15/6.yml 
@@ -0,0 +1,62 @@ +date: '2025-04-17' +sections: + security_fixes: + - | + **HIGH**: An attacker could execute arbitrary code, potentially leading to privilege escalation and system compromise, by exploiting the pre-receive hook functionality to bind to dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This vulnerability is only exploitable under specific operational conditions, such as during the hot patching process, and requires either site administrator permissions or a user with privileges to modify repositories containing pre-receive hooks. GitHub has requested CVE ID: [CVE-2025-3509](https://www.cve.org/cverecord?id=CVE-2025-3509) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM:** An attacker could view private repository names, which the signed-in user is not authorized to see, in the GitHub Advanced Security Overview. This was due to a missing authorization check and occurred when filtering with _only_ `archived:`. GitHub has requested CVE ID [CVE-2025-3124](https://www.cve.org/CVERecord?id=CVE-2025-3124) for this vulnerability. + bugs: + - | + Pruning unreachable Git objects on a single replica could cause increased CPU load due to many Git checksum recalculations. + - | + In the commit author filter dropdown on the commit history page for a repository, users could not search for a specific author (such as `foo`) if their search query had already returned a similar username (such as `foobar`). + - | + Various repository content API endpoints were unable to parse revisions containing invalid UTF-8 byte sequences, triggering `500 Internal Server Error` responses. + - | + The "Get allowed actions and reusable workflows" APIs for enterprises, organizations, and repositories did not include the `verified_allowed` response field. 
+ - | + Pull requests notifications in Slack and Teams integrations did not strikethrough in the UI when approved. + changes: + - | + Upgrading using a hot patch package will fail if the Elasticsearch status is not green. To help prevent post-upgrade problems when the Elasticsearch status is red, usually in a high-availability configuration, a check has been added. + - | + Merging a pull request using the "Rebase and merge" option is now limited to 100 commits. If you have a pull request with more than 100 commits, you need to either create a merge commit, or squash and merge, or split the commits up into multiple pull requests. + - | + The `spokesctl info` and `spokesctl repos` commands now also show wikis that are part of a network. + known_issues: + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. 
+ - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + In the header bar displayed to site administrators, some icons are not available. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. 
+ - | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. + - | + Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. + - | + Repository Cache Replicas return `Repository not found` when changes have been pushed to the Primary instance that have not yet synchronized to the Cache Replica. This issue can also occur in all previous patches of this release. diff --git a/data/release-notes/enterprise-server/3-16/2.yml b/data/release-notes/enterprise-server/3-16/2.yml new file mode 100644 index 000000000000..4e6622e8b625 --- /dev/null +++ b/data/release-notes/enterprise-server/3-16/2.yml 
@@ -0,0 +1,80 @@ +date: '2025-04-17' +sections: + security_fixes: + - | + **HIGH**: An attacker could execute arbitrary code, potentially leading to privilege escalation and system compromise, by exploiting the pre-receive hook functionality to bind to dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This vulnerability is only exploitable under specific operational conditions, such as during the hot patching process, and requires either site administrator permissions or a user with privileges to modify repositories containing pre-receive hooks. GitHub has requested CVE ID: [CVE-2025-3509](https://www.cve.org/cverecord?id=CVE-2025-3509) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM:** An attacker could view private repository names, which the signed-in user is not authorized to see, in the GitHub Advanced Security Overview. This was due to a missing authorization check and occurred when filtering with _only_ `archived:`. GitHub has requested CVE ID [CVE-2025-3124](https://www.cve.org/CVERecord?id=CVE-2025-3124) for this vulnerability. + - | + **HIGH**: An attacker could exploit an improper neutralization of input vulnerability in GitHub’s Markdown rendering to embed malicious HTML/CSS in math blocks `$$ .. $$`, which allowed cross-site scripting. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. To mitigate this issue, GitHub has disallowed math blocks to be escaped early by dollar signs and improved math-rendered content by ensuring we escape non-wrapped content. GitHub has requested [CVE-2025-3246](https://www.cve.org/cverecord?id=CVE-2025-3246) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). 
+ bugs: + - | + For instances in a high availability configuration, because there was no Nomad job for the `aqueduct-lite` service on replica nodes, generating a support bundle from the command line on a replica would result in the erroneous error `ERROR: Failed to get elastomer index build progress` being reported. + - | + In very large enterprises, customers who made multiple API requests to get Dependabot alerts for their enterprise encountered performance issues with the GitHub API. + - | + In the commit author filter dropdown on the commit history page for a repository, users could not search for a specific author (such as `foo`) if their search query had already returned a similar username (such as `foobar`). + - | + Pruning unreachable Git objects on a single replica could cause increased CPU load due to many Git checksum recalculations. + - | + Various repository content API endpoints were unable to parse revisions containing invalid UTF-8 byte sequences, triggering `500 Internal Server Error` responses. + - | + The "Get allowed actions and reusable workflows" APIs for enterprises, organizations, and repositories did not include the `verified_allowed` response field. + - | + Using the "Update a secret scanning alert" REST API endpoint (`PATCH /repos/{owner}/{repo}/secret-scanning/alerts/{alert_number}`) to change the resolution and resolution comment for a closed alert would return a `422` error. + - | + In some cases during an upgrade, GitHub Advanced Security migration `DelegatedBypassConfigurationNotNil` failed. + - | + On an instance with GitHub Advanced Security and code scanning enabled, existing code scanning alerts that referenced other code failed to load after an upgrade. + changes: + - | + Upgrading using a hot patch package will fail if the Elasticsearch status is not green. To help prevent post-upgrade problems when the Elasticsearch status is red, usually in a high-availability configuration, a check has been added. 
+ - | + Merging a pull request using the "Rebase and merge" option is now limited to 100 commits. If you have a pull request with more than 100 commits, you need to either create a merge commit, squash and merge, or split the commits into multiple pull requests. + - | + The `spokesctl info` and `spokesctl repos` commands now also show wikis that are part of a network. + known_issues: + - | + Custom firewall rules are removed during the upgrade process. + - | + During the validation phase of a configuration run, a `No such object` error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start. + - | + If the root site administrator is locked out of the Management Console after failed login attempts, the account does not unlock automatically after the defined lockout time. Someone with administrative SSH access to the instance must unlock the account using the administrative shell. For more information, see "[AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console/troubleshooting-access-to-the-management-console#unlocking-the-root-site-administrator-account)." + - | + On an instance with the HTTP `X-Forwarded-For` header configured for use behind a load balancer, all client IP addresses in the instance's audit log erroneously appear as 127.0.0.1. + - | + {% data reusables.release-notes.large-adoc-files-issue %} + - | + Admin stats REST API endpoints may timeout on appliances with many users or repositories. Retrying the request until data is returned is advised. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. 
+ - | + Running a config apply as part of the steps for [Replacing a node in an emergency](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-a-node-in-an-emergency) may fail with errors if the node being replaced is still reachable. If this occurs, shutdown the node and repeat the steps. + - | + {% data reusables.release-notes.2024-06-possible-frontend-5-minute-outage-during-hotpatch-upgrade %} + - | + When restoring data originally backed up from a 3.13 or greater appliance version, the Elasticsearch indices need to be reindexed before some of the data will show up. This happens via a nightly scheduled job. It can also be forced by running `/usr/local/share/enterprise/ghe-es-search-repair`. + - | + An organization-level code scanning configuration page is displayed on instances that do not use GitHub Advanced Security or code scanning. + - | + When following the steps for [Replacing the primary MySQL node](/admin/monitoring-managing-and-updating-your-instance/configuring-clustering/replacing-a-cluster-node#replacing-the-primary-mysql-node), step 14 (running `ghe-cluster-config-apply`) might fail with errors. If this occurs, re-running `ghe-cluster-config-apply` is expected to succeed. + - | + When enabling automatic update checks for the first time in the Management Console, the status is not dynamically reflected until the "Updates" page is reloaded. + - | + When restoring from a backup snapshot, a large number of `mapper_parsing_exception` errors may be displayed. + - | + When initializing a new GHES cluster, nodes with the `consul-server` role should be added to the cluster before adding additional nodes. Adding all nodes simultaneously creates a race condition between nomad server registration and nomad client registration. 
+ - | + Admins setting up cluster high availability (HA) may encounter a spokes error when running `ghe-cluster-repl-status` if a new organization and repositories are created before using the `ghe-cluster-repl-bootstrap` command. To avoid this issue, complete the cluster HA setup with `ghe-cluster-repl-bootstrap` before creating new organizations and repositories. + - | + Some customers upgrading from 3.11.x or 3.12.x may experience a bug with the feature "Automatic update checks", filling the root disk with logs causing a system degradation. To prevent this, you can turn off the feature "[Enable automatic update check](/admin/upgrading-your-instance/preparing-to-upgrade/enabling-automatic-update-checks#enabling-automatic-update-checks)" in the management console. + - | + In a cluster, the host running restore requires access the storage nodes via their private IPs. + - | + On an instance hosted on Azure, commenting on an issue via email meant the comment was not added to the issue. + - | + After a restore, existing outside collaborators cannot be added to repositories in a new organization. This issue can be resolved by running `/usr/local/share/enterprise/ghe-es-search-repair` on the appliance. + - | + After a geo-replica is promoted to be a primary by running `ghe-repl-promote`, the actions workflow of a repository does not have any suggested workflows. + - | + Repository Cache Replicas return `Repository not found` when changes have been pushed to the Primary instance that have not yet synchronized to the Cache Replica. This issue can also occur in all previous patches of this release.
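Review bot: In data/release-notes/enterprise-server/3-13/14.yml, the new `changes` entry says the hot patch upgrade "will fail if the Elasticsearch status is not green" but then explains the check as preventing problems "when the Elasticsearch status is red"; "not green" also covers yellow (a normal state on a single node with replicas configured), so please say explicitly whether a yellow status blocks the hot patch, or change the first sentence to "is red". The same wording is repeated verbatim in the new 3-14/11.yml, 3-15/6.yml and 3-16/2.yml files, so fix it in all four.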
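Review bot: In data/release-notes/enterprise-server/3-14/11.yml, the `known_issues` list contains the "When following the steps for [Replacing the primary MySQL node] ... step 14 (running `ghe-cluster-config-apply`) might fail with errors" entry twice, once near the top of the list and again after the "organization-level code scanning configuration page" entry; drop the second copy. The same duplicate appears in the new 3-15/6.yml and 3-16/2.yml files. Style: "If this occurs, shutdown the node and repeat the steps" should read "shut down the node" (verb), and "Admin stats REST API endpoints may timeout" should read "may time out".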
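Review bot: In data/release-notes/enterprise-server/3-15/2.yml (hunk @@ -83,5) and 3-15/3.yml (hunk @@ -95,6), the removed line is a blank line inside a `|` block scalar, which in the rendered Markdown separated the two errata sentences into two paragraphs; after this change they render as one paragraph, so please confirm the merge is intended rather than a whitespace cleanup that changes layout. Removing the trailing bare `- ` item in 3.yml is correct, since a bare `- ` parses as a null list entry, and adding the missing final newline is welcome.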
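Review bot: In data/release-notes/enterprise-server/3-15/6.yml, the `bugs` entry "Pull requests notifications in Slack and Teams integrations did not strikethrough in the UI when approved" should read "Pull request notifications ... were not struck through in the UI when the pull request was approved"; as written it is ungrammatical and leaves unclear what was approved.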
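Review bot: In data/release-notes/enterprise-server/3-16/2.yml, the third `security_fixes` entry says "GitHub has requested [CVE-2025-3246](...)" whereas the first two say "GitHub has requested CVE ID: [CVE-2025-3509](...)" and "GitHub has requested CVE ID [CVE-2025-3124](...)"; please use one form ("GitHub has requested CVE ID [CVE-...]") for all three, and likewise align "**MEDIUM:**" with "**HIGH**:" on whether the colon sits inside the bold. Two typos in `known_issues`: "the host running restore requires access the storage nodes" is missing "to" before "the storage nodes", and the rebase-and-merge `changes` entry here ("create a merge commit, squash and merge, or split the commits into multiple pull requests") differs from the wording in the 3.13, 3.14 and 3.15 files ("either create a merge commit, or squash and merge, or split the commits up into multiple pull requests"); the 3.16 wording is cleaner, so use it in all four.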