From d025160d0faaeecb43a9b33325c54b1dee7adce4 Mon Sep 17 00:00:00 2001 From: Mike Bailey Date: Tue, 15 Nov 2022 04:01:57 -0500 Subject: [PATCH] Security#5415 changelog additions (#32459) Co-authored-by: Matt Pollard Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com> --- data/release-notes/enterprise-server/3-3/16.yml | 6 ++++++ data/release-notes/enterprise-server/3-4/11.yml | 6 ++++++ data/release-notes/enterprise-server/3-5/8.yml | 6 ++++++ data/release-notes/enterprise-server/3-6/4.yml | 6 ++++++ 4 files changed, 24 insertions(+) create mode 100644 data/release-notes/enterprise-server/3-3/16.yml create mode 100644 data/release-notes/enterprise-server/3-4/11.yml create mode 100644 data/release-notes/enterprise-server/3-5/8.yml create mode 100644 data/release-notes/enterprise-server/3-6/4.yml diff --git a/data/release-notes/enterprise-server/3-3/16.yml b/data/release-notes/enterprise-server/3-3/16.yml new file mode 100644 index 000000000000..86d2f89bed48 --- /dev/null +++ b/data/release-notes/enterprise-server/3-3/16.yml @@ -0,0 +1,6 @@ +date: '2022-12-06' + +sections: + security_fixes: + - | + **HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on GitHub Enterprise Server. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870). diff --git a/data/release-notes/enterprise-server/3-4/11.yml b/data/release-notes/enterprise-server/3-4/11.yml new file mode 100644 index 000000000000..86d2f89bed48 --- /dev/null +++ b/data/release-notes/enterprise-server/3-4/11.yml 
@@ -0,0 +1,6 @@ +date: '2022-12-06' + +sections: + security_fixes: + - | + **HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on GitHub Enterprise Server. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870). diff --git a/data/release-notes/enterprise-server/3-5/8.yml b/data/release-notes/enterprise-server/3-5/8.yml new file mode 100644 index 000000000000..86d2f89bed48 --- /dev/null +++ b/data/release-notes/enterprise-server/3-5/8.yml @@ -0,0 +1,6 @@ +date: '2022-12-06' + +sections: + security_fixes: + - | + **HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on GitHub Enterprise Server. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870). diff --git a/data/release-notes/enterprise-server/3-6/4.yml b/data/release-notes/enterprise-server/3-6/4.yml new file mode 100644 index 000000000000..86d2f89bed48 --- /dev/null +++ b/data/release-notes/enterprise-server/3-6/4.yml 
@@ -0,0 +1,6 @@ +date: '2022-12-06' + +sections: + security_fixes: + - | + **HIGH**: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on GitHub Enterprise Server. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This bug was originally reported via GitHub's Bug Bounty program and assigned [CVE-2021-22870](https://nvd.nist.gov/vuln/detail/CVE-2021-22870).
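Review bot: The `security_fixes` entry added in each of the four files (3-3/16.yml, 3-4/11.yml, 3-5/8.yml, 3-6/4.yml) does not say whether this is a newly found bypass or defense in depth for an issue that was already addressed. It labels the item **HIGH** and cites CVE-2021-22870, an identifier from 2021, in a note dated '2022-12-06', and "Added an extra check to harden against" can be read either way. An administrator deciding how urgently to patch needs that distinction. Suggest one more sentence stating which case applies and, if the original fix shipped earlier, saying so. The precondition sentence ("an attacker would need permission to create and build a GitHub Pages site") is useful and should stay.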
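Review bot: All four new files have the same blob id (`index 000000000000..86d2f89bed48`), so the `date: '2022-12-06'` line and the note text are byte-identical across 3.3.16, 3.4.11, 3.5.8 and 3.6.4. Please confirm that one date is correct for all four patch releases, since the commit itself is dated 15 Nov 2022 and the value is set ahead of time. Because the text is duplicated rather than shared, any later wording correction to this entry has to be applied to all four files together to avoid the release notes drifting apart.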