From 98fd6223c93aa9e4230f8bad39a08f0e101ef81b Mon Sep 17 00:00:00 2001 From: Shilpa Kumari <82128924+shilpakum@users.noreply.github.com> Date: Tue, 11 Nov 2025 01:51:36 -0800 Subject: [PATCH 1/3] Update security fixes in release notes (#58439) Co-authored-by: mchammer01 <42146119+mchammer01@users.noreply.github.com> --- data/release-notes/enterprise-server/3-14/19.yml | 2 -- data/release-notes/enterprise-server/3-15/14.yml | 2 -- data/release-notes/enterprise-server/3-16/10.yml | 2 -- data/release-notes/enterprise-server/3-17/7.yml | 2 -- data/release-notes/enterprise-server/3-18/1.yml | 2 -- 5 files changed, 10 deletions(-) diff --git a/data/release-notes/enterprise-server/3-14/19.yml b/data/release-notes/enterprise-server/3-14/19.yml index 2fa2ac44e1c3..053051930c1a 100644 --- a/data/release-notes/enterprise-server/3-14/19.yml +++ b/data/release-notes/enterprise-server/3-14/19.yml 
@@ -3,8 +3,6 @@ sections: security_fixes: - | **CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks. - - | - **HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program. - | **HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | diff --git a/data/release-notes/enterprise-server/3-15/14.yml b/data/release-notes/enterprise-server/3-15/14.yml index 7e8b7ce52c6e..7b3cf404675f 100644 --- a/data/release-notes/enterprise-server/3-15/14.yml +++ b/data/release-notes/enterprise-server/3-15/14.yml 
@@ -3,8 +3,6 @@ sections: security_fixes: - | **CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks. - - | - **HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program. - | **HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | diff --git a/data/release-notes/enterprise-server/3-16/10.yml b/data/release-notes/enterprise-server/3-16/10.yml index 701c3cbfafc3..0544b5569c14 100644 --- a/data/release-notes/enterprise-server/3-16/10.yml +++ b/data/release-notes/enterprise-server/3-16/10.yml 
@@ -3,8 +3,6 @@ sections: security_fixes: - | **CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks. - - | - **HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program. - | **HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | diff --git a/data/release-notes/enterprise-server/3-17/7.yml b/data/release-notes/enterprise-server/3-17/7.yml index 3ed940e5fb20..ca274d4f3e80 100644 --- a/data/release-notes/enterprise-server/3-17/7.yml +++ b/data/release-notes/enterprise-server/3-17/7.yml 
@@ -3,8 +3,6 @@ sections: security_fixes: - | **CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks. - - | - **HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program. - | **HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | diff --git a/data/release-notes/enterprise-server/3-18/1.yml b/data/release-notes/enterprise-server/3-18/1.yml index fe55f4526551..112fab8c4cde 100644 --- a/data/release-notes/enterprise-server/3-18/1.yml +++ b/data/release-notes/enterprise-server/3-18/1.yml 
@@ -3,8 +3,6 @@ sections: security_fixes: - | **CRITICAL:** Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell). Administrators should apply this update promptly to mitigate potential security risks. - - | - **HIGH:** A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access. The exploit used a symlink escape in pre-receive hook environments. An attacker could craft a malicious repository and environment to replace system binaries during hook cleanup. This allowed them to execute a payload that added their SSH key to the root user's authorized keys, granting root SSH access. The attacker needed enterprise admin privileges to exploit this vulnerability. This has been assigned CVE-2025-11578 and was reported through the GitHub Bug Bounty program. - | **HIGH:** An attacker could execute arbitrary code in the context of other users' browsers by supplying a malicious `label:` value that was injected into the DOM without proper sanitization. This could be triggered when a user visits a crafted Issues search URL, enabling session hijacking, account takeover, and recovery code exfiltration. GitHub has requested CVE ID [CVE-2025-11892](https://www.cve.org/cverecord?id=CVE-2025-11892) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | From 25caa171676accda2b331919a05738dd41c3261d Mon Sep 17 00:00:00 2001 From: Courtney Webster <60238438+cwebster-99@users.noreply.github.com> Date: Tue, 11 Nov 2025 04:27:43 -0600 Subject: [PATCH 2/3] Updating VS Code MCP allow list support (#58409) Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> --- .../how-tos/administer-copilot/configure-mcp-server-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/copilot/how-tos/administer-copilot/configure-mcp-server-access.md b/content/copilot/how-tos/administer-copilot/configure-mcp-server-access.md index bf00998c76fa..b2a16db071b4 100644 --- a/content/copilot/how-tos/administer-copilot/configure-mcp-server-access.md +++ b/content/copilot/how-tos/administer-copilot/configure-mcp-server-access.md @@ -86,7 +86,7 @@ When an enterprise lets child organizations configure their own MCP policies, ea | Eclipse | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | JetBrains | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.product.prodname_vs %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | -| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | +| {% data variables.product.prodname_vscode_shortname %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | {% data variables.product.prodname_vscode_shortname %} Insiders | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | | Xcode | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | From 5615f677e696375636585e5eda5dccf18d2d7b68 Mon Sep 17 00:00:00 2001 From: Kensuke Nagae Date: Tue, 11 Nov 2025 20:28:56 +0900 Subject: [PATCH 3/3] Clarify draft PRs and autolink references unavailable in release notes (#58445) Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> --- data/release-notes/enterprise-server/3-14/17.yml | 2 +- data/release-notes/enterprise-server/3-15/12.yml | 2 +- data/release-notes/enterprise-server/3-16/8.yml | 2 +- data/release-notes/enterprise-server/3-17/5.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/data/release-notes/enterprise-server/3-14/17.yml b/data/release-notes/enterprise-server/3-14/17.yml index 8bc2d05017ee..951b432357fd 100644 --- a/data/release-notes/enterprise-server/3-14/17.yml +++ b/data/release-notes/enterprise-server/3-14/17.yml @@ -11,7 +11,7 @@ sections: - | After enabling GitHub Actions or performing an upgrade with GitHub Actions enabled, administrators experienced a delay of approximately 10 minutes longer than they should have due to a faulty connection check. This is fixed for future enablement and upgrades. - | - After upgrading to GHES 3.14.16, GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available. + After upgrading to GHES 3.14.16, GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11] changes: - | When administrators run the `ghe-support-bundle` command on an unconfigured node, the output clearly states that metadata collection was skipped, instead of producing misleading `curl` errors. This improves the clarity of support bundle diagnostics. diff --git a/data/release-notes/enterprise-server/3-15/12.yml b/data/release-notes/enterprise-server/3-15/12.yml index 09d015d99b4a..9437c6a31077 100644 --- a/data/release-notes/enterprise-server/3-15/12.yml +++ b/data/release-notes/enterprise-server/3-15/12.yml 
@@ -27,7 +27,7 @@ sections: - | Site administrators observed that uploading a license failed to restart GitHub services after upgrading GitHub Enterprise Server due to file permission issues in `/var/log/license-upgrade`. - | - After upgrading to GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available. + After upgrading to GHES 3.15.11, GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11] changes: - | When administrators run the `ghe-support-bundle` command on an unconfigured node, the output clearly states that metadata collection was skipped, instead of producing misleading `curl` errors. This improves the clarity of support bundle diagnostics. diff --git a/data/release-notes/enterprise-server/3-16/8.yml b/data/release-notes/enterprise-server/3-16/8.yml index 4bef2029d948..68149a886079 100644 --- a/data/release-notes/enterprise-server/3-16/8.yml +++ b/data/release-notes/enterprise-server/3-16/8.yml @@ -27,7 +27,7 @@ sections: - | Administrators debugging Elasticsearch index repairs previously did not see a "starting" log entry before a repair began, making it harder to track repair initiation in logs. - | - After upgrading to GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available. + After upgrading to GHES 3.16.7, or GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11] - | Site administrators experienced crashes in MySQL when running data backfills, such as during database maintenance or upgrades. changes: diff --git a/data/release-notes/enterprise-server/3-17/5.yml b/data/release-notes/enterprise-server/3-17/5.yml index f2462e0cbfdb..c37f1458f97d 100644 
--- a/data/release-notes/enterprise-server/3-17/5.yml +++ b/data/release-notes/enterprise-server/3-17/5.yml @@ -35,7 +35,7 @@ sections: - | Audit log entries for some Dependabot-related events were missing for administrators and security teams due to an outdated allowlist configuration. - | - After upgrading to GHES 3.17.4, administrators found that draft pull requests for private repositories were no longer available. + After upgrading to GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11] - | Site administrators experienced crashes in MySQL when running data backfills, such as during database maintenance or upgrades. changes:
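Review bot: the five identical hunks of [PATCH 1/3] (3-14/19.yml, 3-15/14.yml, 3-16/10.yml, 3-17/7.yml, 3-18/1.yml) delete the CVE-2025-11578 privilege-escalation entry from an already published `security_fixes` list, but neither the commit message nor the files say why, and the deletion carries no `[Updated: YYYY-MM-DD]` marker even though [PATCH 3/3] in the same series shows that marker is the convention for amending a published note. State the reason in the commit message (entry withdrawn, duplicated, or moved to another release) and append the marker to the affected list so readers who saw the earlier version can tell it changed. Minor, on the unchanged context lines: the surviving **CRITICAL** Redis entry cites `CVE-2025-49844` as plain text while the entry right after it links its CVE to cve.org; linking both the same way keeps the list consistent.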
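Review bot: the single hunk in configure-mcp-server-access.md ([PATCH 2/3]) flips the second support column for `{% data variables.product.prodname_vscode_shortname %}` from `x` to `check`, making the row identical to the Insiders row beneath it, but nothing in the hunk or the commit message records the minimum VS Code release in which the MCP allow list is actually enforced; an admin reading the matrix will assume every installed VS Code honors the policy. Suggest naming that version, either in the row itself or in the prose above the table, and repeating it in the PR description so the policy change can be verified against deployed client versions.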
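Review bot: in the 3-16/8.yml hunk of [PATCH 3/3], the rewritten `+` line keeps the stray comma in `After upgrading to GHES 3.16.7, or GHES 3.17.4`; with only two items it reads as a leftover from the longer lists in the 3-14 and 3-15 notes, and since the line is already being changed this is the moment to drop it: `After upgrading to GHES 3.16.7 or GHES 3.17.4, administrators found that draft pull requests and autolink references for private repositories were no longer available. [Updated: 2025-11-11]`.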