Added CVE and bounty program link in the release notes (#61424)

shilpakum · isaacmbrown · web-flow · commit 245833117191 · 2026-05-27T09:52:00.000Z
Co-authored-by: Isaac Brown &lt;101839405+isaacmbrown@users.noreply.github.com&gt;
diff --git a/data/release-notes/enterprise-server/3-16/19.yml b/data/release-notes/enterprise-server/3-16/19.yml
@@ -8,7 +8,7 @@ sections:
     - |
       **HIGH**: An attacker with local access to the instance could escalate privileges to root by exploiting the Dirty Frag Linux kernel vulnerabilities in the IPsec ESP and RxRPC networking subsystems. GitHub has requested [CVE-2026-43284](https://ubuntu.com/security/CVE-2026-43284) and [CVE-2026-43500](https://ubuntu.com/security/CVE-2026-43500) for these vulnerabilities.
     - |
-      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID CVE-2026-8606 for this vulnerability, which was reported via the GitHub Bug Bounty program.
+      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID [CVE-2026-8606](https://www.cve.org/cverecord?id=CVE-2026-8606) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
     - |
       Packages have been updated to the latest security versions.
   bugs:
diff --git a/data/release-notes/enterprise-server/3-17/16.yml b/data/release-notes/enterprise-server/3-17/16.yml
@@ -8,7 +8,7 @@ sections:
     - |
       **HIGH**: An attacker with local access to the instance could escalate privileges to root by exploiting the Dirty Frag Linux kernel vulnerabilities in the IPsec ESP and RxRPC networking subsystems. GitHub has requested [CVE-2026-43284](https://ubuntu.com/security/CVE-2026-43284) and [CVE-2026-43500](https://ubuntu.com/security/CVE-2026-43500) for these vulnerabilities.
     - |
-      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID CVE-2026-8606 for this vulnerability, which was reported via the GitHub Bug Bounty program.
+      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID [CVE-2026-8606](https://www.cve.org/cverecord?id=CVE-2026-8606) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
     - |
       Packages have been updated to the latest security versions.
   bugs:
diff --git a/data/release-notes/enterprise-server/3-18/10.yml b/data/release-notes/enterprise-server/3-18/10.yml
@@ -8,7 +8,7 @@ sections:
     - |
       **HIGH**: An attacker with local access to the instance could escalate privileges to root by exploiting the Dirty Frag Linux kernel vulnerabilities in the IPsec ESP and RxRPC networking subsystems. GitHub has requested [CVE-2026-43284](https://ubuntu.com/security/CVE-2026-43284) and [CVE-2026-43500](https://ubuntu.com/security/CVE-2026-43500) for these vulnerabilities.
     - |
-      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID CVE-2026-8606 for this vulnerability, which was reported via the GitHub Bug Bounty program.
+      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID [CVE-2026-8606](https://www.cve.org/cverecord?id=CVE-2026-8606) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
     - |
       Packages have been updated to the latest security versions.
   bugs:
diff --git a/data/release-notes/enterprise-server/3-19/7.yml b/data/release-notes/enterprise-server/3-19/7.yml
@@ -8,7 +8,7 @@ sections:
     - |
       **HIGH**: An attacker with local access to the instance could escalate privileges to root by exploiting the Dirty Frag Linux kernel vulnerabilities in the IPsec ESP and RxRPC networking subsystems. GitHub has requested [CVE-2026-43284](https://ubuntu.com/security/CVE-2026-43284) and [CVE-2026-43500](https://ubuntu.com/security/CVE-2026-43500) for these vulnerabilities.
     - |
-      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID CVE-2026-8606 for this vulnerability, which was reported via the GitHub Bug Bounty program.
+      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID [CVE-2026-8606](https://www.cve.org/cverecord?id=CVE-2026-8606) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
     - |
       Packages have been updated to the latest security versions.
   bugs:
diff --git a/data/release-notes/enterprise-server/3-20/3.yml b/data/release-notes/enterprise-server/3-20/3.yml
@@ -8,7 +8,7 @@ sections:
     - |
       **HIGH**: An attacker with local access to the instance could escalate privileges to root by exploiting the Dirty Frag Linux kernel vulnerabilities in the IPsec ESP and RxRPC networking subsystems. GitHub has requested [CVE-2026-43284](https://ubuntu.com/security/CVE-2026-43284) and [CVE-2026-43500](https://ubuntu.com/security/CVE-2026-43500) for these vulnerabilities.
     - |
-      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID CVE-2026-8606 for this vulnerability, which was reported via the GitHub Bug Bounty program.
+      **HIGH**: An attacker could extract sensitive environment variables from a GitHub Enterprise Server instance through a timing side-channel attack against the security advisories package lookup feature. On instances with GitHub Packages enabled, the package URL endpoint did not validate the supplied package name, enabling a Server-Side Request Forgery (SSRF) to internal services. This required no authentication when private mode was disabled, or any authenticated user otherwise. To mitigate this issue, GitHub removed the affected endpoint from GitHub Enterprise Server. GitHub has requested CVE ID [CVE-2026-8606](https://www.cve.org/cverecord?id=CVE-2026-8606) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
     - |
       Packages have been updated to the latest security versions.
   bugs:
