GitHub Upgrade – 2.16.4

The 2.16.4 update is a critical security update, targeting a CVE in the rails application that allows specially crafted requests to read arbitrary files from the server. 

Due to the important nature of this patch, we are applying the upgrade off-schedule at the end of the day. We apologize for the inconvenience. 

Notable Bug Fixes

  • CRITICAL issue was identified in Rails that allows an attacker to send a specially crafted request that could allow arbitrary files to be read and the file content to be disclosed.
  • In rare circumstances, a race condition could lead to repository data loss if an automated background maintenance job was triggered during a configuration update.
  • Files couldn’t be deleted via the web editor.
  • A race condition during git operations sometimes caused the default branch to be assigned incorrectly.

We will be applying the patch at 5:00 PM EST on March 13.