GitHub Upgrade – 2.17.5/2.17.6

The 2.17.5 update is a small one, addressing a few minor bugs and security issues. None of the bug fixes affect our deployment of GitHub.

The 2.17.6 update is a medium-sized one, addressing a few minor bugs and high-severity security issues. The patch also reduces the amount of memory used by the appliance, which is nice.

Security Fixes

  • An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • GitHub App permissions could be incorrectly set by the user.
  • Packages have been updated to the latest security versions.
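
The first security fix above is a classic argument-injection bug: a user-controlled ref name that begins with "-" reaches a git command line and is parsed as an option instead of an operand. The following is an added illustration, not GitHub's code and not taken from the advisory, of the naive argv construction beside the hardened form. The sample ref names are constructed for the example; the subset of git-check-ref-format(1) rules encoded in validate_ref_name is an assumption, not the complete rule set.

```python
"""Hardening user-controlled ref names before they reach a git sub-command.

Added example (not GitHub Enterprise Server code). Two defences are shown:
reject option-shaped names outright, and terminate option parsing with "--"
so an operand can never be read as an option.
"""
import re
from typing import List

# Ref names constructed for this example; neither comes from a real report.
BENIGN_REF = "feature/login"
# "--output=<file>" is a documented option of git's diff family that opens
# <file> for writing, so a ref name shaped like this is the kind of input
# that becomes an unintended file write if it reaches option parsing.
OPTION_SHAPED_REF = "--output=/tmp/clobbered"

# Sequences git check-ref-format forbids in a ref (assumed subset; see
# git-check-ref-format(1) for the full list).
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|//")


def looks_like_option(name: str) -> bool:
    """True when git's option parser would treat NAME as an option."""
    return name.startswith("-")


def validate_ref_name(name: str) -> str:
    """Reject ref names git would refuse or that could be misparsed.

    Raises ValueError on rejection; returns NAME unchanged on success.
    """
    if not name or looks_like_option(name):
        raise ValueError(f"empty or option-shaped ref name rejected: {name!r}")
    if _FORBIDDEN.search(name) or name.endswith((".lock", "/", ".")):
        raise ValueError(f"ref name contains a forbidden sequence: {name!r}")
    for component in name.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            raise ValueError(f"bad ref component in {name!r}")
    return name


def is_accepted(name: str) -> bool:
    """Convenience predicate around validate_ref_name."""
    try:
        validate_ref_name(name)
    except ValueError:
        return False
    return True


def build_unsafe(subcmd: str, ref: str) -> List[str]:
    """Naive argv: the user-controlled ref sits where git scans for options."""
    return ["git", subcmd, ref]


def build_safe(subcmd: str, ref: str) -> List[str]:
    """Validated ref placed after '--', so git stops option parsing before it.

    '--' suffices for sub-commands that take the ref as an operand after it
    (branch, rev-parse, update-ref). For log/diff-style commands, where the
    revision precedes '--', validation is the defence that matters; git 2.24
    and later also accept --end-of-options for exactly this purpose.
    """
    return ["git", subcmd, "--", validate_ref_name(ref)]


def option_like_args(argv: List[str]) -> List[str]:
    """Simulate git's scan: which argv elements would reach option parsing?"""
    seen = []
    for arg in argv[2:]:          # skip "git" and the sub-command name
        if arg == "--":
            break                 # end of options; the rest are operands
        if arg.startswith("-"):
            seen.append(arg)
    return seen


if __name__ == "__main__":
    print("unsafe:", build_unsafe("log", OPTION_SHAPED_REF),
          "-> parsed as options:", option_like_args(build_unsafe("log", OPTION_SHAPED_REF)))
    print("safe:  ", build_safe("branch", BENIGN_REF),
          "-> parsed as options:", option_like_args(build_safe("branch", BENIGN_REF)))
    print("option-shaped ref accepted by validator?", is_accepted(OPTION_SHAPED_REF))
```

The check to carry away is the one in the second line of validate_ref_name: a ref name beginning with "-" should never be accepted from a user, regardless of whether the eventual command line uses "--", because not every git sub-command reads its operands after the separator.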

Notable Bug Fixes

  • The database wouldn’t automatically reconnect, which caused dependency graphs not to show on repositories.
  • When creating an organization, the name-availability check wouldn’t correctly display the organization’s URL.
  • GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails in certain circumstances.
  • GitHub app managers were able to access and manage applications for the organization after being removed from it.
  • Comparing OAuth Access Tokens returned 404 Not Found error.
  • Deleting a repository and its projects could delete other owned or accessible projects.

We will be applying the patch at 5:00 PM EST on Aug 16th.

https://sysnews.ncsu.edu/news/5d5416b7