The 2.17.5 update is a small update, targeting a few minor bugs and security patches. None of the bug fixes affect our deployment of GitHub.
The 2.17.6 update is a medium update, targeting a few minor bugs and high level security patches. The patch also reduces the amount of memory used by the appliance, which is nice.
- An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
- GitHub App permissions could be incorrectly set by the user.
- Packages have been updated to the latest security versions.
Notable Bug Fixes
- The database wouldn’t automatically reconnect, which caused dependency graphs not to show on repositories.
- When creating an organization, name availability check wouldn’t correctly display its URL.
- GitHub Enterprise Server was incorrectly using
firstname.lastname@example.org the sender of notification emails in certain circumstances.
- GitHub app managers were able to access and manage applications for the organization after being removed from it.
- Comparing OAuth Access Tokens returned 404 Not Found error.
- Deleting a repository and its projects could delete other owned or accessible projects.
We will be applying the patch at 5:00 PM EST on Aug 16th.