GitHub Upgrade – 2.21.4

The 2.21.4 update is a security update, fixing a few critical security issues. Since it is a critical security patch, we are applying the patch off-schedule as soon as possible. There are issues with the patch, so GitHub has pulled the download and is working to fix the issues. We will be updating as soon as the patch issues are fixed by GitHub.

Security Fixes

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.
  • HIGH: High: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GHES instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance.
  • The error message for invalid authentication with a password via Git command line didn’t populate the URL linking to adding the appropriate token or SSH key.
  • Creating an issue on a user repository using the Issue Template feature could fail with an Internal Server Error.
  • Visiting the Explore section failed with a 500 Internal Server error.
  • GitHub Connect was using a deprecated API endpoint.
  • The 404 page contained contact and status links in the footer.

We will be applying the patch at 5:00 PM EST on August 12th.