The 2.22.3 patch includes a handful of security patches. Note that the Enterprise notes include mention of changes to GitHub Actions, which is not yet available in our Enterprise instance. More details on that will be coming soon
Security Fixes
- MEDIUM: High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS).
- LOW: Incorrect token validation resulted in a reduced entropy for matching tokens during authentication. Analysis shows that in practice there’s no significant security risk here.
- Packages have been updated to the latest security versions.
Bug Fixes
- Editing issues templates with filenames containing non-ASCII characters would fail with a “500 Internal Server Error”.
- A metric gathering method for background jobs increased CPU utilization. (updated 2020-11-03)
We will be applying the patch on November 9th at 5:00 PM EST.
See the complete upgrade notes at GitHub Enterprise: https://enterprise.github.com/releases//2.22.3/notes