GitHub Upgrade – 3.1.3

This is a high-severity security patch that addresses a vulnerability concerning GitHub Pages. It also includes some additional bug fixes and improvements.

Security Fixes:

  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance.

Bug Fixes:

  • The job that purged stale archived repositories could fail to make progress if some of those repositories were protected from deletion by legal holds.
  • Background jobs were being queued to the spam queue, where they were not being processed.
  • The preferred merge method would be reset when retrying after a failed PR merge.
  • Git pushes could result in a 500 Internal Server Error during the user reconciliation process on instances using LDAP authentication mode.
  • After upgrading from 3.0.x to 3.1.x, in some cases GitHub Actions would fail with the error "An unexpected error occurred when executing this workflow."

Changes:

  • Improved the efficiency of config apply by skipping IP allow firewall rules that had not changed, which saved significant time on large clusters.

We will be applying the patch on July 15th at 5:00 PM EST.

See the complete upgrade notes at GitHub Enterprise: https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.3