GitHub Upgrade – 3.2.3

3.2.3 contains one security fix and several bug fixes for the 3.2.0 release, but otherwise includes no significant changes.

Some non-University related changes were omitted from this changelog.

Security Fixes:

  • A path traversal vulnerability was identified in GitHub Pages builds on GitHub Enterprise Server that could allow an attacker to read system files. To exploit this vulnerability, an attacker needed permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3, and was fixed in versions 3.0.19, 3.1.11, and 3.2.3. This vulnerability was reported through the GitHub Bug Bounty program and has been assigned CVE-2021-22870.
  • Packages have been updated to the latest security versions.

Bug Fixes:

  • When a new tag was created, the push webhook payload did not include a correct head_commit object. Now, when a new tag is created, the push webhook payload always includes a head_commit object containing the data of the commit the tag points to. As a result, the head_commit object always contains the commit data of the payload’s after commit.
  • A repository’s releases page would return a 500 error when viewing releases.
  • Users were not warned about potentially dangerous bidirectional unicode characters when viewing files. For more information, see “Warning about bidirectional Unicode text” in the GitHub Blog.
  • Hookshot Go sent distribution type metrics that Collectd could not handle, which caused a ballooning of parsing errors.
  • Public repositories displayed unexpected results from secret scanning with a type of Unknown Token.
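The head_commit fix above matters to anything that consumes push webhooks for tag creation. The following Python is an added example written for this page (not GitHub's code and not part of the release notes) showing how a receiver can verify the X-Hub-Signature-256 header, then for a tag-creating push use head_commit and cross-check it against the payload's after field, refusing to guess when head_commit is missing as it could be before 3.2.3. The secret and the two payloads are constructed for the example and trimmed to the fields the check uses.

```python
import hashlib
import hmac
import json

# Constructed secret for the example; a real receiver reads it from config.
WEBHOOK_SECRET = b"example-webhook-secret"


def sign(secret, body):
    """Build the value GitHub sends in X-Hub-Signature-256 for a raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret, body, header):
    """Constant-time check of the X-Hub-Signature-256 header against the raw body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def tagged_commit(payload):
    """For a push that creates a tag, return the head_commit the tag points to.

    On 3.2.3 and later head_commit is always present and matches 'after'.
    On an older instance it may be missing; raise instead of guessing so the
    caller can fetch the commit by 'after' through the API instead.
    """
    ref = payload.get("ref", "")
    if not ref.startswith("refs/tags/") or not payload.get("created"):
        return None  # not a tag-creation push; nothing to do here
    head = payload.get("head_commit")
    after = payload.get("after")
    if not head:
        raise ValueError("no head_commit in tag push for %s (after=%s)" % (ref, after))
    if head.get("id") != after:
        raise ValueError("head_commit.id %s does not match after %s" % (head.get("id"), after))
    return head


def handle_push(secret, body, signature_header):
    """Verify, parse and extract the tagged commit; returns (status, detail)."""
    if not verify_signature(secret, body, signature_header):
        return ("rejected", "bad signature")
    payload = json.loads(body)
    try:
        head = tagged_commit(payload)
    except ValueError as exc:
        return ("inconsistent", str(exc))
    if head is None:
        return ("ignored", payload.get("ref"))
    return ("tagged", head["id"])


# Constructed payloads: the post-3.2.3 shape and the pre-3.2.3 shape.
FIXED_PAYLOAD = json.dumps({
    "ref": "refs/tags/v1.0.0", "created": True,
    "before": "0" * 40, "after": "a" * 40,
    "head_commit": {"id": "a" * 40, "message": "release v1.0.0"},
}).encode()

BUGGY_PAYLOAD = json.dumps({
    "ref": "refs/tags/v1.0.0", "created": True,
    "before": "0" * 40, "after": "a" * 40,
    "head_commit": None,
}).encode()

if __name__ == "__main__":
    for body in (FIXED_PAYLOAD, BUGGY_PAYLOAD):
        print(handle_push(WEBHOOK_SECRET, body, sign(WEBHOOK_SECRET, body)))
```

The signature check runs over the raw request bytes, before JSON parsing, so that a body which parses the same but hashes differently is still rejected.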

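The bidirectional Unicode warning above is something you can reproduce locally before code reaches the server. The following Python is an added example written for this page (not GitHub's implementation) that scans text for the Unicode bidi control characters the warning is about (U+202A to U+202E and U+2066 to U+2069) and reports where they sit. The sample file is constructed: a comment that renders as harmless text but contains a right-to-left override and isolates.

```python
import sys
import unicodedata

# Bidi classes of the formatting characters that can make rendered source
# differ from what the compiler parses: embeddings, overrides and isolates.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}


def find_bidi_controls(text):
    """Return [(line, column, class)] for every bidi control character in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cls = unicodedata.bidirectional(ch)
            if cls in BIDI_CONTROL_CLASSES:
                hits.append((line_no, col, cls))
    return hits


def is_clean(text):
    """True when the text contains no bidi control characters at all."""
    return not find_bidi_controls(text)


def report(name, text):
    """Human-readable warning in the spirit of the GitHub file-view banner."""
    hits = find_bidi_controls(text)
    if not hits:
        return "%s: no bidirectional control characters" % name
    lines = ["%s: %d bidirectional control character(s)" % (name, len(hits))]
    for line_no, col, cls in hits:
        lines.append("  line %d col %d: %s (U+%04X)" % (line_no, col, cls, _codepoint_for(text, line_no, col)))
    return "\n".join(lines)


def _codepoint_for(text, line_no, col):
    return ord(text.splitlines()[line_no - 1][col - 1])


# Constructed sample: line 4 starts a comment with RLO so that, rendered,
# the closing brace and admin check appear to be live code.
SAMPLE = (
    "def check(user):\n"
    "    if user.is_admin:\n"
    "        return \"ok\"\n"
    "    #\u202e } \u2066 if is_admin \u2069 \u2066 begin admins only\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(report(path, fh.read()))
    else:
        print(report("sample.py", SAMPLE))
```

Run it with file paths as arguments to scan real files, or with no arguments to see the constructed sample flagged; wiring it into a pre-commit hook gives the same signal before a file is ever viewed on the server.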
We will be applying the patch on November 11 at 5:30 PM EST.

See the complete upgrade notes at GitHub Enterprise: https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.3