3.2.3 fixes a security issue and bugs related to the 3.2.0 release, but otherwise includes no significant changes.
Some non-University-related changes were omitted from this changelog.
- A path traversal vulnerability was identified in GitHub Pages builds on GitHub Enterprise Server that could allow an attacker to read system files. To exploit this vulnerability, an attacker needed permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3, and was fixed in versions 3.0.19, 3.1.11, and 3.2.3. This vulnerability was reported through the GitHub Bug Bounty program and has been assigned CVE-2021-22870.
- Packages have been updated to the latest security versions.
- When a new tag was created, the push webhook payload did not display a correct head_commit object. Now, when a new tag is created, the push webhook payload always includes a head_commit object that contains the data of the commit that the new tag points to. As a result, the head_commit object will always contain the commit data of the payload’s
- A repository’s releases page would return a 500 error when viewing releases.
- Users were not warned about potentially dangerous bidirectional Unicode characters when viewing files. For more information, see “Warning about bidirectional Unicode text” in the GitHub Blog.
- Hookshot Go sent distribution type metrics that Collectd could not handle, which caused a ballooning of parsing errors.
- Public repositories displayed unexpected results from secret scanning with a type of
We will be applying the patch on November 11 at 5:30 PM EST.
See the complete upgrade notes at GitHub Enterprise: https://firstname.lastname@example.org/admin/release-notes#3.2.3