This upgrade brings a security fix for Log4j from 3.2.6 and a few bug fixes from 3.2.5.
- A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open-source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, please see this post on the GitHub Blog.
- Support bundles could include sensitive files if they met a specific set of conditions.
- GraphQL requests did not set the GITHUB_USER_IP variable in pre-receive hook environments.
We will be applying the patch on December 14th at 5:30 PM EST.
See the complete upgrade notes at GitHub Enterprise: https://firstname.lastname@example.org/admin/release-notes#3.2.6