This upgrade includes the 3.3.5 security patch, as well as the prior two patches: 3.3.3 and 3.3.4
Note that this is an off-schedule upgrade to apply a high level security patch.
- HIGH: An integer overflow vulnerability was identified in GitHub’s markdown parser that could potentially lead to information leaks and RCE. This vulnerability was reported through the GitHub Bug Bounty program by Felix Wilhelm of Google’s Project Zero and has been assigned CVE-2022-24724.
- It was possible for a user to register a user or organization named “saml”.
- Packages have been updated to the latest security versions.
- OAuth Applications created after September 1st, 2020 were not able to use the Check an Authorization API endpoint.
- A number of select menus across the site rendered incorrectly and were not functional.
- Pages would become unavailable following a MySQL secret rotation until
nginxwas manually restarted.
- Webhook table cleanup jobs could run simultaneously, causing resource contention and increasing job run time.
- The ability to limit email-based notifications to users with emails on a verified or approved domain did not work correctly.
The update will be applied Friday March 4th , 2022 at 5:30PM.
See the complete upgrade notes at GitHub Enterprise: