GitHub Upgrade – 3.5.4

This upgrade consists primarily of security fixes, addressing CVE-2022-34169 and a bug identified through the GitHub Bug Bounty Program.

The GitHub Service Team will apply the upgrade at 5:00 PM EST on Wednesday, August 17th, 2022.

Security Fixes

  • CRITICAL: GitHub Enterprise Server’s Elasticsearch container used a version of OpenJDK 8 that was vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The vulnerability is tracked as CVE-2022-34169.
  • HIGH: Previously installed apps on user accounts were automatically granted permission to access an organization on scoped access tokens after the user account was transformed into an organization account. This vulnerability was reported via the GitHub Bug Bounty program.
  • Fixes the overlap of floating UI elements on the Pull Request Files tab that was introduced in a previous change.
  • When a custom dormancy threshold was set for the instance, suspending all dormant users did not reliably respect the threshold. For more information about dormancy, see “Managing dormant users.”
  • When calculating committers for GitHub Advanced Security, it was not possible to specify individual repositories. For more information, see “Site admin dashboard.”
  • The script for migration to internal repositories failed to convert the visibility for public repositories to internal or private. For more information about the migration, see “Migrating to internal repositories.”
  • Detection of GitHub Actions workflow files for the dependency graph was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see “About the dependency graph.”
  • The ability to reopen dismissed Dependabot alerts was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see “Viewing and updating Dependabot alerts.”
  • The ability to always suggest updates from the base branch to a pull request’s HEAD was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see “Managing suggestions to update pull request branches.”
  • The light high contrast theme was unavailable in GitHub Enterprise Server 3.5.0, 3.5.1, 3.5.2, and 3.5.3, but is now available in 3.5.4. For more information, see “Managing your theme settings.”

This changelog is not exhaustive. A full list of changes included in this hotpatch can be found here: https://docs.github.com/en/enterprise-server@3.5/admin/release-notes#3.5.4