This patch features a number of bugfixes, including some security fixes.
The GitHub Service Team will apply the upgrade at 5:00 PM EST on Monday, September 26th 2022.
The full changelog can be found in the GitHub Enterprise Release Notes.
Security Fixes
- HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.
- LOW: Granting a user the ability to bypass branch protections no longer allows the user to bypass the requirement for signature verification.
- Packages have been updated to the latest security versions.
Bug Fixes
- Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.
- After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.
- Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository’s default branch changed.
- When viewing a pull request’s diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.
- If branch protections were enabled, the
GITHUB_REF_PROTECTEDenvironment variable andgithub.ref_protectedcontexts for GitHub Actions workflow runs were incorrectly set asfalse.