GitHub Upgrade – 3.6.2

This patch features a number of bugfixes, including some security fixes.

The GitHub Service Team will apply the upgrade at 5:00 PM EST on Monday, September 26th 2022.

The full changelog can be found in the GitHub Enterprise Release Notes.

Security Fixes

  • HIGH: A GitHub App could use a scoped user-to-server token to bypass user authorization logic and escalate privileges.
  • LOW: Granting a user the ability to bypass branch protections no longer allows the user to bypass the requirement for signature verification.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Git clones or fetches over SSH could experience data corruption for transfers over 1GB in size.
  • After successful configuration of Dependabot and alert digest emails, the instance would not send digest emails.
  • Manually disabled GitHub Actions workflows in a repository were re-enabled if the repository received a push containing more than 2048 commits, or if the repository’s default branch changed.
  • When viewing a pull request’s diff for a large file with many lines between changes, it was not possible to expand the view to display all of the changes.
  • If branch protections were enabled, the GITHUB_REF_PROTECTED environment variable and github.ref_protected contexts for GitHub Actions workflow runs were incorrectly set as false.