GitHub Upgrade – 3.6.3/3.6.4

This upgrade includes both the 3.6.3 and 3.6.4 updates.

Because this patch contains high-severity security fixes, it is scheduled for upgrade as soon as possible.

The GitHub Service Team will apply the upgrade at 8:00 PM EST on Wednesday, November 23rd 2022.

The full changelog can be found in the GitHub Enterprise Release Notes.

Security Fixes

  • HIGH: Updated dependencies for the Management Console to the latest patch versions, which address security vulnerabilities including CVE-2022-30123 and CVE-2022-29181.
  • HIGH: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned CVE-2022-23738.
  • MEDIUM: Updated CommonMarker to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned CVE-2022-39209.
  • MEDIUM: Updated Redis to 5.0.14 to address CVE-2021-32672 and CVE-2021-32762.
  • MEDIUM: Updated GitHub Actions runners to fix a bug that allowed environment variables in GitHub Actions jobs to escape the context of the variable and modify the invocation of docker commands directly. For more information, see the Actions Runner security advisory.
  • LOW: Due to a CSRF vulnerability, a GET request to the instance’s site/toggle_site_admin_and_employee_status endpoint could toggle a user’s site administrator status without their knowledge.
  • HIGH: Added an extra check to harden against a path traversal bug that could lead to remote code execution in GitHub Pages builds on a GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This bug was originally reported via GitHub's Bug Bounty program and assigned CVE-2021-22870.
  • MEDIUM: Scoped user-to-server tokens from GitHub Apps could bypass authorization checks in GraphQL API requests when accessing non-repository resources. This vulnerability was reported via the GitHub Bug Bounty Program.
  • MEDIUM: Pull request preview links did not properly sanitize URLs, allowing a malicious user to embed dangerous links in the instance's web UI. This vulnerability was reported via the GitHub Bug Bounty program.
  • The Create or update file contents API now correctly enforces workflow scope. This vulnerability was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • When a user accessed a renamed repository using Git, the hostname in the Git output incorrectly indicated GitHub.com instead of the instance’s hostname.
  • When a user visited links to view history or suggest an improvement to the GitHub Advisory Database, the URLs were incorrect, resulting in a 404 error.
  • If a user installed a GitHub App for the user account and then converted the account into an organization, the app was not granted organization permissions.
  • If a GitHub Actions dependency uses a pinned SHA version, Dependabot will no longer mark the dependency as vulnerable.
  • After configuration of Dependabot and alert digest emails, the instance would send digest emails to suspended users.
  • The audit log timestamp for Dependabot alert events returned the creation date of the alert instead of the timestamp when a user took action on the alert.
  • If a user named a status check with leading or trailing spaces, the instance created a duplicate check if another check existed with the same name and no leading or trailing spaces.
  • If a user configured a pre-receive hook for multiple repositories, the instance's Hooks page would not always display the correct status for the hook.
  • In some cases, an instance could replace an active repository with a deleted repository.
  • Zombie processes no longer accumulate in the gitrpcd container.