Because this patch contains high-severity security fixes, it is scheduled to be applied as soon as possible.
The GitHub Service Team will apply the upgrade at 5:00 PM EST on Wednesday, December 14th, 2022.
The full changelog can be found in the GitHub Enterprise Release Notes.
Security Fixes
- HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46256.
Bug Fixes
- When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
- In some cases, searches via the API returned a 500 error.
- Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a 500 error.
- In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
- Dismissing a Dependabot alert that contained certain characters could result in a 400 error.
- After a user's account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
- A GHES log file could fill very quickly and cause the root drive to run out of free space.
- When viewing code scanning results for Ruby, an erroneous beta label appeared.
Changes
- After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.
- A user’s list of recently accessed repositories no longer includes deleted repositories.