GitHub Upgrade – 3.7.6

Today, Feb 17th, beginning at 5:00 PM EST, we will be taking the github.ncsu.edu service offline for an upgrade to GitHub Enterprise Server 3.7.6. This is an emergency upgrade to apply high-severity security fixes, including two Git CVEs that the previous release did not address.

Security Fixes

  • HIGH: Updated Git to include fixes from 2.39.2, which address CVE-2023-22490 (a crafted repository could trick a local clone into including arbitrary files from the victim's filesystem) and CVE-2023-23946 (git apply could be tricked into writing outside the working tree through a symbolic link).
  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program.
  • Packages have been updated to the latest security versions.
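The two Git CVEs above are primarily client-side bugs (the clone and git apply commands run on the user's machine), so upgrading the server does not patch users' own Git installations. The script below is an added example, not part of this notice or anything GitHub or NCSU ships: it checks a "git --version" string against the patched releases Git published on 2023-02-14, which were 2.39.2 plus backports to the 2.30 through 2.38 maintenance lines, and treats every later line (2.40 and up) as already fixed. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the NCSU notice or from GitHub): decide whether a
# Git client version carries the CVE-2023-22490 / CVE-2023-23946 fixes.
# Git's 2023-02-14 release fixed them in 2.39.2 and backported them to
# 2.30.8, 2.31.7, 2.32.6, 2.33.6, 2.34.6, 2.35.6, 2.36.4, 2.37.6 and 2.38.4.
# Lines older than 2.30 received no fixed release.

# Lowest patched version on a given major.minor line; empty if none exists.
patched_for_line() {
  case "$1" in
    2.30) echo 2.30.8 ;;
    2.31) echo 2.31.7 ;;
    2.32) echo 2.32.6 ;;
    2.33) echo 2.33.6 ;;
    2.34) echo 2.34.6 ;;
    2.35) echo 2.35.6 ;;
    2.36) echo 2.36.4 ;;
    2.37) echo 2.37.6 ;;
    2.38) echo 2.38.4 ;;
    2.39) echo 2.39.2 ;;
    *)    echo "" ;;
  esac
}

# git_is_patched VERSION -> exit 0 if VERSION includes the fixes, 1 if not.
# VERSION is "X.Y.Z" or "X.Y.Z.suffix" as printed by `git --version`
# (for example "2.39.2.windows.1"); only the first three numeric fields count.
git_is_patched() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
  [ -n "$major" ] && [ -n "$minor" ] || return 1
  [ -n "$patch" ] || patch=0

  # Every release line from 2.40 onward was cut after the fix landed.
  if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 40 ]; }; then
    return 0
  fi

  fixed=$(patched_for_line "$major.$minor")
  [ -n "$fixed" ] || return 1     # unsupported line: no fixed release exists
  fixed_patch=$(printf '%s' "$fixed" | cut -d. -f3)
  [ "$patch" -ge "$fixed_patch" ]
}

# Report on the Git client installed on this machine, if any.
check_local_git() {
  command -v git >/dev/null 2>&1 || { echo "git is not installed"; return 2; }
  v=$(git --version | awk '{print $3}')
  if git_is_patched "$v"; then
    echo "git $v: includes the 2023-02-14 security fixes"
  else
    echo "git $v: update to 2.39.2 or a patched backport on your release line"
    return 1
  fi
}
```

Run check_local_git on each workstation that clones from the instance; the version table is the place to extend the check if your fleet pins an older maintenance line.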

Changes

  • When the Dependency submission REST API receives a submission in which one or more dependencies have no version, the dependency graph now reports those dependencies correctly.

Bug Fixes

  • When using a VPC endpoint URL as an AWS S3 URL for GitHub Packages, publication and installation of packages failed.

See GitHub Enterprise Release Notes for an exhaustive list of the included changes, including those omitted here for brevity.