GitHub Upgrade – 3.7.8

On Friday, March 24th beginning at 5:00 PM EST, we will be taking the service offline for an emergency upgrade to GitHub Enterprise 3.7.8. This patch includes several fixes to address reported CVEs.

The upgrade is expected to take no more than an hour to complete.

Security fixes

  • HIGH: Updated Git to include fixes from 2.39.2, which address CVE-2023-22490 and CVE-2023-23946.
  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program.

Bug fixes

  • On an instance with GitHub Actions enabled, nested calls to reusable workflows within a reusable workflow job with a matrix correctly evaluate contexts within expressions, like strategy: ${{ inputs.strategies }}.
  • After a user imported a repository with push protection enabled, the repository was not immediately visible in the security overviews “Security Coverage” view.
  • Responses from the /repositories REST API endpoint erroneously included deleted repositories.
  • If a repository contained a CODEOWNERS file with check annotations, pull requests “Files changed” tab returned a 500 error and displayed “Oops, something went wrong” in the “Unchanged files with check annotations” section.
  • On an instance with GitHub Actions enabled, if a user manually triggered a workflow using the REST API but did not specify values for optional booleans, the API failed to validate the request and returned a 422 error.

Some changes have been excluded from this changelog due to their relevance with the NC State GitHub Enterprise instance. A full changelog can be found in the GitHub Enterprise Release Notes.