GitHub Upgrade – 3.10.3

On Monday, November 6 at 5PM, we will take the GitHub service offline to apply an update that addresses a security vulnerability announced by the GitHub Enterprise team. During this time, no one will be able to access the service, either through the web interface or through a git client.

Any questions regarding this upgrade should be directed to github@help.ncsu.edu. We have allowed two hours to complete this upgrade; if that changes, we will post an update to the service status on the IT Service Portal, which you can follow.

Some changes that are not relevant to our GHE instance have been omitted below, but the complete changelog can be found in GitHub Enterprise’s Release Notes.

Security fixes

  • HIGH: Due to an incorrect permission assignment for some configuration files, an attacker with access to a local operating system user account could read MySQL connection details including the MySQL password. GitHub has requested CVE ID CVE-2023-23767 for this vulnerability.
  • Packages have been updated to the latest security versions.

Bug fixes

  • Authentication of programmatic access tokens did not fully validate the status of the token’s user, which allowed token authentication requests to succeed even if the associated user was not allowed to make such requests. This issue is unrelated to validation of token scope.
  • On an instance with a GitHub Advanced Security license, repositories within organizations created using the + dropdown menu did not have GitHub Advanced Security features enabled automatically, even if the features should have been enabled.
  • On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns.

Changes

  • As a security measure, GitHub Pages does not build sites that contain symbolic links except when using custom GitHub Actions workflows. This change strengthens GitHub Pages’s symbolic link detection.