GitHub Upgrade – 3.11.3

On Monday, January 22nd at 5:00 PM EST, the GitHub Service Team will be taking the NC State GitHub Enterprise service offline for an upgrade to version 3.11.3.

During the outage no one will be able to login or interact with the service in any way. We do not expect the upgrade to take more than the scheduled period. In the event that more time is needed, we will update this status.

This changelog is not exhaustive. To view a complete list of changes in this upgrade, please see the GitHub Enterprise 3.11 release notes.

Features

  • Authentication
  • Audit logs
  • Dependabot
    • For developers who manage Node.js dependencies using the pnpm package manager, pnpm is fully supported by dependency graph, Dependabot alerts, and Dependabot security updates. For more information about securing your supply chain with Dependabot, see “Keeping your supply chain secure with Dependabot.”
    • Developers can enforce policies related to vulnerabilities and licenses in pull requests for complex ecosystems with transitive dependencies like Gradle and Scala. Dependency review supports dependencies from the dependency submission API. For more information, see the following articles.
    • To control how Dependabot structures pull requests and improve mergeability, users can implement flexible grouping options in dependabot.yml. You can also control Dependabot’s behavior for groups using comment commands. For more information, see “Configuration options for the dependabot.yml file” and “Managing pull requests for dependency updates.”
    • Dependabot can open pull requests for Swift and Gradle dependencies.
      • Users can also configure scheduled updates for Swift dependencies using dependabot.yml.
      • If users have used the REST API for dependency submission to upload Gradle dependencies to the dependency graph and receive Dependabot alerts for those dependencies, Dependabot will try to open a pull request to resolve those alerts if security updates are enabled for the repository.
      For more information, see “Configuring Dependabot security updates.”
    • Responses from REST API endpoints for repositories display whether Dependabot security updates are enabled or disabled. Users can also enable or disable security updates for a repository using the REST API. For more information, see “Repositories” in the REST API documentation.
  • Code security
    • To assess risks to code security and ensure adoption of features to improve code security, the “Security risk” and “Security coverage” pages for organizations and the entire instance are generally available. Additionally, the alert-centric pages for Dependabot, code scanning, and secret scanning are also now generally available. For more information, see “Assessing your code security risk” and “Assessing adoption of code security features.”
    • Users can take advantage of the GitHub Advisory Database using the REST API. The Advisory Database is a free, open-source list of actionable security advisories and CVEs. API responses include machine-readable mappings to the ecosystem, package name, and affected versions of impacted software. For more information, see “Global security advisories” in the REST API documentation.
  • GitHub Actions
    • To better navigate, trace, understand, and monitor deployments, users can view and track the full history of deployments in a repository or filter across environments. For more information, see “Viewing deployment history.”
    • Users can improve the security of deployment environments by configuring a branch protection policy to only allow specific branches to deploy to an environment. Additionally, the following security improvements apply to environments.
      • GitHub Enterprise Server blocks runs triggered from forks with branch names that match the protected branch’s name.
      • Tags with the same name as a protected branch cannot deploy to the environments with a branch protection configuration.
      For more information, see “Using environments for deployment.”
    • On an instance with GitHub Actions enabled and a configuration for deployment environments, administrators for environments can improve the security of deployments by enforcing a review by someone other than the person who triggered the run. This option prevents required reviewers from self-reviewing to trigger workflows. For more information, see “Using environments for deployment.”
  • Organizations
    • Organization owners can signal that an organization is no longer actively maintained by archiving the organization. For more information, see “Archiving an organization.”
  • Repositories
    • Users can govern protections for branches and tags in a repository using repository rules. To govern the protections for all of an organization’s repositories, users can also enable rulesets for an organization. Contributors to a repository can see which rules apply via the web interface, Git, or the GitHub CLI. For more information, see “About rulesets.”
    • Users can create new repositories with predefined attributes using query parameters. For example, a user can create a URL that prepopulates information about the repository like the name, description, visibility, and more. For more information, see “Creating a new repository.”
    • Users can more easily understand changes to a repository using the activity view. For more information, see “Using the activity view to see changes to a repository.”
  • Issues
    • Users can automatically add a new issue to projects using a custom issue form by defining projects in the issue template. For more information, see “Syntax for issue forms.”
  • Projects
    • Users can review items in a project view broken down by a certain field value. For more information, see “Customizing the table layout.”
    • Users can create charts to visualize current project items, or visualize project items over time. For more information, see “About insights for Projects.”
  • Accessibility
    • To improve the visibility of links with blocks of text in the web interface for GitHub Enterprise Server, users can apply underline styling. For more information, see “Managing accessibility settings.”
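The "Global security advisories" REST endpoint described under Code security above returns, for each advisory, a list of affected packages with a vulnerable version range such as ">= 2.0.0, < 2.4.1". The following is an added example, not code from GitHub or from the NC State service, showing how a consumer of that endpoint can decide whether a pinned dependency falls inside an advisory's range. The response below is constructed with placeholder advisory IDs and package names and only mirrors the documented field layout; the instance hostname, the numeric-only version comparison, and the small set of range operators handled are assumptions for the example.

```python
import json
from typing import List, Tuple

# Constructed sample shaped like a GET /api/v3/advisories?ecosystem=npm response
# on a GHES host (assumed: https://github.example.edu). The GHSA IDs and package
# names are placeholders, not real advisories.
SAMPLE_RESPONSE = json.dumps([
    {
        "ghsa_id": "GHSA-EXAMPLE-1",
        "cve_id": None,
        "severity": "high",
        "vulnerabilities": [
            {"package": {"ecosystem": "npm", "name": "example-pkg"},
             "vulnerable_version_range": ">= 2.0.0, < 2.4.1",
             "first_patched_version": "2.4.1"},
        ],
    },
    {
        "ghsa_id": "GHSA-EXAMPLE-2",
        "cve_id": None,
        "severity": "medium",
        "vulnerabilities": [
            {"package": {"ecosystem": "pip", "name": "example-lib"},
             "vulnerable_version_range": "< 1.3.0",
             "first_patched_version": "1.3.0"},
            {"package": {"ecosystem": "npm", "name": "example-pkg"},
             "vulnerable_version_range": "= 3.0.0",
             "first_patched_version": "3.0.1"},
        ],
    },
])

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple, so 1.10.0 sorts after 1.9.0.
    Assumption for the example: pre-release and build suffixes are dropped."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version: str, range_expr: str) -> bool:
    """True when every comma-separated clause of the advisory range holds."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        op, _, bound = clause.strip().partition(" ")
        if op not in OPS:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def affected_advisories(response_json: str, ecosystem: str, name: str,
                        version: str) -> List[Tuple[str, str, str]]:
    """Return (ghsa_id, severity, first_patched_version) for every advisory
    whose vulnerability entry matches the package and contains the version."""
    hits = []
    for advisory in json.loads(response_json):
        for vuln in advisory["vulnerabilities"]:
            pkg = vuln["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
                continue
            if in_range(version, vuln["vulnerable_version_range"]):
                hits.append((advisory["ghsa_id"], advisory["severity"],
                             vuln["first_patched_version"]))
    return hits


if __name__ == "__main__":
    for ver in ("2.3.0", "2.4.1", "3.0.0"):
        print(ver, affected_advisories(SAMPLE_RESPONSE, "npm", "example-pkg", ver))
```

Against a live instance the same function runs over the body of `GET /api/v3/advisories` (filtered with the `ecosystem` query parameter) fetched with a token that has API access; the parsing and range logic is what matters, and the numeric tuple comparison is deliberate so that a version like 1.10.0 is not treated as older than 1.9.0 by a string compare.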

Changes

  • On an instance that uses built-in authentication or LDAP, if two-factor authentication (2FA) is configured for an organization, a user could previously use the same TOTP code multiple times within the code’s window of validity, both during authentication and when entering sudo mode for sensitive actions. To improve security, this reuse is no longer allowed. External systems with a scripted login flow across multiple parallel jobs may stop working as a result of this change. For more information about 2FA, see the following articles.
  • On an instance with Dependabot enabled, due to misconfiguration or incompatible versions, Dependabot jobs for a repository can fail. After 30 failed runs, subsequent scheduled jobs will fail immediately until you trigger a check for updates from the dependency graph, or until you update a manifest file. Jobs for Dependabot security updates will still trigger normally.
  • On an instance with Dependabot enabled, the following improvements apply to the repository view for dependency graph, available from the repository’s “Insights” tab.
    • Users can search by package name from a paginated list of all dependencies.
    • Dependency licenses are displayed.
    • Dependabot alerts appear for dependencies, sorted by severity, and link to the Dependabot alerts and the Dependabot update pull request where applicable.
    For more information about the dependency graph, see “About the dependency graph.”
  • On an instance with GitHub Actions enabled, workflows that use Node.js 12 will log a warning. Node.js 12 has been end-of-life since April 2022.
  • On an instance with GitHub Actions enabled and runners using GitHub Actions Runner 2.309.0 or later, users can no longer use GITHUB_ENV to set the NODE_OPTIONS environment variable in workflows. Workflows that set NODE_OPTIONS as an environment variable will now log the following error:
    Can't store NODE_OPTIONS output parameter using '$GITHUB_ENV' command.
    For more information, see “Workflow commands for GitHub Actions” and the v2.309.0 release in the actions/runner repository on GitHub.com.
  • Users can quickly take action on multiple items in a group, or the group itself, using the ••• button in a table, board, or roadmap.
  • Users can break out items in a project by workstreams, team members, priorities, or other groupings using a swimlane view. For more information, see “Customizing the board layout.”
  • Users can view the template used to create a project from a project’s settings.
  • When scrolling through a project, group headers are now sticky.
  • The colors for single-select fields in a project have been updated, so users see the same colors within the field picker and within project views.
  • Users can create issues in a project view that’s grouped by repository in the board layout by clicking “Create new issue”, or by starting to type the issue’s title.
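The TOTP change listed above under Changes (a code can no longer be presented twice inside its validity window) is easy to get wrong in a home-grown verifier, because RFC 6238 validation alone only checks that a code matches some step within the skew window. The following is an added example, not GitHub’s implementation, of a verifier that records the highest time-step counter already accepted for each user and refuses any code at or below it. The secret store, the one-step skew window, and the user names are assumptions for the example; the RFC test secret is used so the values are reproducible.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP value for one time-step counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TotpVerifier:
    """Verifies TOTP codes and never accepts the same time step twice for a user."""

    def __init__(self, secrets: Dict[str, bytes], window: int = 1):
        self.secrets = secrets                     # user -> shared secret (assumed store)
        self.window = window                       # steps of clock skew tolerated each way
        self.last_accepted: Dict[str, int] = {}    # user -> highest counter already used

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        now = time.time() if now is None else now
        current = int(now // TIME_STEP)
        for counter in range(current - self.window, current + self.window + 1):
            if not hmac.compare_digest(totp(secret, counter), code):
                continue
            # Replay check: the code is bound to this counter, so a counter at or
            # below the last accepted one is a reuse and is rejected even though
            # the code is still inside the validity window.
            if counter <= self.last_accepted.get(user, -1):
                return False
            self.last_accepted[user] = counter
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; at T=59 the 6-digit code is 287082.
    verifier = TotpVerifier({"alice": b"12345678901234567890"})
    print(verifier.verify("alice", "287082", now=59))   # first use: accepted
    print(verifier.verify("alice", "287082", now=59))   # same code again: rejected
```

This is exactly the behaviour that breaks a scripted login fanned out across parallel jobs: only the first job to present a given code succeeds, and the others must wait for the next 30-second step. A persistent deployment would keep `last_accepted` in shared storage rather than in memory so the check holds across processes.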

Deprecations

Security fixes

  • HIGH: An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. GitHub has requested CVE ID CVE-2024-0507 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • HIGH: An attacker could leverage an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. GitHub has requested CVE ID CVE-2024-0200 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.
  • HIGH: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of private mode by using a specially crafted API request. Private mode is the mechanism that enforces authentication for publicly-scoped resources. For more information, see “Enabling private mode.” This vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public on the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in private mode. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-6847.
  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-46645.
  • MEDIUM: An attacker could maintain admin access via a race condition when an organization was converted from a user. GitHub has requested CVE ID CVE-2023-46649 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An insertion of sensitive information into log file in the audit log in GitHub Enterprise Server was identified that could allow an attacker to gain access to the Management Console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID CVE-2023-6802 for this vulnerability.
  • MEDIUM: A race condition in GitHub Enterprise Server allowed an outside collaborator to be added while a repository is being transferred. GitHub has requested CVE ID CVE-2023-6803 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-46648.
  • MEDIUM: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID CVE-2023-6746 for this vulnerability.
  • MEDIUM: An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID CVE-2023-6690 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID CVE-2023-6804 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents.write and issues.read permissions. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-51379.
  • MEDIUM: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-51380.
  • LOW: To render interactive maps in an instance’s web UI using Azure Maps, GitHub Enterprise Server has migrated from use of an insecure Azure Maps API token to a more secure access token provided by role-based access control (RBAC) in Entra ID. After upgrading to this release, to re-enable interactive maps, an administrator must reconfigure authentication to Azure Maps in the Management Console. For more information, see “Configuring interactive maps.”
  • To address scenarios that could lead to denial of service, HAProxy has been upgraded to version 2.8.4.

Bug fixes

  • Support for authenticating to GitHub Enterprise Server using GitHub CLI OAuth App with a device code was unintentionally disabled.
  • During periods of high load, users would see intermittent interruptions to services when upstream services failed internal health checks.
  • On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server.
  • Deleting a repository would enqueue unnecessary background jobs that would never complete.
  • When creating a new custom pattern for secret scanning, the “More options” section of the custom pattern form automatically collapsed when a user entered an invalid regex in the post processing expressions (before/after secret match or additional secret requirements).
  • On an instance with a GitHub Advanced Security license and secret scanning enabled, users could experience a 500 error when viewing a secret scanning alert page in cases where the alerted commits belonged to the user and one or more commits could not be found.
  • Members of an enterprise were incorrectly allowed access to the REST API endpoints for Enterprise licensing.
  • Under rare circumstances, a repository could become unavailable due to a temporary file being left behind after a Git process was unexpectedly interrupted (for example, due to a power outage).
  • On an instance with GitHub Advanced Security enabled, a suspended user would consume a license for GitHub Advanced Security.
  • In rare cases, on an instance with GitHub Actions enabled, a failed check on a deleted repository could cause upgrades to a new version of GitHub Enterprise Server to fail.
  • In some cases, when an administrator uploaded a custom TLS certificate, the certificate was not correctly installed on the instance.
  • On an instance with GitHub Actions enabled, an issue with GH_TOKEN sometimes prevented GitHub Pages sites from building successfully in workflows.
  • A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organization’s owners unexpectedly receiving access to the repository.
  • On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns.
  • On an instance with a GitHub Advanced Security license and secret scanning enabled, webhooks for alert locations did not contain information about push protection bypasses.

Changes

  • To avoid leaking secrets, the logging of all parameters is disabled for Management Console events in enterprise audit logs.
  • The branch protection setting to require PR approval of the most recent reviewable push is included in exports from ghe-migrator or the Organization Migrations API.
  • On an instance with Dependabot updates enabled, Dependabot relies on the node installation provided by the actions runner instead of dynamically downloading.