GitHub Upgrade – 3.12.7

On Monday, July 22 beginning at 5:00 PM EDT, we will be taking the github.ncsu.edu service offline for an upgrade. During the outage no one will be able to log in or interact with the service in any way. We do not expect the upgrade to take more than the scheduled period. In the event that more time is needed, we will update this status.

If you have any questions or concerns, please contact the NC State Help Desk via the NC State Service Portal at help.ncsu.edu or help@ncsu.edu.

Security fixes

  • HIGH: An attacker could cause unbounded resource exhaustion on the instance by sending a large payload to the Git server. To mitigate this issue, GitHub has limited the count of “have” and “want” lines for Git read operations. GitHub has requested CVE ID CVE-2024-5795 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related personal access token. GitHub has requested CVE ID CVE-2024-5566 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could have unauthorized access in a public repository using a suspended GitHub App via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. GitHub has requested CVE ID CVE-2024-5816 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could execute a Cross Site Request Forgery (CSRF) attack to perform write operations on a victim-owned repository in GitHub Enterprise Server by exploiting incorrect request types. A mitigating factor is that the attacker has to be a trusted user and the victim has to visit a tag in the attacker’s fork of their own repository. GitHub has requested CVE ID CVE-2024-5815 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could disclose the name of a private repository on the GitHub Enterprise Server appliance when the private repository has a deploy key associated to it. GitHub has requested CVE ID CVE-2024-6395 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • LOW: Instance administrators could see fine-grained personal access tokens in plaintext in the babeld and gitauth logs.
  • LOW: An attacker with read access to a project could use the REST API to view a list of all members in an organization, including members who had made their membership private. This vulnerability was reported via the GitHub Bug Bounty program.
  • LOW: An attacker could include MathJax syntax in Markdown to bypass GitHub's normal restrictions on CSS properties in Markdown. This vulnerability was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could disclose sensitive information from a private repository exploiting organization ruleset features. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. GitHub has requested CVE ID CVE-2024-6336 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could have unauthorized read access to issue content inside an internal repository via GitHub projects. This attack required attacker access to the corresponding project board. GitHub has requested CVE ID CVE-2024-5817 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.
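The first (HIGH) fix above limits how many "have" and "want" lines a client may send during a Git fetch negotiation. The following is an added illustration of that kind of cap, written for this page; it is not GitHub's code and the numeric limits are assumptions, since the release note does not state the real values. It parses the pkt-line framing Git uses on the wire (a 4-hex-digit length prefix per line, "0000" as a flush packet) and rejects a request as soon as a cap is exceeded, before any line is buffered.

```python
import re

# Caps are assumptions for this example; the release note does not state
# GitHub's actual limits. Tune them to what your clients legitimately need.
MAX_WANT_LINES = 1000
MAX_HAVE_LINES = 5000

_OID = re.compile(rb"[0-9a-f]{40}")          # SHA-1 object id
_PKT_LEN = re.compile(rb"[0-9a-fA-F]{4}")    # 4-hex-digit pkt-line length


class ProtocolError(ValueError):
    """Raised when the request is malformed or exceeds a negotiation cap."""


def pkt_line(payload: bytes) -> bytes:
    """Encode one pkt-line: 4 hex digits of total length, then the payload."""
    return b"%04x" % (len(payload) + 4) + payload


def iter_pkt_lines(data: bytes):
    """Yield each pkt-line payload; yield None for a flush-pkt (0000)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos:pos + 4]
        if not _PKT_LEN.fullmatch(hdr):
            raise ProtocolError(f"bad pkt-line length field {hdr!r}")
        length = int(hdr, 16)
        if length == 0:             # flush-pkt
            pos += 4
            yield None
            continue
        if length < 4 or pos + length > len(data):
            raise ProtocolError(f"pkt-line length {length} out of range")
        yield data[pos + 4:pos + length]
        pos += length


def count_negotiation(data: bytes, max_wants=MAX_WANT_LINES, max_haves=MAX_HAVE_LINES):
    """Walk the client's upload-pack negotiation, enforcing caps as lines arrive.

    Returns (wants, haves). Each cap is checked per line, before anything is
    accumulated, so an oversized request is refused without being stored.
    """
    wants = haves = 0
    for payload in iter_pkt_lines(data):
        if payload is None:
            continue
        line = payload.rstrip(b"\n")
        if line.startswith(b"want "):
            # The first want line may carry a capability list after the oid.
            oid = line[5:].split(b" ", 1)[0]
            if not _OID.fullmatch(oid):
                raise ProtocolError("malformed want line")
            wants += 1
            if wants > max_wants:
                raise ProtocolError(f"more than {max_wants} want lines")
        elif line.startswith(b"have "):
            if not _OID.fullmatch(line[5:]):
                raise ProtocolError("malformed have line")
            haves += 1
            if haves > max_haves:
                raise ProtocolError(f"more than {max_haves} have lines")
        elif line == b"done":
            break
        else:
            raise ProtocolError(f"unexpected line {line[:32]!r}")
    return wants, haves


def build_request(n_wants: int, n_haves: int) -> bytes:
    """Construct a synthetic negotiation: want lines, flush, have lines, done."""
    out = b""
    for i in range(n_wants):
        out += pkt_line(b"want %040x\n" % i)
    out += b"0000"
    for i in range(n_haves):
        out += pkt_line(b"have %040x\n" % (i + 1))
    out += pkt_line(b"done\n")
    return out


def is_rejected(data: bytes, **caps) -> bool:
    """True if count_negotiation refuses the request."""
    try:
        count_negotiation(data, **caps)
    except ProtocolError:
        return True
    return False
```

The point of checking the counters inside the loop rather than after parsing is that the cost of a hostile request stays bounded by the cap, not by the size of the payload the attacker chose to send.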
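The LOW fix for fine-grained personal access tokens appearing in the babeld and gitauth logs is resolved by the upgrade, but log copies retained before it (backups, forwarded SIEM data) may still contain tokens. The following is an added example, not GitHub's code, of a scan an administrator could run over such copies to find and redact them. The "github_pat_" and "ghp_" prefixes are the documented fine-grained and classic token prefixes; the length bounds in the pattern, the log line shape and the token value are constructed for this example and are not the appliance's real format.

```python
import re

# Prefixes are real; the length bounds are loose assumptions for this example.
TOKEN_RE = re.compile(r"\b(github_pat_[A-Za-z0-9_]{30,}|ghp_[A-Za-z0-9]{36})\b")

# Fabricated token and constructed sample lines in a babeld/gitauth-like shape.
FAKE_TOKEN = "github_pat_" + "A" * 22 + "_" + "B" * 59
SAMPLE_LOG = "\n".join([
    f"2024-07-22T21:03:11Z babeld: client=203.0.113.7 repo=org/app auth={FAKE_TOKEN} op=git-upload-pack",
    "2024-07-22T21:03:12Z gitauth: user=alice repo=org/app result=allow",
    "2024-07-22T21:04:02Z babeld: client=198.51.100.9 repo=org/lib proto=ssh op=git-receive-pack",
])

PLACEHOLDER = "<REDACTED_TOKEN>"


def redact(line: str) -> str:
    """Replace every token in the line with a placeholder."""
    return TOKEN_RE.sub(PLACEHOLDER, line)


def scan_log(text: str):
    """Return (line numbers containing a token, redacted copy of the text)."""
    hits = []
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if TOKEN_RE.search(line):
            hits.append(n)
        out.append(redact(line))
    return hits, "\n".join(out)


if __name__ == "__main__":
    hits, cleaned = scan_log(SAMPLE_LOG)
    print("lines with tokens:", hits)
    print(cleaned)
```

A hit in retained logs means the token was exposed to anyone with access to those logs; the sensible response is to rotate the token, not only to redact the copy.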

Bug fixes

  • Establishing a new GitHub Connect connection could fail with a 500 error.
  • When a user used the REST API endpoints that returned secret scanning alerts at the repository or organization level with non-cursor-based pagination (for example, without before or after query parameters), the REST API endpoints for secret scanning returned incorrect Link headers.
  • On certain branch names, the branch info bar was causing frozen string errors.
  • After navigating to a discussion, the link underline for the Discussions tab in the GitHub UI incorrectly appeared under the Settings tab heading.
  • Enterprise owners managed by an identity provider were asked to authenticate within GitHub when performing privileged actions.
  • In some cases, on the “Files” tab of a pull request, a comment on the first line did not render.
  • Some organizations were not recognized as part of an instance’s enterprise account.
  • Some users would encounter an error when navigating to their personal security settings page at https://HOSTNAME/settings/security.
  • In the sidebar menu that is displayed when a user clicks their profile picture, users who are not enterprise owners saw an “Enterprise settings” option, linking to the main page of an enterprise. This option is now labeled “Your enterprise”.
  • On the “Code scanning” page of a repository, the branch filter did not correctly display all branches.
  • When repository creation failed because a ruleset or pre-receive hook rejected the initial .gitignore or README.md file, no error message was displayed.
  • On some instances, users were unable to save historical insights charts for Projects.
  • The setting to enable or view non-provider patterns was not available for public repositories.
  • Users viewing the alerts index page experienced inconsistencies in rendering the closed alert state.
  • Organizations named “C” were incorrectly routed to the GitHub Enterprise Server contact page instead of their organization page.
  • When servers responded with unsupported characters, webhook deliveries were not displayed in the UI.
  • Chat integrations required frequent reauthentication, as a result of new app installations overwriting previous ones.

Changes

  • The timeout for requests made to the REST API endpoints for secret scanning has been extended.
  • A more specific error message is shown when a non-provisioned user tries to sign in to an instance with SCIM enabled.
  • When a user changes a repository’s visibility to public, the user is now warned that previous Actions history and logs will become public as well.
  • A more specific error message is shown when a deprovisioned user tries to sign in to an instance with SCIM enabled.
  • The system logs provide more context for authentication failures related to multi-factor authentication.
  • To avoid excessive log volume and associated disk pressure, requests for GetCacheKey are no longer logged. Previously, the high frequency of these requests caused significant log accumulation.