GitHub Upgrade – 3.13.3

On Monday, August 26th beginning at 5:00 PM EDT, we will be taking the github.ncsu.edu service offline for an upgrade. During the outage no one will be able to log in or interact with the service in any way. We do not expect the upgrade to take longer than the scheduled period. In the event that more time is needed, we will update the status on the NC State Service Portal.

If you have any questions or concerns, please contact the NC State Help Desk via the NC State Service Portal at help.ncsu.edu or help@ncsu.edu.

Please note this list of changes is not exhaustive. A full list can be found on the GitHub Enterprise 3.13 Release Notes.

Features

  • Users can view the app state of gists, networks, and wikis in the spokesctl info output, enhancing visibility into the status of these elements. Additionally, spokesctl check can diagnose and, in most cases, fix empty repository networks, improving network management.

Security fixes

  • CRITICAL: On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges. GitHub has requested CVE ID CVE-2024-6800 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository, and private/internal repositories were not affected. GitHub has requested CVE ID CVE-2024-7711 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could disclose the issue contents from a private repository using a GitHub App with only contents: read and pull requests: write permissions. This was only exploitable via user access token, and installation access tokens were not impacted. GitHub has requested CVE ID CVE-2024-6337 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.
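Because the first item above is a CRITICAL authentication bypass, the practical question for anyone running or depending on an instance is whether it is already at 3.13.3 or later. The script below is an added example written for this page, not code from NC State OIT or from GitHub. It assumes that the instance exposes the REST meta endpoint at https://<host>/api/v3/meta and that the response carries an "installed_version" string; only the 3.13 release line is mapped, to 3.13.3 as stated on this page, and other lines must be filled in from the GitHub Enterprise release notes. The sample response is constructed for the offline run.

```python
"""Check whether a GitHub Enterprise Server instance is at or past a fix version.

Added example, not part of the announcement or of GitHub's tooling. Assumptions:
- GET https://<host>/api/v3/meta returns JSON with an "installed_version" string
  such as "3.13.2" (the GHES REST meta endpoint).
- FIX_VERSIONS only knows the 3.13 line (3.13.3, from this page); unknown release
  lines are reported as not verified rather than silently passed.
"""
import json
import re
import urllib.request

FIX_VERSIONS = {
    "3.13": "3.13.3",   # from this announcement; add other lines from the release notes
}


def parse_version(v):
    """'3.13.3' -> (3, 13, 3). Keeps leading digits of each component, so a
    suffix such as '3.13.3-rc1' still parses as (3, 13, 3); '3.13' -> (3, 13, 0)."""
    parts = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {v!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(installed, fix_versions=FIX_VERSIONS):
    """Return (patched, reason). A release line missing from the table is
    reported as unverified, never as patched."""
    major, minor, _ = parse_version(installed)
    line = f"{major}.{minor}"
    fix = fix_versions.get(line)
    if fix is None:
        return False, f"release line {line} not in fix table; check the release notes"
    if parse_version(installed) >= parse_version(fix):
        return True, f"{installed} >= {fix}"
    return False, f"{installed} < {fix}; upgrade required"


def check_meta_json(body, fix_versions=FIX_VERSIONS):
    """Evaluate the JSON body returned by GET /api/v3/meta."""
    meta = json.loads(body)
    installed = meta.get("installed_version")
    if not installed:
        return False, "installed_version missing from /api/v3/meta response"
    return is_patched(installed, fix_versions)


def check_instance(host, timeout=10):
    """Live check against a GHES host (hostname is a parameter; not run offline)."""
    with urllib.request.urlopen(f"https://{host}/api/v3/meta", timeout=timeout) as r:
        return check_meta_json(r.read().decode())


# Constructed sample response, not captured from a real instance.
SAMPLE_META = json.dumps({"installed_version": "3.13.2",
                          "verifiable_password_authentication": False})

if __name__ == "__main__":
    print(check_meta_json(SAMPLE_META))
```

Run `check_instance("github.ncsu.edu")` after the maintenance window to confirm the reported version; comparing tuples rather than strings avoids the classic mistake of treating "3.13.10" as older than "3.13.3".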

Bug fixes

  • During support bundle generation or when running ghe-diagnostics, filesystem usage for the Elasticsearch data directory was not included.
  • Site administrators could not switch maintenance mode directly from “scheduled” to “on,” or vice versa.
  • Some users were unable to delete project views.
  • On the repository settings page for GitHub Pages, users saw an option to upgrade to GitHub Enterprise to use GitHub Pages with private visibility.
  • When importing using ghe-migrator, team URLs containing dots were imported as-is, leading to 404s when attempting to view the imported teams. Dots in imported team URLs are now escaped to dashes.
  • In the file tree on the “Files changed” tab of a pull request, users could not collapse or expand directories.
  • On an instance with subdomain isolation enabled, images served from a subdomain or external source did not render correctly in issues opened in the Projects side panel.
  • Running go get for a Golang repository with a directory structure that overlaps with GitHub UI routes failed.
  • The wrong help link was displayed when push protection blocked a secret from the CLI.
  • Embedded images in wiki pages were broken.
  • For repositories with issues disabled, issue links were redirected to pull requests.
  • In custom pre-receive hooks, the paths stored in the environment variables that point at the quarantine directory holding newly pushed objects could be interpreted as relative to a worktree instead of the Git directory, causing certain commands to fail to read from the repository. The variables now use absolute paths.
  • A corrupted entry in the Git audit log could cause out of memory errors.
  • Fixes and improvements for the git core module.

Changes

  • Users can set their styling preference for link underlines in the web interface, on their “Accessibility” settings page.
  • Audit log events related to audit log streaming are available in the enterprise audit log page, and via audit log streaming.