CVE-2023-23764: Release notes - GitHub Enterprise Server 3.7 Docs

3.7.8: Security fixes

• HIGH: Addressed an improper authentication vulnerability that allowed an unauthorized actor to modify other users’ secret gists by authenticating through an SSH certificate authority. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23761. [Updated: 2023-04-07]

• MEDIUM: Addressed an incorrect comparison vulnerability that allowed commit smuggling by displaying an incorrect diff. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-23762. [Updated: 2023-04-07]

3.7.8: Bug fixes

• On an instance with GitHub Actions enabled, nested calls to reusable workflows within a reusable workflow job with a matrix correctly evaluate contexts within expressions, like strategy: ${{ inputs.strategies }}.

• On an instance in a high availability configuration, a git push operation could fail if GitHub Enterprise Server was simultaneously creating the repository on a replica node.

• In the Management Console’s monitor dashboard, the Cached Requests and Served Requests graphs, which are retrieved by the git fetch catching command, did not display metrics for the instance.

• After a site administrator exempted the @github-actions[bot] user from rate limiting by using the ghe-config app.github.rate-limiting-exempt-users "github-actions[bot]" command, running ghe-config-check caused a Validation is-valid-characterset failed warning to appear.

• GitHub Actions (actions) and Microsoft SQL (mssql) did not appear in the list of processes within the instances monitor dashboard.

• In some cases, graphs on the Management Console’s monitor dashboard failed to render.

• On an instance in a high availability configuration, if an administrator tore down replication from a replica node using ghe-repl-teardown immediately after running ghe-repl-setup, but before ghe-repl-start, an error indicated that the script cannot launch /usr/local/bin/ghe-single-config-apply - run is locked. ghe-repl-teardown now displays an informational alert and continues the teardown.

• After an administrator used the /setup/api/start REST API endpoint to upload a license, the configuration run failed with a Connection refused error during the migrations phase.

• On an instance in a cluster configuration, when a site administrator set maintenance mode using ghe-maintenance -s, a Permission denied error appeared when the utility tried to access /data/user/common/cluster.conf.

• During configuration of high availability, if a site administrator interrupted the ghe-repl-start utility, the utility erroneously reported that replication was configured, and the instance would not perform expected clean-up operations.

• On instances configured to use the private beta of SCIM for GitHub Enterprise Server, users’ authentication with SSH keys and personal access tokens failed due to an erroneous requirement for authorization.

• After a user imported a repository with push protection enabled, the repository was not immediately visible in the security overview’s “Security Coverage” view.

• Responses from the /repositories REST API endpoint erroneously included deleted repositories.

• When a site administrator used ghe-migrator to migrate data to GitHub Enterprise Server, in some cases, nested team relationships would not persist after teams were imported.

• If a repository contained a CODEOWNERS file with check annotations, pull requests “Files changed” tab returned a 500 error and displayed “Oops, something went wrong” in the “Unchanged files with check annotations” section.

• On an instance with GitHub Actions enabled, if a user manually triggered a workflow using the REST API but did not specify values for optional booleans, the API failed to validate the request and returned a 422 error.

• The CSV reports for all users and all active users, available from the site admin dashboard, did not consider recent access using SSH or personal access tokens.

• In some cases on an instance with multiple nodes, GitHub Enterprise Server erroneously stopped writing to replica fileservers, causing repository data to fall out of sync.

• GitHub Enterprise Server published distribution metrics that cannot be processed by collectd. The metrics included pre_receive.lfsintegrity.dist.referenced_oids, pre_receive.lfsintegrity.dist.unknown_oids, and git.hooks.runtime.

• On an instance with a GitHub Advanced Security license, if code scanning had been used while running GitHub Enterprise Server 3.4 or earlier, a subsequent upgrade from 3.5 to 3.6 or 3.7 could fail when attempting to add a unique index to a database table.

• An enterprise owner could not enable two-factor authentication (2FA) for an instance if any enterprise owners had not enabled 2FA for their user accounts. [Updated: 2023-04-17]

• On an instance with GitHub Packages enabled, after users pushed to the Container registry, the instance erroneously responded with a 429 Too Many Requests error in cases when the instance could accommodate the request. The limits have been raised, and users should receive this message less often. [Updated: 2023-05-30]

3.7.8: Changes

• When the dependency submission API received a submission with one or more dependencies without a version, the dependency graph will now correctly report this fact.

• To avoid a failure during a configuration run on a cluster, validation of cluster.conf with the ghe-cluster-config-check utility ensures that the consul-datacenter field for each node matches the top-level primary-datacenter field.

• On an instance in a cluster configuration, when a site administrator sets maintenance mode on a single cluster node using ghe-maintenance -s, the utility warns the administrator to use ghe-cluster-maintenance -s to set maintenance mode on all of the clusters nodes. For more information, see “Enabling and scheduling maintenance mode.”

• When a site administrator configures an outbound web proxy server for GitHub Enterprise Server, the instance now validates top-level domains (TLDs) excluded from the proxy configuration. By default, you can exclude public TLDs that the IANA specifies. Site administrators can specify a list of unregistered TLDs to exclude using ghe-config. The . prefix is required for any public TLDs. For example, .example.com is valid, but example.com is invalid. For more information, see “Configuring an outbound web proxy server.”

• To avoid intermittent issues with the success of Git operations on an instance with multiple nodes, GitHub Enterprise Server checks the status of the MySQL container before attempting a SQL query. The timeout duration has also been reduced.

• The default path for output from ghe-saml-mapping-csv -d is /data/user/tmp instead of /tmp. For more information, see “Command-line utilities.”

3.7.8: Known issues

• After restoration of a backup created using GitHub Enterprise Server Backup Utilities 3.7.0, users may not be able to sign into the instance. For more information, see “Known issues with backups for your instance.” [Updated: 2023-06-29]

• On a freshly set up GitHub Enterprise Server instance without any users, an attacker could create the first admin user.

• Custom firewall rules are removed during the upgrade process.

• The GitHub Packages npm registry no longer returns a time value in metadata responses. This was done to allow for substantial performance improvements. We continue to have all the data necessary to return a time value as part of the metadata response and will resume returning this value in the future once we have solved the existing performance issues.

• Instances experiencing a high sustained number of concurrent Git requests may experience performance issues. If you suspect that this issue is affecting your instance, contact GitHub Support. For more information, see “Creating a support ticket.” [Updated: 2022-12-07]

• In a repository’s settings, enabling the option to allow users with read access to create discussions does not enable this functionality.

• Following an upgrade to GitHub Enterprise Server 3.6 or later, existing inconsistencies in a repository such as broken refs or missing objects, may now be reported as errors like invalid sha1 pointer 0000000000000000000000000000000000000000, Zero-length loose reference file, or Zero-length loose object file. Previously, these indicators of repository corruption may have been silently ignored. GitHub Enterprise Server now uses an updated Git version with more diligent error reporting enabled. For more information, see this upstream commit in the Git project.

  If you suspect a problem like this exists in one of your repositories, contact GitHub Enterprise Support for assistance.

• During the validation phase of a configuration run, a No such object error may occur for the Notebook and Viewscreen services. This error can be ignored as the services should still correctly start.

• An upgrade to GitHub Enterprise Server 3.6 or 3.7 from 3.5 or earlier may be long running if a large number of deleted repositories exist. Deleted repositories are purged automatically after 90 days, but for a faster upgrade they can be purged manually. If you suspect you have thousands of recently deleted repositories, and you are concerned about a long running upgrade, contact GitHub Enterprise Support for assistance purging deleted repositories. [Updated: 2023-05-09]