GitHub Enterprise Server 3.13.3 tackles critical SAML vulnerability


GitHub has announced the release of Enterprise Server 3.13.3, which addresses several important security vulnerabilities, alongside various bug fixes and feature enhancements. This update focuses particularly on enhancing the security of GitHub Enterprise Server instances.

Key Security Fixes

  1. Critical Vulnerability – CVE-2024-6800:
    • This vulnerability affects instances that use SAML single sign-on (SSO) with specific Identity Providers (IdPs). Discovered through GitHub’s Bug Bounty program, it could allow an attacker to forge a SAML response. Successful exploitation could give an unauthorized user access to an account with site administrator privileges, which is what makes it a critical concern.
  2. Medium-Severity Vulnerabilities:
    • CVE-2024-7711: This vulnerability enabled attackers to modify the titles, assignees, and labels of issues in public repositories. Notably, private and internal repositories were not impacted by this vulnerability.
    • CVE-2024-6337: This issue allowed the exposure of issue content from private repositories through a GitHub App that had specific read and write permissions. However, it required a user access token to exploit, and it did not affect installation access tokens.

Additional Enhancements in Version 3.13.3

  • Enhanced Visibility: Users will now have better visibility into the state of gists, networks, and wikis. The addition of app state information within the spokesctl info output provides deeper insights, and the spokesctl check command can diagnose and often fix issues related to empty repository networks.
  • Improved Stability and Performance: The update includes numerous bug fixes targeting hotpatching issues, configuration updates, and database migrations, leading to overall improvements in system stability and performance.
  • Usability Improvements:
    • Administrators can now exercise more granular control over the maximum object size within repositories.
    • Users have the option to customize their link underline styling preferences within accessibility settings, enhancing the user experience.

Known Issues

While this update enhances security and usability, GitHub has acknowledged several known issues in the official release notes, including:

  • Potential errors during configuration runs.
  • Problems related to audit log data migration.
  • Increased memory utilization in certain scenarios.

Conclusion

The release of GitHub Enterprise Server 3.13.3 is crucial for maintaining the security and stability of enterprise environments. Users are encouraged to apply this update promptly to safeguard against the identified vulnerabilities, particularly the critical SAML SSO flaw, and to take advantage of the enhanced features and improvements. For further details and a complete list of changes, users can refer to the official GitHub release notes.
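For administrators who run more than one instance, the first practical step is an inventory of which instances are still below 3.13.3. The following script is an added example, not GitHub's own tooling: it assumes that the GHES REST API reports the running release in the "installed_version" field of GET /api/v3/meta, and it takes 3.13.3 as the fixed release for the 3.13 line, which is the only release line this article names. Instances on other release lines are reported as outside the scope of the check rather than guessed at. The sample /meta payloads and hostnames below are constructed for the demonstration.

```python
"""Flag GitHub Enterprise Server instances still below the 3.13.3 release.

Added example; assumes GET /api/v3/meta returns "installed_version" on GHES
and that 3.13.3 is the fixed release for the 3.13 line (per the article).
"""
import json
import re
import urllib.request

# Fixed release for the 3.13 line, as stated in the release announcement.
FIXED_VERSION = (3, 13, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn a 'major.minor.patch' string into a comparable tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess_version(installed, fixed=FIXED_VERSION):
    """Classify an installed version against the fixed release.

    Returns "patched", "vulnerable", or "other_line" when the instance runs a
    different major.minor line, which this check deliberately does not judge
    (the article only names 3.13.3 as the fixed release).
    """
    v = parse_version(installed)
    if v[:2] != fixed[:2]:
        return "other_line"
    return "patched" if v >= fixed else "vulnerable"


def assess_meta(meta_json):
    """Take the JSON body of GET /api/v3/meta and return (version, status)."""
    meta = json.loads(meta_json)
    version = meta.get("installed_version")
    if version is None:
        # github.com and responses without the field cannot be assessed.
        return (None, "not_ghes")
    return (version, assess_version(version))


def fetch_meta(base_url, token=None, timeout=10):
    """Fetch /api/v3/meta from an instance (network call; not run offline)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v3/meta",
        headers={"Accept": "application/vnd.github+json"},
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample payloads standing in for three instances' /meta responses.
SAMPLE_META = {
    "ghes-a.example.internal": '{"installed_version": "3.13.2"}',
    "ghes-b.example.internal": '{"installed_version": "3.13.3"}',
    "ghes-c.example.internal": '{"installed_version": "3.12.8"}',
}


def report(samples=SAMPLE_META):
    """Return {host: (version, status)} for each payload in samples."""
    return {host: assess_meta(body) for host, body in samples.items()}


if __name__ == "__main__":
    for host, (version, status) in report().items():
        print(f"{host:28} {version or '-':8} {status}")
```

To run it against live instances, replace SAMPLE_META with the bodies returned by fetch_meta() for each base URL; the classification logic is unchanged. Note that "patched" here only means the instance is at or above 3.13.3 on the 3.13 line, so an instance on another line still needs to be checked against that line's own release notes.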