GitHub Enterprise - Upgrade Changelog

GitHub Enterprise – 3.14.19

Please note this list of changes is not exhaustive, but has been curated to changes which affect users of the NC State GitHub service.

This encompasses the full set of changes between 3.14.4-3.14.19.

A full list of changes can be found on the official GitHub Enterprise 3.14 Release Notes.

Security fixes

CRITICAL: Redis has been upgraded to version 6.2.20 to address CVE-2025-49844 (also known as RediShell).
HIGH: A privilege escalation vulnerability in GitHub Enterprise Server allowed an authenticated enterprise admin to gain root SSH access.
HIGH: An attacker could execute arbitrary code in the context of other users' browsers.
HIGH: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories.
MEDIUM: An attacker could inject HTML in the instances web UI because the web commit dialog did not properly sanitize repository rule violation messages.
MEDIUM: An attacker could view private repository names, which the signed-in user is not authorized to see, in the GitHub Advanced Security Overview.
HIGH: An attacker could access environment variables in the debug artifacts uploaded by the CodeQL action after a failed code scanning workflow run.
Packages have been updated to the latest security versions.

Bug fixes

Users sometimes received a JSON response instead of a web page when clicking "Back" after viewing files in raw format.
Pull requests were blocked from merging due to unhandled merge attempt timeouts.
Pull requests were temporarily blocked from merging due to delayed purging of failed background jobs.Organization owners had no audit log events to track organization announcements displayed on banners in the UI.
Ephemeral runner registrations for GitHub Actions were not fully cleaned up after deletion.
Images embedded in Markdown tables did not display correctly.
Deleted discussions could potentially prevent a repository from being exported using the export API or ghe-migrator.
Actions workflows were not able to access up to 1,000 organization variables when the total size of all variables was under 10 MB.
Fetches from repository caches returned a "Repository not found" error when the cache is out of sync.
Pruning unreachable Git objects on a single replica could cause increased CPU load due to many Git checksum recalculations.
In the commit author filter dropdown on the commit history page for a repository, users could not search for a specific author (such as foo) if their search query had already returned a similar username (such as foobar).
Various repository content API endpoints were unable to parse revisions containing invalid UTF-8 byte sequences, triggering 500 Internal Server Error responses.
An issue with the webhook delivery system could cause missing commits on pull requests and stop GitHub Actions workflows from running reliably on certain triggers. A database replication delay in the webhook delivery system has been removed.
When users requested large amounts of data from certain API endpoints, such as List organization repositories, they sometimes received a 500 error.
Team avatars and descriptions did not always appear on the team's page.
In some cases, a file in the code view would appear as JSON instead of HTML.
The relative date for commits was sometimes incorrectly displayed in the web UI.
Users who had authenticated to multiple accounts, then logged out of one account, were unable to switch to a different account on the platform.
Certain search terms for repositories and wikis did not return all valid results.
The view for a repository's "top contributors" failed to render when when it received invalid parameters.
When adding bypass permissions to a ruleset, the dropdown menu failed to load if one of the suggested actors was an invalid integration.
Attempting to access the code security settings page for a non-existent enterprise returned a 500 error instead of a 404 error.
Performing a browser back navigation to a pull request now displays up-to-date status checks.
Embedded images in wiki pages were broken.

Changes

Merging a pull request using the "Rebase and merge" option is now limited to 100 commits. If you have a pull request with more than 100 commits, you can create a merge commit, or squash and merge, or split the commits into multiple pull requests.
Removes the minimum date for the new commit filter bar.