Release notes for the 2.12 series

Security Fixes

• Packages have been updated to the latest security versions.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.

Upcoming deprecation of GitHub Enterprise 2.12

GitHub Enterprise 2.12 will be deprecated as of December 12, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Thanks!

The GitHub Team

Security Fixes

• CVE-2018-16471 was addressed by updating Rack.
• Packages have been updated to the latest security versions.

Bug Fixes

• A stale temporary file could prevent an object managed by the Alambic service, which handles binary data such as avatars and image attachments, from syncing to HA or cluster replica nodes.
• Attempting to save settings in the Management Console incorrectly raised a validation error when an already saved TLS certificate or private key contains bag attributes.
• /var/log/error was not automatically rotated with logrotate and could sometimes use too much disk space.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Upcoming deprecation of GitHub Enterprise 2.12

GitHub Enterprise 2.12 will be deprecated as of December 12, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• Checking the replication status on a replica during a reboot of the primary could prevent replication for Git pre-receive hooks.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Upcoming deprecation of GitHub Enterprise 2.12

GitHub Enterprise 2.12 will be deprecated as of December 12, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Thanks!

The GitHub Team

Security Fixes

• The version string presented when using Git over SSH was misleading, causing security scanners to incorrectly report GitHub as vulnerable.
• Packages have been updated to the latest security versions.

Bug Fixes

• All non-root connections to the cloud provider metadata IP address (169.254.169.254) were blocked, preventing Google Cloud load balancer health checks from working correctly.
• Installing a hotpatch when replication is not setup displayed a harmless error message: grep: /etc/github/repl-state: No such file or directory.
• Rate limiting was enforced when adding members to organizations.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Thanks!

The GitHub Team

Security Fixes

• The git package has been updated to detect malicious Git submodules that could be used to exploit CVE-2018-17456.
• Packages have been updated to the latest security versions.

Bug Fixes

• The access control list (ACL) of configuration files transferred to replica nodes could be lost when configuring High Availability replication.
• Pull request review requests weren't satisfied if a member of a subteam completed the review.

Changes

• The osqueryi utility has been added to the GitHub Enterprise environment.
• GitHub Enterprise is now available in Azure Government. (updated 2018-10-18)

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Thanks!

The GitHub Team

Security Fixes

• CRITICAL: A file path traversal vulnerability in the jekyll-remote-theme gem of GitHub Pages could allow users to display the content of local files.

Bug Fixes

• GitHub Enterprise API responses would not be compressed when requested with gzip encoding.
• Webhooks could fail to be delivered if the compressed payload was greater than 1 MB.
• Upgrades could fail with Connection timed out if the hookshot service was unable to run migrations due to a firewall update that ran out of order.
• Repository replication records may be created inconsistently, resulting in unreported replication failures. This type of replication failure is now reported in ghe-repl-status.
• ghe-repl-setup allowed re-adding the same node as a replica.
• Using Safari, administrators were unable to schedule a future hotpatch upgrade from the Management Console due to an incompatible date parse.
• ghe-config-check would hang if run without any arguments.
• hookshot logs weren't purged properly in Elasticsearch and could consume large amounts of disk space.
• Migrations with ghe-migrator could fail to complete trying to add the same label to an issue.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Thanks!

The GitHub Team

Security Fixes

• LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
• Packages have been updated to the latest security versions.

Bug Fixes

• Promoting a replica could take an excessive amount of time in a multi-replica environment.
• Self-signed TLS certificates would fail to generate on Azure instances.
• Tags created through a release contained incomplete reflog data
• Organizations could be incorrectly suspended via the Suspend User REST API.
• Email visibility could be incorrectly toggled via the REST API.
• Fixes an issue where rate limits on raw and archive endpoints were left enabled even when configured to be disabled.
• Users can no longer accidentally upload revoked PGP keys.
• Users can no longer accidentally upload their private PGP keys.

Changes

• Optimise Elasticsearch backup process by preferring local copies of indices.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Thanks!

The GitHub Team

A file path traversal vulnerability in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

• 2.12.0 - 2.12.17
• 2.13.0 - 2.13.9
• 2.14.0 - 2.14.3

GitHub Enterprise 2.11 is not vulnerable.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.18, 2.13.10, 2.14.4, or greater.

Security Fixes

• CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files.
• MEDIUM: Access may have been inadvertently granted to internal IP addresses of GitHub Enterprise. The fix removed any access grants via an IP address.
• LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
• Packages have been updated to the latest security versions.

Bug Fixes

• Deleting an SNMPv3 user via ghe-snmpv3-remove-user did not remove all account data, preventing administrators from updating the password for the SNMPv3 user.
• Terminating the ghe-set-password command could result in unexpected shell behavior.
• Messages sent from the email service hook failed due to a recent security update.
• Adding a new integration failed if the license seat limit was reached.

Changes

• Admins can see which repositories are using GitHub Services with ghe-legacy-github-services-report.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Thanks!

The GitHub Team

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.

The affected supported versions are:

• 2.11.0 - 2.11.23
• 2.12.0 - 2.12.16
• 2.13.0 - 2.13.8
• 2.14.0 - 2.14.2

Errata: A file path traversal vulnerability in GitHub Enterprise

GitHub Enterprise 2.14.3, 2.13.9, and 2.12.17 were not patched properly and are still vulnerable to the file path traversal vulnerability. GitHub Enterprise 2.14.4, 2.13.10, and 2.12.18 will ship next week to address this vulnerability. As a manual workaround, you can disable Pages on the GitHub Enterprise environment. (updated 2018-08-23)

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

• 2.12.0 - 2.12.16 2.12.17
• 2.13.0 - 2.13.8 2.13.9
• 2.14.0 - 2.14.2 2.14.3

GitHub Enterprise 2.11 is not vulnerable.

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.17, 2.13.9 or 2.14.3.

Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11 for the remote code execution vulnerability. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.

Security Fixes

• CRITICAL: An attacker with repository admin or owner privileges could execute arbitrary commands on the appliance.
• CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files. (updated 2018-08-23)
• Packages have been updated to the latest security versions.

Bug Fixes

• Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages we reported to syslog when booting non-cloud based appliances.
• MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
• Hotpatching on Azure would fail due to a package conflict between waagent and walinuxagent.
• The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
• The ghe-org-admin-promote command-line utility would fail when attempting to promote a user without two-factor-authentication enabled as an admin of an org where two-factor authentication is required.
• New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.

Changes

• User-Agent has been added to Access-Control-Allow-Headers to support API clients which follow the Fetch specification.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Errata

• GitHub Enterprise 2.12.17 was not patched properly and is still vulnerable to the file path traversal vulnerability. (updated 2018-08-23)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• The compare page could fail to load if a user of a fork of the repository has been deleted.
• Redundant routes were created for archived gists when restoring to a cluster environment. This prevented archived gists from being unarchived.
• When a commit comment is left on a file with non-ascii characters in the path, the pull request page could return 503.

Changes

• The connect timeout has been increased to allow up to four retries during a cluster restore.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• The "Files Changed" view failed to display all changes when the difference contained a type change and the difference was too large.

Changes

• GitHub Apps have been updated to allow archiving repositories.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Errata

• HTTPS is now a requirement of GitHub Enterprise clustering. (updated 2018-08-13)

Thanks!

The GitHub Team

Security Fixes

• MEDIUM: Environment variables passed to pre-receive hook scripts were not properly escaped.
• LOW: It was possible to start a shell from the network configuration settings screen available on a virtual console.
• LOW: Filtering of parameters in log files was changed from a blacklist of fields to a whitelist. This ensures that less values are logged and in the future no values are accidentally logged.
• LOW: The body of API requests containing sensitive data was written to log files on the appliance. The request body is now only logged for debugging purposes and sensitive data is scrubbed before being logged.
• Packages have been updated to the latest security versions.

Bug Fixes

• Parallel uploads of the same Git LFS object could fail but still be reported as successful.
• A hotpatch could be applied to the appliance whilst a configuration run was in progress. This could lead to inconsistencies and unexpected behaviour.
• The LDAP users page at /stafftools/users/ldap had layout and accessibility issues.
• The Fork button was enabled for repositories in cases where a repository could not be forked anywhere.
• Including the port in the Host header when requesting a Pages site would return a 404 error.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Errata

• HTTPS is now a requirement of GitHub Enterprise clustering. (updated 2018-08-13)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• Pre-receive hooks would fail if the pre-receive environment lacked a /etc directory.
• Active git processes were not displayed on the Management Console's maintenance page
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.

Thanks!

The GitHub Team

Git client vulnerabilities

A number of critical Git security vulnerabilities were recently announced that affect all versions of the official Git client.

We strongly recommend that you ensure that all users update their Git clients, in addition to upgrading to this GitHub Enterprise release.

More details on these vulnerabilities can be found in the official announcement, and the associated CVEs, CVE-2018-11233 and CVE-2018-11235.

Security Fixes

• CRITICAL There was a remote code execution vulnerability that leveraged CVE-2018-11235 during the Pages build process. The Git package has been updated to address the vulnerability in the Pages build process. This fix is also available in GitHub Enterprise 2.12.10 and 2.12.11.
• GitHub will block pushing malicious Git submodules that could be used to exploit Git clients vulnerable to CVE-2018-11235.

Bug Fixes

• Elasticsearch metrics in the management console metrics dashboards have been fixed.
• Enable marking one search index as primary when there are multiple primary Elasticsearch indexes listed.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Git client vulnerabilities

A number of critical Git security vulnerabilities were recently announced that affect all versions of the official Git client.

We strongly recommend that you ensure that all users update their Git clients, in addition to upgrading to this GitHub Enterprise release.

More details on these vulnerabilities can be found in the official announcement, and the associated CVEs, CVE-2018-11233 and CVE-2018-11235. (updated 2018-05-30)

Security Fixes

• CRITICAL There was a remote code execution vulnerability that leveraged CVE-2018-11235 during the Pages build process. The Git package has been updated to address the vulnerability in the Pages build process. This fix is also available in GitHub Enterprise 2.12.10. (updated 2018-05-30)
• Packages have been updated to the latest security versions.

Bug Fixes

• Maintenance mode could be unset while a configuration run was in progress.
• A background job that purges deleted storage objects could cause backups to fail if run whilst a backup was in progress.
• Restoring a backup to an unconfigured GitHub Enterprise appliance could fail to restore Pages data with a "could not find 3 online voting fileservers" error.
• Updating branch protections from the API ignored the restricted teams parameter.
• Viewing a pull request reviewed by a member of a team that has been deleted could fail with a "500 Internal Server Error".
• Exporting a repository didn't include project boards.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• CRITICAL There was a remote code execution vulnerability that leveraged CVE-2018-11235 during the Pages build process. The Git package has been updated to address the vulnerability in the Pages build process. (updated 2018-05-30)
• Packages have been updated to the latest security versions.

Bug Fixes

• When booted into recovery mode, using ghe-set-password to reset the Management Console password would fail unless the haproxy-internal-proxy service was manually started.
• collectd.log contained superfluous Elasticsearch plugin warnings.
• ghe-migrator failed to import a GitHub.com migration archive when a pull request's requested reviewer was not a member of the organization.
• Commits pushed to a closed pull request were not included when fetching the pull request's tracking branch.
• API returned an incorrect response code when adding organization team members to a repository.
• The repository collaborator API ignored the permission parameter and always invited users with push permissions.

Changes

• Our unified Git proxy, babeld, now uses the BoringSSL cryptographic library to avoid lock contention issues in Git over SSH connections, which may have been encountered on large and busy appliances.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported.
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• LOW: Changed how certain types of exceptions are handled to prevent sensitive user data from being written to log files.

Bug Fixes

• Resetting the self signed certificate, either manually or as a result of a hostname or IP change, would fail.
• Duplicate object identifier (OID) entries were returned for the mounted partitions.
• Updates the support of automatically-managed TLS certificates from Let's Encrypt to request a single-domain certificate when Subdomain Isolation is disabled, and a multi-domain (SAN) certificate when Subdomain Isolation is enabled. A GitHub Enterprise installation will no longer require a wildcard DNS record to use this feature when Subdomain Isolation is disabled.
• Corrects calculation of hour and day of month for the crontab entry supporting renewals of automatically-managed ACME (Let's Encrypt) TLS certificates.
• Users may be unable to sign in to GitHub Enterprise via a private GitHub Pages site if subdomain isolation is enabled.
• ghe-migrator failed when the user was not a member of the organization at the time of export.
• Pages builds failed when TLS is disabled.

Changes

• Disabled redundant UDP listener in memcached.
• The appliance's UUID has been added to the replication overview page.
• Updated ESX image guest identifier to other26xLinux64Guest, which allows provisioning 65-128 virtual CPU cores on VMWare.
• The footer has been updated to display current version of GitHub Enterprise.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• LOW: It was identified internally that the existence of private repositories could be determined due to the differing error messages of some REST API endpoints. These error messages have been updated to be consistent regardless of a user’s authorization to the repository. No information except for the existence of a private repository would have been exposed due to this issue.

Bug Fixes

• Upgrades to later feature releases were blocked if the new patch release number is lower than the current one.
• Wiki footer options were not shown for read-only users.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
• Pages builds fail when TLS is disabled. (updated 2018-04-03)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• An appliance could not be successfully deployed on Google Cloud Platform without allocating a public IP address.
• Snapshots taken using the Backup Utilities from a GitHub Enterprise cluster will connect to the MySQL master node to allow transfer of SQL data via a unix domain socket instead of TCP.
• When creating a custom pre-receive hook environment, the operation would fail if the specified URL requested redirection.
• Upgrades with a package from an earlier release were not prevented.
• Some services would fail to restart after applying a hotpatch.
• The documentation_url field in some GraphQL API v4 responses referred to the REST API v3 documentation rather than the GraphQL API v4 documentation.
• Adding members via the new organization page did not display added users.
• Archived gists were not restored in cluster environments.
• The Get repository contents API endpoint incorrectly returned a 403 Forbidden response for some Git LFS-tracked files.
• Milestones retrieved using the REST API were not sorted as documented by default.
• "You signed out in another tab or window. Reload to refresh your session" message was being shown to some Firefox users.
• Pull Request would not merge if it touches file(s) the author owns requiring reviews from code owners.
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator.

Changes

• Entries recorded in the resqued.log file weren't included when forwarding logs to an external server. Customers monitoring the github_resque tag will need to switch to github_resqued instead.
• Added the ability to add multiple repositories to an export at once using a text file that lists the repository URLs.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance. (updated 2018-03-19)
• Pages builds fail when TLS is disabled. (updated 2018-04-03)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• LOW: Tokens were contained in extended support bundles when they were used in GET requests as a URL parameter.
• Packages were updated to their latest patch versions.

Bug Fixes

• RRD files used to store metrics that are no longer collected were never deleted, wasting space on the root file system.
• Webhook delivery could fail in a clustering environment when one of the web-server nodes was unavailable and not explicitly marked as offline.
• SVG files referenced using a relative path in a README were not shown.
• Trial CloudFormation template updated to use current version of AWS instances. As part of this update, this trial template will no longer work within the EC2 Classic network type.
• Failed to upgrade a replica to the same version on a newly partitioned root disk.
• Deleting a search index didn't delete all associated metadata, which were then incorrectly reused if a new search index was created. This caused search index repair jobs to be reported as finished in the site admin when they were not.
• The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong.
• LFS objects could fail to be cloned after a successful upload.
• GitHub Apps silently fail to be created when the name contains an underscore.
• Trying to delete an App's avatar in settings/apps/[app-name] caused an error and didn't delete the avatar.
• Installations failed to be removed while transferring repository ownership.
• Collaborators added through the API were incorrectly sent invitations.

Changes

• ghe-repl-status could show an inaccurate count when Alambic replication was behind.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance. (updated 2018-03-19)
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• The directory hierarchy was not retained when uploading a directory of files to a repository using drag & drop.
• MySQL backups could fail with mysqldump: Error 2013: Lost connection to MySQL server during query when dumping table error.
• An incorrect merge commit SHA could be returned for pull requests merged through the API.
• Multiple attempts may have been required to resolve a merge conflict using the conflict resolution web interface.
• The incomplete preview Community Profile API endpoint was enabled on GitHub Enterprise.
• Pull request reviewers were not migrated when migrating repositories using ghe-migrator.
• The pull request assignee event was duplicated on repositories migrated using ghe-migrator.
• The pull request review request had users reversed, after migration with ghe-migrator.
• Granting push permissions on a protected branch to a child team could fail with a 500 internal server error when submitting the form.
• Archived repositories could not be forked via the REST API.
• Querying the status of storage objects using in high availability and cluster environments has been optimized for improved performance.
• Git references, such as tags or branch names, with a high number of transitions from letter to numbers and back again, could result in a background worker crashing causing some webhooks not to fire.
• The gpgverify service could consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)

Changes

• GitHub Enterprise is now available in the Paris AWS region.
• Support bundles are more efficiently sanitized during generation.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
• GitHub Apps silently fail to be created when the name contains an underscore.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong.
• Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance. (updated 2018-03-19)
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• The hostname documentation link in the Management Console linked to an invalid location.
• Large Git LFS objects and release downloads were temporarily buffered to the root disk. This could lead to disk space contention.
• The create team API endpoint returned a 500 error if LDAP Sync is enabled and the team already exists.
• The hookshot-unicorn service could fail to start if there was a large backlog of webhook jobs.
• Tearing down replication did not remove the database seed data used when configuring high availability replication.
• The license expiry notification was shown if the appliance was restarted after the current has license expired.
• The elasticsearch-upgrade service was not stopped during the upgrade process when upgrading via a hotpatch. This could lead to unnecessary logging to the root disk.
• Applying a hotpatch that required a reboot did not warn that a reboot is required.
• Postfix attempted to negotiate NTLM authentication if the relay host offered it.
• Toggling each of the Branch Protection settings would produce inconsistent audit log events.
• Toggling the 'Require review from Code Owners' Branch Protection setting did not generate an audit log event.
• Background job logging to /var/log/github/production.log could consume large amounts of disk space. The fast growth of this log file could cause the root disk to fill up.
• Comparing branches with unicode characters in their names could fail with a '500 Internal Server Error'.
• Large API requests could trigger excessive logging in the exceptions log. (updated 2018-01-31)

Changes

• ghe-diagnostics can now upload directly to GitHub using the -u or -t [ticket reference] options.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
• GitHub Apps silently fail to be created when the name contains an underscore.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• The pull request review request has users reversed, after migration with ghe-migrator.
• The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong.
• The gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Meltdown

This release addresses the Meltdown (CVE-2017-5754) attack. This has been fixed in the 3.16.51-3+deb8u1 release from Debian. Please note that this patch does not address the Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerability. A fix is not available for the Spectre vulnerability yet.

Internally conducted benchmarks indicate the performance impact is limited to a 2-5% increase in CPU usage on most platforms. The impact can vary depending on your usage and platform though. If you see a significant performance difference, don't hesitate to reach out to Enterprise Support.

Note on Hotpatching

The hotpatch contains an upgrade to the kernel and requires a reboot. The Meltdown attack is not fixed until a reboot is performed.

Security Fixes

• HIGH: Kernel is updated to 3.16.51-3+deb8u1 which implements Kernel Page Table Isolation (KPTI) to address Meltdown.

Bug Fixes

• ghe-dbconsole, in a cluster environment, did not work on nodes without a database role.
• The ghe-repl-status command-line utility incorrectly showed TypeError: no implicit conversion of Symbol into Integer when there are repositories or gists with bad replica counts.
• The ghe-dpages check-replicas command could show an error with widely dispersed geo replicas.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
• GitHub Apps silently fail to be created when the name contains an underscore.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• The pull request review request has users reversed, after migration with ghe-migrator.
• The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong.
• The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists.
• Background job logging to /var/log/github/production.log may consume large amounts of disk space. The fast growth of this log file could cause the root disk to fill up.
• Large API requests may trigger excessive logging in the exceptions log. (updated 2018-01-31)
• The gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Meltdown & Spectre

Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to extract data which is currently processed on the same machine. This also can affect GitHub Enterprise.

The risk to GitHub Enterprise depends on the environment that it runs in. There are two main vectors of attack that need to be considered.

Virtualization platform

Given that GitHub Enterprise runs on various virtualization platforms, it's essential to update the virtualization platform where possible to mitigate any of these issues. The existing patches and fixes almost all focus on solving Meltdown. Meltdown is more straightforward to fix and most providers focus on this first.

Spectre is more complicated to exploit and also more complicated to fix. KVM for example is not vulnerable to Meltdown but is vulnerable, with a proof of concept, to Spectre which was tested by Google in the project originally (see https://googleprojectzero.blogspot.nl/2018/01/reading-privileged-memory-with-side.html). Specifically under "Reading host memory from a KVM guest". This Spectre exploit tested against a specific kernel version, but nothing implies it's impossible to adapt for other kernel versions and or other virtualization platforms.

The following Cloud and virtualization platforms have released announcements and/or fixes.

• On AWS we use HVM for virtualization. According to Amazon, HVM is not vulnerable to Meltdown. Also see https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
• Xen VMs using PV virtualization are vulnerable. We recommend switching to HVM virtualization as HVM is not vulnerable to Meltdown. Also see https://xenbits.xen.org/xsa/advisory-254.html under "Mitigation".
• Google Cloud is not vulnerable to Meltdown as VMs there are isolated and cross VM attacks are not possible.
  See their FAQ and the Google Cloud Security Bulletins page.
• Microsoft Azure is updating/rebooting infrastructure where necessary to mitigate potential hypervisor level issues. See https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/.
• VMWare has released patches to address this at the hypervisor level: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html & https://lists.vmware.com/pipermail/security-announce/2018/000397.html. We strongly encourage customers install those patches.
• Intel has also announced they will be releasing updates for their processors. If the host platform you run GitHub Enterprise on has these patches available in the future, we also strongly recommend installing those.

Inside GitHub Enterprise

The vulnerability can also be exploited if there is code under the control of an attacker running on the same system. GitHub Enterprise has very limited support for custom code in the form of pre-receive hooks. Pre-receive hooks are limited such that administrators are the only ones who can set them up and their runtime execution is limited to 5 seconds. Both these aspects greatly limit the risk of data exposure through pre-receive hooks. As a general rule, administrators should ensure that only known and trusted pre-receive hooks are enabled on their appliance.

GitHub Enterprise is based on Debian Jessie. A fix for Meltdown is not yet available for Debian Jessie, as can be seen in the Debian CVE tracker for Meltdown. The new kernel version will be included in a future release of GitHub Enterprise and can potentially come with a performance regression. Accordingly, we recommend testing that release before putting it into production.

Summary

The primary risk for GitHub Enterprise installations is cross-guest or host <-> guest data leakage on the virtualization platform. This may be mitigated by the support cloud hosting providers, or by the suppliers of virtualization software. There is very limited risk of externally supplied software running within the appliance obtaining data from other processes, mitigated by administrators only enabling pre-receive hooks that are reviewed and trusted.

Security Fixes

• LOW: Pre-receive hooks could access internal cloud platform metadata. The metadata resources have been restricted to the root user.
• Packages have been updated to the latest security versions.

Bug Fixes

• Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions.
• Changes to legal hold state of a repository did not trigger an audit log event.
• After changing HTTP proxy configuration in the Management Console, webhooks did not use the settings unless hookshot-resqued was restarted manually.
• NUMA enabled appliances could crash with a kernel panic. This was a known issue with linux-image-3.16.51-2.
• GitHub Apps referenced an invalid profile in the notifications and comment views.
• The pre-receive hook $GITHUB_PULL_REQUEST_AUTHOR_LOGIN environment variable was empty when pull requests were merged via the API.
• Permission update notifications for GitHub Apps were not sent to organization administrators.

Changes

• GitHub Enterprise support ticket creation via e-mail (enterprise@github.com) has been disabled. Please contact GitHub Enterprise Support using the Submitting a ticket article.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
• GitHub Apps silently fail to be created when the name contains an underscore.
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
• The pull request review request has users reversed, after migration with ghe-migrator.
• The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong.
• The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists.
• The ghe-repl-status command-line utility incorrectly shows TypeError: no implicit conversion of Symbol into Integer when there are repositories or gists with bad replica counts. (updated 2018-01-10)
• Reviewers and the "Review requested" status disappear on pull requests migrated with ghe-migrator. (updated 2018-01-12)
• Background job logging to /var/log/github/production.log may consume large amounts of disk space. The fast growth of this log file could cause the root disk to fill up. (updated 2018-01-16)
• Large API requests may trigger excessive logging in the exceptions log. (updated 2018-01-31)
• The gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard.
• Authentication graphs in the management console were incorrectly empty and auth.result.* metrics weren't forwarded to external collectd servers.
• Orphaned resqued processes accumulated and caused out-of-memory (OOM) issues.
• CODEOWNERS failed with CRLF line endings.
• Nested teams could not be migrated with ghe-migrator.
• Pre-receive hook's enforcement could not be updated with the API.
• GitHub Apps incorrectly linked to a "Report abuse" reference.
• Repository changes and creation could timeout when an organization contains many teams and members.
• When restoring a deleted repository via the site admin dashboard, an error message could be shown even though the restore worked.
• The compare view could display the incorrect additions or deletions status.
• Updates to a pull request through the API could incorrectly modify manitainer_can_modify to false when the field was not a part of the request.

Changes

• /var/log/github/production.log has been updated to include more metadata for resque.performed and resque.queued events.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
• Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions.
• GitHub Apps silently fail to be created when the name contains an underscore.
• Changes to legal hold state of a repository does not trigger an audit log event.
• After changing HTTP proxy configuration in the Management Console, webhooks do not use the settings unless hookshot-resqued is restarted manually via SSH by running: sudo systemctl restart hookshot-resqued. (updated 2017-12-20)
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order. (updated 2017-12-27)
• The pull request review request has users reversed, after migration with ghe-migrator. (updated 2017-12-27)
• The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong. (updated 2017-12-27)
• NUMA enabled appliances can crash with a kernel panic. This is a known issue with linux-image-3.16.51-2 and the workaround is to add the numa=off parameter to the kernel command line in /boot/grub/grub.cfg. Please contact GitHub Enterprise Support if you have questions. (updated 2017-12-28)
• The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
• The ghe-repl-status command-line utility incorrectly shows TypeError: no implicit conversion of Symbol into Integer when there are repositories or gists with bad replica counts. (updated 2018-01-10)
• Reviewers and the "Review requested" status disappear on pull requests migrated with ghe-migrator. (updated 2018-01-12)
• Background job logging to /var/log/github/production.log may consume large amounts of disk space. The fast growth of this log file could cause the root disk to fill up. (updated 2018-01-16)
• Large API requests may trigger excessive logging in the exceptions log. (updated 2018-01-31)
• The gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team

Features

• Archive repositories to indicate when a project is no longer actively maintained.
• Install and renew TLS certificates from Let's Encrypt® on your appliance without any required manual maintenance.
• View the modules, libraries, projects, and corresponding licenses that are used by a GitHub Enterprise appliance.
• Install a hotpatch using the management console or schedule an installation to upgrade your GitHub Enterprise appliance to the latest patch release.
• Attach .log files to issues and pull requests.
• Configure automation for project board columns to keep cards in sync with associated issues and pull requests.
• Request to nest an existing team under your team in your organization’s hierarchy.
• Search repositories by license type.
• Create global web hooks to monitor, respond to, or enforce rules for user and organization management on your appliance.
• View a comment's edit history.
• Place a legal hold on a user or organization to ensure that repositories they own cannot be permanently removed.
• Faster MySQL and Redis failover for high availability and clustering environment.
• View a user's public GPG key by visiting the /login.gpg endpoint.
• GitHub Apps is available as an early access technical preview.

Security Fixes

• Packages have been updated to the latest security versions.
• Users could accept an organization invitation incorrectly sent to an unverified email address.

Bug Fixes

• The ghe-es-search-repair script refused to run in a single instance environment.
• The OpenVPN log was not created if it did not already exist.
• The audit log rotation schedule was unintentionally set to weekly instead of daily.
• Archived repositories were not restored correctly in cluster environments.
• The Management Console was not correctly reloaded after a hotpatch is applied.
• Chrome attempted to automatically fill the SMTP and SNMP password fields with the password for the management console.
• Migration archives excluded users who created a protected branch and were subsequently removed from the organization.
• Git repair jobs repeatedly tried to access unavailable objects, causing high CPU usage.
• Searching for users or email addresses in the site admin tools did not return results for incomplete and fuzzy matches.
• The merge button got stuck in the "Checking for ability to merge" state.
• ghe-cluster-status returned invalid JSON when nodes were unavailable.
• Projects were incorrectly editable when the repositories was locked for migration.
• Users were unable to add collaborators to a personal project when the actor followed a large number of users.
• Pages failed to publish when the publishing source was configured as a path to a submodule.
• The followers and following count incorrectly considered suspended accounts.
• The squash and merge option was not resizing the text area to the height of the commit message.

Changes

• To restrict actions on raw content, including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy, our content security policy (CSP) header for raw URLs now includes the sandbox attribute.
• babeld.log includes an api_time key for internal timings on verifying authentication.
• codeload.log include a api_ms attribute for internal timings.
• gitauth.log has been updated to add the commit-refs, verification-tokens, pre-2fa, and git-lfs-authenticate actions and include the request_ip and path_info metadata.
• The GitHubMetadata GraphQL API object has been added.
• The meta RESTAPI endpoint has been updated to include installed_version for the GitHub Enterprise version.
• Webhooks payloads have been updated to include two headers, X-GitHub-Enterprise-Version and X-GitHub-Enterprise-Host.
• The git signing API is no longer behind a preview header.
• Outside collaborators will be counted in the team member count view in the site admin dashboard.
• The number of cards awaiting triage has been added to the project section of the site admin dashboard.
• ghe-nwo command-line utility can identify the repository owner from a repository id.
• ghe-version command-line utility returns the current GitHub Enterprise version number.
• Topic descriptions will render GitHub Flavored Markdown.
• Project notes character limit has been increased to 1024 from from 250.
• Project, webhook APIs created_at and updated_at fields have been updated to use a consistent and standard YYYY-MM-DDTHH:MM:SSZ ISO 8601 format.
• GPG verification for commits are parallelized for faster performance.

Backups and Disaster Recovery

GitHub Enterprise 2.12 requires at least GitHub Enterprise Backup Utilities 2.11.2 for Backups and Disaster Recovery.

Upcoming deprecation of Internet Explorer 11 support

Support for Internet Explorer 11 will be deprecated on September 13, 2018. There will be no changes in site functionality, but a warning banner will be displayed to Internet Explorer 11 users.

Upcoming deprecation of VMware ESX 5.5 support

Support for VMware ESX 5.5 will be deprecated on September 19, 2018.

Upcoming deprecation of GitHub Enterprise 2.9

GitHub Enterprise 2.9 will be deprecated as of March 1, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• GitHub Enterprise clustering can not be configured without https.
• Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
• Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions.
• After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-12-19)
• GitHub Apps silently fail to be created when the name contains an underscore.
• Authentication graph is incorrectly empty because auth.result.* metrics are missing and not forwarded to external collectd servers.
• Changes to legal hold state of a repository does not trigger an audit log event.
• After changing HTTP proxy configuration in the Management Console, webhooks do not use the settings unless hookshot-resqued is restarted manually via SSH by running: sudo systemctl restart hookshot-resqued. (updated 2017-12-19)
• Pull request review comments migrated with ghe-migrator are displayed in the wrong order. (updated 2017-12-27)
• The pull request review request has users reversed, after migration with ghe-migrator. (updated 2017-12-27)
• The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong. (updated 2017-12-27)
• The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
• The ghe-repl-status command-line utility incorrectly shows TypeError: no implicit conversion of Symbol into Integer when there are repositories or gists with bad replica counts. (updated 2018-01-10)
• Reviewers and the "Review requested" status disappear on pull requests migrated with ghe-migrator. (updated 2018-01-12)
• Large API requests may trigger excessive logging in the exceptions log. (updated 2018-01-31)
• The gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
• Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
• On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
• Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Thanks!

The GitHub Team