GitHub Enterprise 2.14.25 July 02, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Viewing the profile of a user with a username similar to a common HTML error page, for example 404-html, would display the error page and not the user's profile.
  • Reattaching a forked repository to its parent after changing the visibility would fail for the second and subsequent forks.

Upcoming deprecation of GitHub Enterprise Server 2.14

GitHub Enterprise Server 2.14 will be deprecated as of July 12, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.24 June 26, 2019

OAuth app authorization bypass

A CRITICAL vulnerability was identified that allows an attacker to authorize an OAuth application on the account of a targeted user without the approval of the targeted user. This would allow an attacker to execute actions on behalf of the targeted user via the authorized OAuth application. The attacker would need to be able to create an OAuth application on the affected GitHub Enterprise Server instance to perform this attack. Additionally, to execute the attack, the targeted user would need to visit an attacker controlled website.

The affected supported versions are:

  • 2.14.0 - 2.14.23
  • 2.15.0 - 2.15.16
  • 2.16.0 - 2.16.11
  • 2.17.0 - 2.17.2

We strongly recommend upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.14.24, 2.15.17, 2.16.12, 2.17.3, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

This vulnerability was reported through the GitHub Security Bug Bounty program.

Security Fixes

  • CRITICAL: A malicious OAuth application could be authorized on a targeted user's account without requiring user approval, allowing an attacker to execute actions on behalf of the user.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.23 June 19, 2019

Security Fixes

  • MEDIUM: An attacker with direct network access to the server could send a specially crafted sequence of network packets that could cause a kernel panic or slow down the system causing a Denial of Service (DoS). For more information, see the associated CVEs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • GitHub Enterprise incorrectly enforced a version of Backup Utilities that was the same or newer than the precise patch version of GitHub Enterprise.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.22 June 04, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • GitHub Enterprise incorrectly enforces a version of Backup Utilities that is the same or newer than the precise patch version of GitHub Enterprise. (updated 2019-06-25)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.21 May 21, 2019

Security Fixes

  • HIGH: An endpoint in the GitHub API would disclose sensitive user information in its error response. The disclosed information included authentication tokens that could be used to authenticate as other users without authorization. An authenticated user on the instance would be required to access the affected API.
  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.20 May 07, 2019

Security Fixes

  • In certain cases, when a user would try to authorize their account through the OAuth web application flow, not all of the requested scopes would appear on the authorization page.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.19 April 23, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.18 April 09, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Release assets uploaded via the Releases API would fail if the asset is larger than 1GB.
  • The package validation performed when upgrading would print the result of an internal check.
  • The maximum number of allowed connections to the internal HAProxy load balancer could be reached on very large instances leading to a large backlog of resqued jobs.
  • DNS resolution of appliance hostnames in a HA configuration could timeout or return an incorrect IP address.
  • Some pull requests and issues were purged completely when restoring the repository right after deleting it.

Changes

  • Running ghe-repl-promote will now prompt for confirmation. To promote a replica without confirmation, use the -y flag: ghe-repl-promote -y.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.17 March 26, 2019

Bug Fixes

  • Certain scenarios resulted in a sign out message being displayed incorrectly.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it.

Thanks!

The GitHub Team

GitHub Enterprise 2.14.16 March 13, 2019

Arbitrary file content disclosure vulnerability in GitHub Enterprise Server

A CRITICAL issue was identified in Rails that allows an attacker to send a specially crafted request that could allow arbitrary files to be read and the file content to be disclosed.

The affected supported versions are:

  • 2.13.0 - 2.13.21
  • 2.14.0 - 2.14.15
  • 2.15.0 - 2.15.8
  • 2.16.0 - 2.16.3

All older, no longer supported versions are also affected.

We strongly urge upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.13.22, 2.14.16, 2.15.9, 2.16.4, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

Security Fixes

  • CRITICAL: A specially crafted request could allow arbitrary files to be read and the file content to be disclosed. For more information see the associated Rails CVE: CVE-2019-5418.
  • HIGH: High CPU usage could be triggered by a specially crafted request resulting in Denial of Service (DoS). For more information see the associated Rails CVE: CVE-2019-5419.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • In rare circumstances, a race condition could lead to repository data loss if an automated background maintenance job was triggered during a configuration update.
  • A pull request with a status check that was created by a deleted GitHub App would fail to load and showed a 500 error.
  • A race condition during git operations sometimes caused the default branch to be assigned incorrectly.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.15 February 26, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.14 February 13, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Uploads of some image types could fail when using Git LFS 2.5.0 or newer.
  • Entries for the babeld.log, gitauth.log, production.log, resqued.log and unicorn.log log files were truncated when forwarded to a central log server.
  • Restoring a backup containing a very large number of deleted repositories could fail with the error "Resource temporarily unavailable".

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.13 January 29, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Webhooks continued to be delivered via a proxy server after removing the proxy configuration.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.12 January 15, 2019

Bug Fixes

  • Repositories migrated with ghe-migrator were not automatically re-indexed, so they weren't returned in search results until manually re-indexed.
  • Users could encounter a 500 Internal Server Error when viewing a pull request on a repository imported with ghe-migrator that contains references to another pull request the user does not have access to.

Changes

  • Wikis for forked repositories now have the "Restrict access to collaborators" setting enabled by default.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.11 December 11, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • An Elasticsearch node ID collision could happen when adding a high availability replica that has been part of a high availability replication environment before or has been restored from a backup.
  • 404 Not Found errors were shown in the browser console for some script requests when using the code editor.
  • The import of project boards with ghe-migrator failed when the creator of a card on the board no longer exists on the source instance.
  • Migrating a repository with ghe-migrator could lead to an incorrect mapping between links to pull requests and the correct pull requests.
  • Viewing pull requests with deployments imported with ghe-migrator would fail with a 500 Internal Server Error.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.10 November 27, 2018

Security Fixes

  • CVE-2018-16471 was addressed by updating Rack.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A stale temporary file could prevent an object managed by the Alambic service, which handles binary data such as avatars and image attachments, from syncing to HA or cluster replica nodes.
  • Attempting to save settings in the Management Console incorrectly raised a validation error when an already saved TLS certificate or private key contains bag attributes.
  • Custom DNS resolver settings were reverted during appliance hotpatch upgrades.
  • /var/log/error was not automatically rotated with logrotate and could sometimes use too much disk space.
  • A slow memory leak would result in performance degradation over time.
  • The POST /repos/:owner/:repo/pulls REST API endpoint could return a 502 Bad Gateway response due to using suboptimal query indexes.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance.
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.9 November 13, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Checking the replication status on a replica during a reboot of the primary could prevent replication for Git pre-receive hooks.
  • Text between a pair of double underscores, such as __init__, was removed in code blocks in MediaWiki-formatted pages.
  • After signing in, users were sometimes shown the contents of the manifest.json file instead of being redirected to the correct location in the user interface.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head (updated 2018-12-19)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.8 October 30, 2018

Security Fixes

  • The version string presented when using Git over SSH was misleading, causing security scanners to incorrectly report GitHub as vulnerable.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • All non-root connections to the cloud provider metadata IP address (169.254.169.254) were blocked, preventing Google Cloud load balancer health checks from working correctly.
  • Installing a hotpatch when replication is not setup displayed a harmless error message: grep: /etc/github/repl-state: No such file or directory.
  • Rate limiting was enforced when adding members to organizations.
  • Using ghe-migrator to import a repository including a protected branch which has null in the creator entry failed.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head (updated 2018-12-19)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.7 October 09, 2018

Security Fixes

  • The git package has been updated to detect malicious Git submodules that could be used to exploit CVE-2018-17456.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The access control list (ACL) of configuration files transferred to replica nodes could be lost when configuring High Availability replication.
  • ghe-config-apply contained innocuous and misleading error messages about WARNING: Setting ES auto_expand_replicas failed.
  • The Grafana monitor dashboard truncated background jobs in the graph's legend.
  • Scheduling maintenance mode could cause a 500 Internal Server Error.
  • Pull request review requests weren't satisfied if a member of a subteam completed the review.

Changes

  • The osqueryi utility has been added to the GitHub Enterprise environment.
  • GitHub Enterprise is now available in Azure Government. (updated 2018-10-18)

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head (updated 2018-12-19)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.6 September 25, 2018

Security Fixes

  • CRITICAL: A file path traversal vulnerability in the jekyll-remote-theme gem of GitHub Pages could allow users to display the content of local files.

Bug Fixes

  • ghe-repl-setup allowed re-adding the same node as a replica.
  • GitHub Enterprise API responses would not be compressed when requested with gzip encoding.
  • Webhooks could fail to be delivered if the compressed payload was greater than 1 MB.
  • Upgrades could fail with Connection timed out if the hookshot service was unable to run migrations due to a firewall update that ran out of order.
  • Repository replication records may be created inconsistently, resulting in unreported replication failures. This type of replication failure is now reported in ghe-repl-status.
  • Replication could fail due to stale or duplicate entries to the primary in a replica's /etc/hosts.
  • Messages sent from the email service hook failed when the upstream SMTP server didn’t accept the plain authentication method.
  • Using Safari, administrators were unable to schedule a future hotpatch upgrade from the Management Console due to an incompatible date parse.
  • ghe-config-check would hang if run without any arguments.
  • hookshot logs weren't purged properly in Elasticsearch and could consume large amounts of disk space.
  • Migrations with ghe-migrator could fail to complete trying to add the same label to an issue.
  • The pull request page could fail to load with a 500 Internal Server Error if a reviewer is no longer a member of the GitHub Enterprise environment.
  • Users were unable to view the diff of comment edits, delete comment edit history items, dismiss the comment edit history onboarding, and reload on comment edits for gist comments.

Changes

  • GitHub Enterprise clustering has been updated to purge older than one hour MySQL binary logs prior to a ghe-restore.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head (updated 2018-12-19)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.5 September 11, 2018

Security Fixes

  • LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Promoting a replica could take an excessive amount of time in a multi-replica environment.
  • Incorrect legends were displayed in the LDAP Management Console graphs.
  • Network interface statistics were not collected or displayed due to a recent kernel upgrade.
  • When executed in verbose mode, ghe-repl-status would set its exit code to 0 even when replication issues were present.
  • The order of nameservers defined in /etc/resolv.conf was not respected when performing lookups.
  • When a web proxy was configured, uploads of files, diagnostics, or support bundles would silently fail.
  • Self-signed TLS certificates would fail to generate on Azure instances.
  • Local connections were not properly closed and resulted in a memory leak.
  • Tags created through a release contained incomplete reflog data.
  • Organizations could be incorrectly suspended via the Suspend User REST API.
  • Email visibility could be incorrectly toggled via the REST API.
  • Rate limits on raw and archive endpoints were left enabled even when configured to be disabled.
  • Users can no longer accidentally upload their private PGP keys.

Changes

  • Optimise Elasticsearch backup process by preferring local copies of indices.

Upcoming deprecation of GitHub Enterprise 2.11

GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head (updated 2018-12-19)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.4 August 28, 2018 Download

A file path traversal vulnerability in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

  • 2.12.0 - 2.12.17
  • 2.13.0 - 2.13.9
  • 2.14.0 - 2.14.3

GitHub Enterprise 2.11 is not vulnerable.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.18, 2.13.10, 2.14.4, or greater.

Security Fixes

  • CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files.
  • MEDIUM: Access may have been inadvertently granted to internal IP addresses of GitHub Enterprise. The fix removed any access grants via an IP address.
  • LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
  • Packages have been updated to the latest security versions.
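The LOW-severity tab-nabbing fix listed here and in 2.14.5 concerns links rendered from Markdown that open in a new tab: without rel="noopener", the opened page receives a window.opener reference and can navigate the original tab. The following is an added example, not GitHub Enterprise code, showing a scanner that flags such anchors in rendered HTML and a hardening pass that adds rel="noopener noreferrer". The attribute parser and the sample HTML are constructed for the example.

```javascript
// Added example (not GitHub Enterprise code): detect and harden anchors that
// open a new browsing context without rel="noopener". Such anchors hand the
// opened page a window.opener reference, which is what tab-nabbing abuses.

const ANCHOR_RE = /<a\b([^>]*)>/gi;

// Minimal attribute parser (constructed for this example): handles double-
// quoted, single-quoted, unquoted and valueless attributes.
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    const value = [m[2], m[3], m[4]].find((x) => x !== undefined);
    attrs[m[1].toLowerCase()] = value === undefined ? '' : value;
  }
  return attrs;
}

function serializeAttrs(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => (v === '' ? k : `${k}="${v}"`))
    .join(' ');
}

// Returns the href of every anchor that uses target="_blank" but lacks
// rel="noopener"; these are the links a reviewer would flag.
function findTabNabbingLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener')) findings.push(attrs.href || '');
  }
  return findings;
}

// Returns a copy of the HTML in which every target="_blank" anchor carries
// rel="noopener noreferrer"; other anchors are left untouched.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (full, attrString) => {
    const attrs = parseAttrs(attrString);
    if ((attrs.target || '').toLowerCase() !== '_blank') return full;
    const rel = new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    rel.add('noopener');
    rel.add('noreferrer');
    attrs.rel = [...rel].join(' ');
    return `<a ${serializeAttrs(attrs)}>`;
  });
}

// Constructed sample of rendered Markdown: one unsafe link, one same-tab link,
// one already-hardened link.
const SAMPLE_HTML =
  '<p>See <a href="https://example.invalid/doc" target="_blank">docs</a>, ' +
  '<a href="/local">home</a> and ' +
  '<a href="https://example.invalid/ok" target="_blank" rel="noopener">ok</a>.</p>';
```

Running findTabNabbingLinks over the output of hardenLinks returns an empty list, which is the check a Markdown renderer's test suite would keep. Modern browsers treat target="_blank" as implying noopener, but older browsers and any renderer that must support them still need the explicit attribute.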

Bug Fixes

  • Corrupted Consul configuration data could prevent appliance configuration changes from completing successfully.
  • Deleting an SNMPv3 user via ghe-snmpv3-remove-user did not remove all account data, preventing administrators from updating the password for the SNMPv3 user.
  • Terminating the ghe-set-password command could result in unexpected shell behavior.
  • Messages sent from the email service hook failed due to a recent security update.
  • Viewing a GitHub App page could result in an error if the parent organization contained repositories which were user-administered.
  • Adding a new integration failed if the license seat limit was reached.

Upcoming deprecation of GitHub Enterprise 2.11

GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.3 August 21, 2018 Download

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.

The affected supported versions are:

  • 2.11.0 - 2.11.23
  • 2.12.0 - 2.12.16
  • 2.13.0 - 2.13.8
  • 2.14.0 - 2.14.2

Errata: A file path traversal vulnerability in GitHub Enterprise

GitHub Enterprise 2.14.3, 2.13.9, and 2.12.17 were not patched properly and are still vulnerable to the file path traversal vulnerability. GitHub Enterprise 2.14.4, 2.13.10, and 2.12.18 will ship next week to address this vulnerability. As a manual workaround, you can disable Pages on the GitHub Enterprise environment. (updated 2018-08-23)

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

  • 2.12.0 - 2.12.17 (originally listed as 2.12.0 - 2.12.16)
  • 2.13.0 - 2.13.9 (originally listed as 2.13.0 - 2.13.8)
  • 2.14.0 - 2.14.3 (originally listed as 2.14.0 - 2.14.2)

GitHub Enterprise 2.11 is not vulnerable.

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.17, 2.13.9 or 2.14.3.

Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11 for the remote code execution vulnerability. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.

Security Fixes

  • CRITICAL: An attacker with repository admin or owner privileges could execute arbitrary commands on the appliance.
  • CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files. (updated 2018-08-23)
  • Packages have been updated to the latest security versions.
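The file path traversal issue in Pages, described in this release and in 2.14.4, is the class of bug in which a request path such as /../../etc/passwd is joined onto a site's directory without first confining the result to that directory. The following is an added example, not GitHub Enterprise code, of the confinement check a static-site host must perform; the site root, helper names and sample requests are constructed for the example.

```javascript
// Added example (not GitHub Enterprise code): confine a requested file path to
// a site's root directory before it is used to open a file. The function works
// on strings only, so it runs without touching the filesystem.

const SITE_ROOT = '/data/pages/sites/example-site'; // constructed path

// Decode percent-encoding exactly once. Malformed sequences, a second layer of
// encoding (%252e) and NUL bytes are refused rather than guessed at.
function decodeOnce(requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch (e) {
    return null;
  }
  if (decoded.includes('%') || decoded.includes('\0') || decoded.includes('\\')) return null;
  return decoded;
}

// Resolve a request path (e.g. "/docs/../index.html") to an absolute file path
// under root. Returns null when the request would climb above the root; the
// caller should log that as a traversal attempt rather than serve a fallback.
function resolveUnderRoot(root, requestPath) {
  const decoded = decodeOnce(requestPath);
  if (decoded === null) return null;
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // would escape the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.length ? `${root}/${out.join('/')}` : root;
}

// Constructed sample requests a site host might receive, with expected outcomes.
const SAMPLE_REQUESTS = [
  { path: '/index.html', expect: 'served' },
  { path: '/docs/../index.html', expect: 'served' },
  { path: '/../../../etc/passwd', expect: 'rejected' },
  { path: '/docs/%2e%2e/%2e%2e/etc/passwd', expect: 'rejected' },
  { path: '/%252e%252e/etc/passwd', expect: 'rejected' },
];

// Returns the list of request paths the check rejects, useful as a detection
// feed for an access log review.
function rejectedRequests(requests) {
  return requests
    .filter((r) => resolveUnderRoot(SITE_ROOT, r.path) === null)
    .map((r) => r.path);
}
```

String-level confinement is necessary but not sufficient: symbolic links inside the root can still point outside it, so a host that serves user-controlled content also resolves the real path after opening the file and checks it against the root again.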

Bug Fixes

  • ghe-repl-status, used to query the status of high availability replication, failed with the error parse error: Invalid numeric literal at line 1, column 3.
  • Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages were reported to syslog when booting non-cloud based appliances.
  • Signing in with SAML authentication on a newly-deployed GitHub Enterprise appliance could fail with a 500 Internal Server Error.
  • MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
  • Hotpatching on Azure would fail due to a package conflict between waagent and walinuxagent.
  • The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
  • The ghe-org-admin-promote command-line utility would fail when attempting to promote a user without two-factor authentication enabled as an admin of an org where two-factor authentication is required.
  • New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.

Changes

  • Restoring cluster backups could fail if inconsistent repository data is stored in the backup. These cases are now logged and the restore allowed to continue when using backup-utils v2.14.2.
  • Feature upgrades in environments with a large number of labels would take longer than needed.

Upcoming deprecation of GitHub Enterprise 2.11

GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Errata

  • GitHub Enterprise 2.14.3 was not patched properly and is still vulnerable to the file path traversal vulnerability. (updated 2018-08-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.2 August 07, 2018 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Running ghe-support-upload or ghe-cluster-support-upload with sudo would set restrictive permissions on a temporary directory preventing subsequent execution of these commands by the admin user.
  • The webhook Elasticsearch index replica count was not adjusted when upgrading the appliance leading to Elasticsearch attempting to over or under replicate the index.
  • In high availability environments, Consul would attempt to communicate with the other node using the public IP address in addition to the VPN IP address. These are correctly blocked but result in a flood of errors in the system log.
  • The compare page could fail to load if a user of a fork of the repository has been deleted.
  • Redundant routes were created for archived gists when restoring to a cluster environment. This prevented archived gists from being unarchived.
  • Searching for GitHub.com wiki results could fail with a 406 Not Acceptable.
  • Searching for GitHub.com code results could fail with a 500 Internal Server Error.

Changes

  • The connect timeout has been increased to allow up to four retries during a cluster restore.
  • Repositories which failed periodic maintenance needed manual intervention. GitHub Enterprise now retries maintenance for failed repositories once per week.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.1 July 24, 2018 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The high availability replication status as reported by ghe-repl-status reported a harmless error, parse error: Invalid numeric literal at line 1, column 3.
  • Attempting to rename a repository and only changing character casing resulted in an error.
  • Pages was not replicated properly when tearing down and re-attaching a former replica.
  • The "Files Changed" view failed to display all changes when the difference contained a type change and the difference was too large.
  • The "Learn more" reference when configuring a "GitHub.com connection" used an incorrect help.github.com guide.
  • Built-in users would not have a password reset button available for administrators when external authentication was used with allowing built-in accounts.

Changes

Upcoming deprecation of GitHub Services

Starting with GitHub Enterprise 2.17.0, support for GitHub Services will be deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise will continue to function but GitHub Enterprise will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner will be displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with ghe-legacy-github-services-report.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.14.0 July 12, 2018 Download

Features

Security Fixes

  • HIGH: A GitHub App could download a repository archive that it was not authorized to access during installation.
  • MEDIUM: Command-line injection could be triggered by uploading a specially-crafted pre-receive hook environment.
  • MEDIUM: Environment variables passed to pre-receive hook scripts were not properly escaped.
  • LOW: It was possible to start a shell from the network configuration settings screen available on a virtual console.
  • LOW: Filtering of parameters in log files was changed from a blacklist of fields to a whitelist. This ensures that fewer values are logged and that in the future no values are accidentally logged.
  • LOW: The body of API requests containing sensitive data was written to log files on the appliance. The request body is now only logged for debugging purposes and sensitive data is scrubbed before being logged.
  • Packages have been updated to the latest security versions.
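The two LOW items above about log filtering describe the same design change from two angles: a denylist of sensitive field names only redacts what it has been told about, so a newly introduced parameter is logged in full until someone notices, whereas an allowlist of known-safe fields redacts everything else by default. The following is an added example, not GitHub Enterprise code, that shows both scrubbers side by side plus a recursive variant for JSON request bodies; the field names and sample request are constructed for the example.

```javascript
// Added example (not GitHub Enterprise code): scrubbing request parameters
// before they reach a log file. The denylist version misses any sensitive
// field it was not told about; the allowlist version logs only fields known
// to be safe, so a new parameter name is redacted by default.

const REDACTED = '[FILTERED]';

// Denylist: redact only the named fields. Anything else is logged as-is.
const DENYLIST = new Set(['password', 'token']); // constructed

function scrubDenylist(params, deny = DENYLIST) {
  const out = {};
  for (const [key, value] of Object.entries(params)) {
    out[key] = deny.has(key.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

// Allowlist: keep only fields known to be safe to log; redact everything else.
const ALLOWLIST = new Set(['per_page', 'page', 'sort', 'state']); // constructed

function scrubAllowlist(params, allow = ALLOWLIST) {
  const out = {};
  for (const [key, value] of Object.entries(params)) {
    out[key] = allow.has(key.toLowerCase()) ? value : REDACTED;
  }
  return out;
}

// Recursive allowlist variant for JSON request bodies: nested objects and
// arrays are walked, so a secret under a nested key is still redacted.
function scrubBody(body, allow = ALLOWLIST) {
  if (Array.isArray(body)) return body.map((item) => scrubBody(item, allow));
  if (body !== null && typeof body === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(body)) {
      if (value !== null && typeof value === 'object') {
        out[key] = scrubBody(value, allow);
      } else {
        out[key] = allow.has(key.toLowerCase()) ? value : REDACTED;
      }
    }
    return out;
  }
  return body;
}

// Constructed sample: a request carrying a secret under a name the denylist
// was never told about (client_secret).
const SAMPLE_PARAMS = { page: '2', per_page: '50', password: 'hunter2', client_secret: 'abc123' };

// Builds the line that would be written to the request log, using the
// allowlist scrubber so unknown fields never reach the file.
function formatLogLine(method, requestPath, params) {
  return `${method} ${requestPath} params=${JSON.stringify(scrubAllowlist(params))}`;
}
```

The denylist result for SAMPLE_PARAMS still contains client_secret in clear text, which is the failure mode the release note is closing off; the allowlist result contains only page and per_page. Note that the allowlist must be maintained per endpoint where the same field name is safe in one place and sensitive in another.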

Bug Fixes

  • Parallel uploads of the same Git LFS object could fail but be reported as successful.
  • Jupyter notebooks added to a Gist would fail to render on appliances with subdomain isolation disabled.
  • Including the port in the Host header when requesting a Pages site would return a 404 error.
  • A pull request created via the API could be assigned an ID of 0.
  • The LDAP users page at /stafftools/users/ldap had layout and accessibility issues.
  • The Fork button was enabled for repositories in cases where a repository could not be forked anywhere.

Changes

  • Upgrade to Elasticsearch 5.6. An upgrade to GitHub Enterprise 2.14 requires a manual migration while the appliance is running GitHub Enterprise 2.12 or 2.13.
  • Following users is rate limited to 35 users per minute or 300 users per hour.
  • /var/log/github/audit.log has been updated to output audit events only when there has been a change.
  • babeld.log has been updated to include the X-Forwarded-For and ts (timestamp) metadata.
  • Renaming an existing user is enabled for SAML configured appliances.
  • New REST API resources have been added.
  • GraphQL API schema has been updated.
  • New webhook events have been added.

Backups and Disaster Recovery

GitHub Enterprise 2.14 requires at least GitHub Enterprise Backup Utilities 2.14.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Services

Starting with GitHub Enterprise 2.17.0, support for GitHub Services will be deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise will continue to function but GitHub Enterprise will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner will be displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with ghe-legacy-github-services-report. (updated 2017-07-24)

Upcoming deprecation of Internet Explorer 11 support

Support for Internet Explorer 11 will be deprecated on September 13, 2018.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The high availability replication status as reported by ghe-repl-status could report a harmless error, parse error: Invalid numeric literal at line 1, column 3. (updated 2018-07-17)
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team