GitHub Enterprise 11.10.332
April 23, 2014
Heartbleed Vulnerability Information
GitHub Enterprise is not (and was not) affected by the Heartbleed vulnerability. The version of OpenSSL included with the appliance is not vulnerable to the attack. Please contact us at enterprise@github.com if we can help elaborate on this in any way.
Security
- CRIT: An authorized user could perform remote command execution with specially crafted Git requests.
- HIGH: Remote content could be loaded in faceboxes by injecting rel=facebox in user-editable content.
- HIGH: Java applications were potentially remotely exploitable (Oracle's April 2014 Critical Patch Update).
- MED: A potential regex DoS attack vector existed in the API.
- MED: A public repository could be compared to a private fork by an unauthorized user using the API.
- MED: YAML URI parsing could allow arbitrary code execution through a heap overflow (CVE-2014-2525).
Bugfixes
- A race condition during configuration could prevent some processes from restarting.
- Repository size on disk was miscalculated in some circumstances.
- Paths were not always properly UTF-8 encoded when using Subversion.
- File size limits were too restrictive when using Subversion.
- Merging a pull request could introduce repository corruption in some cases.
- Web requests to repository pages were not properly redirected when .git was appended.
- Users could create repositories via the API that they subsequently couldn't access under some conditions.
- The API incorrectly returned a 404 Not Found status in some cases when an incorrect LDAP password was used.