GitHub Enterprise 11.10.333 (June 10, 2014)

CCS Injection Vulnerability (CVE-2014-0224)

The ChangeCipherSpec vulnerability in the OpenSSL library allows third parties to perform man-in-the-middle attacks. In other words, if attackers can intercept encrypted network traffic, they can decrypt it without their victims knowing.

This attack only works against servers that run OpenSSL version 1.0.1 or later; the OpenSSL version on the client does not matter. GitHub Enterprise itself is not vulnerable because it ships with OpenSSL 1.0.0.

However, webhooks might be vulnerable to this attack. If the server receiving the webhook is running a vulnerable version of OpenSSL and an attacker can intercept the network traffic between GitHub Enterprise and that server, they would be able to decrypt the communication.

We care about the security of our customers and therefore decided that, even though the risk is minimal, the best solution is to issue an update.

Security

Bugfixes