GitHub Enterprise 11.10.348 October 16, 2014

Bug Fixes

Google Chrome

A bug in Chrome caused our security middleware to incorrectly forbid file uploads, causing an empty response. This could cause initial installation, upgrades, or unlocking with a license file to fail for all instances using the 11.10.320 OVA. The bug is fixed in the 11.10.320.1 OVA included with this release.

Security Fixes

SSLv3 disabled

Google researchers have found a critical vulnerability in the SSLv3 protocol. This protocol is very old and has been replaced with TLS 1.0, 1.1 and 1.2. Due to the vulnerability, we have disabled SSLv3 support by default in 11.10.348.

We strongly recommend against re-enabling SSLv3. If legacy software still needs it after upgrading to 11.10.348, the following steps will re-enable it:

ghe-unlock

WARNING: This command opens root access to the admin user via sudo. It is
provided as a troubleshooting facility and should be used only under the
guidance of GitHub Enterprise support.

While unlocked, any user with admin SSH access will have full root access to
the VM. Please use with caution and run the ghe-lock command when finished to
prevent accidental modification of system files.

Do you understand? [Y/n] Y
Okay. Full sudo access via the admin user is now enabled.

Replace the line ssl_protocols TLSv1 TLSv1.1 TLSv1.2; in /etc/nginx/sites-enabled/github.conf with ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;:

sudo sed 's/ssl_protocols TLSv1 TLSv1.1 TLSv1.2/ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2/' -i /etc/nginx/sites-enabled/github.conf
sudo service nginx reload

You can verify whether the change was successful by running the following command from outside the instance:

openssl s_client -connect my-enterprise-instance:443 -ssl3

This should show a message similar to the following:

CONNECTED(00000003)
..
Server certificate
-----BEGIN CERTIFICATE-----
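
A complementary check for the configuration step above, as an added example that is not part of the original release notes or GitHub's tooling: it reports which nginx files carry an active ssl_protocols directive listing SSLv3, so an instance where the workaround was applied can be found and reverted. The function names and the two sample configs are constructed for illustration, and each directive is assumed to sit on a single line.

```shell
#!/bin/sh
# Added example: audit nginx config files for SSLv3 in ssl_protocols.

# Print "file:line:protocols" for each active ssl_protocols directive.
# Assumption: a directive is written on one line and ends with ";".
list_ssl_protocols() {
    awk '
        { line = " " $0; sub(/#.*/, "", line) }   # ignore commented-out text
        match(line, /[ \t;{]ssl_protocols[ \t]+[^;]*;/) {
            d = substr(line, RSTART, RLENGTH)
            sub(/^.*ssl_protocols[ \t]+/, "", d)
            sub(/[ \t]*;$/, "", d)
            printf "%s:%d:%s\n", FILENAME, FNR, d
        }' "$@"
}

# Print only the directives whose protocol list contains the SSLv3 token.
sslv3_findings() {
    list_ssl_protocols "$@" | awk -F: '{
        n = split(tolower($NF), p, /[ \t]+/)
        for (i = 1; i <= n; i++) if (p[i] == "sslv3") { print; next }
    }'
}

# Succeeds (exit 0) when at least one of the given files enables SSLv3.
sslv3_enabled() { [ -n "$(sslv3_findings "$@")" ]; }

# Constructed sample configs (not the appliance's real github.conf).
write_samples() {
    printf '%s\n' 'server {' '  listen 443 ssl;' \
        '  # ssl_protocols SSLv3 TLSv1;' \
        '  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' '}' > "$1/default.conf"
    printf '%s\n' 'server {' '  listen 443 ssl;' \
        '  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;' '}' > "$1/reenabled.conf"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.conf; do
    if sslv3_enabled "$f"; then
        echo "FAIL $(sslv3_findings "$f")"
    else
        echo "ok   $f: SSLv3 not enabled"
    fi
done
rm -rf "$demo_dir"
```

On an instance, pass the real file instead of the samples, for example `sslv3_findings /etc/nginx/sites-enabled/github.conf`; empty output means no active directive lists SSLv3.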