The 2.10 series release notes contain important changes in this release series.
GitHub Enterprise includes protection from vulnerable, weak SSH keys (CVE-2017-15361)
In response to CVE-2017-15361, certain SSH authentication RSA keys that were generated by some Yubikey 4 devices are vulnerable to private key factorization. Such keys are considered cryptographically weak and therefore in need of replacement. To help users avoid vulnerable keys, GitHub Enterprise has added capabilities to detect and reject them from being configured for user authentication. GitHub Enterprise now includes an administration utility,
ghe-ssh-weak-fingerprints, to enable admins to list any affected keys and, optionally, perform a bulk revocation.
The affected supported versions are:
- 2.8.0 - 2.8.21
- 2.9.0 - 2.9.13
- 2.10.0 - 2.10.8
- 2.11.0 - 2.11.2
This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.22, 2.9.14, 2.10.9, or 2.11.3.
Please contact GitHub Enterprise Support if you have questions.
- Packages have been updated to the latest security versions.
- On Firefox browsers, the first page of some PDF files was blank when rendered.
- With private mode enabled, using
git lfs locks to show the current locks on files tracked by Git LFS showed a user ID instead of a username.
- Checking high availability replication status could incorrectly report "CRITICAL: git-hooks replication is behind the primary by 3600s".
- SMTP port was still accepting TLSv1 even after disabling the TLSv1 protocol via the Management Console.
- Migrating specific repositories with
ghe-migrator failed if an organization level Project referred to a repository that wasn't exported.
- Password reset emails included an inaccurate description of when the password reset link would expire.
- The "Clear page cache" link in the site admin modal failed if the current page's URL included query string parameters.
- Restoring a deleted repository from the site admin dashboard did not correctly restore its wiki. (updated 2017-11-09)
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
svn checkout may timeout while the repository data cache is being built. In most cases, subsequent
svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- GitHub Enterprise clustering can not be configured without https.
- Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
- After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-11-09)
- The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
- Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using
ghe-migrator. (updated 2018-04-12)
The GitHub Team