The 2.11 series release notes contain important changes in this release series.
Remote code execution with server side request forgery in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.
The affected supported versions are:
- 2.11.0 - 2.11.23
- 2.12.0 - 2.12.16
- 2.13.0 - 2.13.8
- 2.14.0 - 2.14.2
Next steps
Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.
Security Fixes
- Packages have been updated to the latest security versions.
Bug Fixes
- Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages were reported to syslog when booting non-cloud based appliances.
- MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
- Hotpatching on Azure would fail due to a package conflict between waagent and walinuxagent.
- The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
- The ghe-org-admin-promote command-line utility would fail when attempting to promote a user without two-factor authentication enabled as an admin of an org where two-factor authentication is required.
- New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.
Changes
- User-Agent has been added to Access-Control-Allow-Headers to support API clients which follow the Fetch specification.
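The reason this matters is the CORS preflight: a client following the Fetch specification lists every non-safelisted request header in Access-Control-Request-Headers, and the actual request is only sent if each of those names appears in the server's Access-Control-Allow-Headers (or is covered by a wildcard). The following is an added example, not GitHub's code: a small model of that check, with constructed "before" and "after" header values that assume a client sending User-Agent alongside Authorization. Safelisted header value restrictions from the spec are omitted.

```javascript
// Added example (not GitHub's code): a minimal model of the Fetch spec's
// CORS-preflight header check, showing why a header name missing from
// Access-Control-Allow-Headers blocks a cross-origin API request.

// CORS-safelisted request headers never need to be listed by the server.
// (The spec also restricts their values; that part is left out here.)
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Header names a spec-following client puts in Access-Control-Request-Headers:
// every header on the request that is not CORS-safelisted, lower-cased.
function unsafeRequestHeaders(requestHeaders) {
  return Object.keys(requestHeaders)
    .map((name) => name.toLowerCase())
    .filter((name) => !SAFELISTED.has(name))
    .sort();
}

// Parse a comma-separated Access-Control-Allow-Headers value into a set of names.
function parseAllowHeaders(value) {
  return new Set(
    (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
}

// Decide whether the preflight response lets the actual request through.
// Returns { allowed, blockedHeaders } so callers can see what would fail.
function preflightAllows(requestHeaders, allowHeadersValue, credentialsMode = 'omit') {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // Per the current Fetch spec, '*' is only a wildcard when credentials are
  // not included, and Authorization must always be listed explicitly.
  const wildcard = allowed.has('*') && credentialsMode !== 'include';
  const blocked = unsafeRequestHeaders(requestHeaders).filter(
    (name) => !(allowed.has(name) || (wildcard && name !== 'authorization'))
  );
  return { allowed: blocked.length === 0, blockedHeaders: blocked };
}

// Constructed sample: an API client that sets User-Agent and a token header.
const sampleRequest = {
  'Content-Type': 'application/json',
  'User-Agent': 'example-client/1.0',
  Authorization: 'token example',
};

// Constructed Access-Control-Allow-Headers values before and after adding User-Agent.
const ALLOW_BEFORE = 'Authorization, Content-Type, X-Requested-With';
const ALLOW_AFTER = 'Authorization, Content-Type, User-Agent, X-Requested-With';

// Run the sample request against both server configurations.
function compareBeforeAfter() {
  return {
    before: preflightAllows(sampleRequest, ALLOW_BEFORE),
    after: preflightAllows(sampleRequest, ALLOW_AFTER),
  };
}

console.log(JSON.stringify(compareBeforeAfter(), null, 2));
```

With the "before" value the preflight fails solely because of User-Agent; with the "after" value it passes. The wildcard branch also shows why `*` is not a shortcut for credentialed API calls: with credentials included, or for Authorization, the name must be spelled out.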
Upcoming deprecation of GitHub Enterprise 2.11
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Known Issues
- We incorrectly redirect to the dashboard if you access GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
- The pull request review request has users reversed after migration with ghe-migrator.
- The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong.
- The gpgverify service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team