The 2.11 series release notes contain important changes in this release series.
Remote code execution with server side request forgery in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.
The affected supported versions are:
- 2.11.0 - 2.11.23
- 2.12.0 - 2.12.16
- 2.13.0 - 2.13.8
- 2.14.0 - 2.14.2
Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.
- Packages have been updated to the latest security versions.
- Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages we reported to syslog when booting non-cloud based appliances.
- MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
- Hotpatching on Azure would fail due to a package conflict between
- The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
ghe-org-admin-promote command-line utility would fail when attempting to promote a user without two-factor-authentication enabled as an admin of an org where two-factor authentication is required.
- New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.
User-Agent has been added to
Access-Control-Allow-Headers to support API clients which follow the Fetch specification.
Upcoming deprecation of GitHub Enterprise 2.11
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
svn checkout may timeout while the repository data cache is being built. In most cases, subsequent
svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments migrated with
ghe-migrator are displayed in the wrong order.
- The pull request review request has users reversed, after migration with
- The comment count in the "Conversation" tab of a pull request migrated with
ghe-migrator can be wrong.
gpgverify service may consume large amounts of CPU time even when not processing requests.
The GitHub Team