GitHub Enterprise 2.11.3 October 25, 2017

The 2.11 series release notes contain important changes in this release series.

GitHub Enterprise includes protection from vulnerable, weak SSH keys (CVE-2017-15361)

CVE-2017-15361 affects certain RSA keys used for SSH authentication: keys generated by some YubiKey 4 devices are vulnerable to private key factorization. Such keys are considered cryptographically weak and need to be replaced. To help users avoid vulnerable keys, GitHub Enterprise now detects them and rejects attempts to configure them for user authentication. GitHub Enterprise also includes an administration utility, ghe-ssh-weak-fingerprints, that lets admins list any affected keys and, optionally, perform a bulk revocation.
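For administrators who want to check public keys outside the appliance, the following added example (not GitHub's code, and not a description of how ghe-ssh-weak-fingerprints works) applies the publicly documented residue test for CVE-2017-15361 to `ssh-rsa` public key lines. The function names and the sample moduli are constructed for illustration; the samples are plain integers, not real keys.

```python
import base64
import math
import struct

GENERATOR = 65537
# Odd primes up to 167; each divides the primorial the flawed key generator uses.
PRIMES = [n for n in range(3, 168, 2) if all(n % d for d in range(3, int(n**0.5) + 1, 2))]
# For each prime, the residues reachable as 65537^k mod prime.
SUBGROUPS = {p: {pow(GENERATOR, k, p) for k in range(p - 1)} for p in PRIMES}

def has_weak_structure(modulus):
    """True when the modulus falls in the 65537-generated subgroup for every prime."""
    return all(modulus % p in SUBGROUPS[p] for p in PRIMES)

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, offset = [], 0
    while offset + 4 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, offset)
        fields.append(blob[offset + 4 : offset + 4 + length])
        offset += 4 + length
    return fields

def rsa_modulus(pubkey_line):
    """Modulus of an 'ssh-rsa <base64> [comment]' line, or None for other key types."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    fields = read_fields(base64.b64decode(parts[1]))
    return int.from_bytes(fields[2], "big") if len(fields) == 3 else None

def encode_ssh_rsa(modulus, comment):
    """Build a public-key line around one of the constructed sample moduli."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # never sets the sign bit
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(GENERATOR) + mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed integers (not real keys): one with the flawed residue pattern, one without.
PRIMORIAL = 2 * math.prod(PRIMES)
FLAGGED = pow(GENERATOR, 123456789, PRIMORIAL) + (PRIMORIAL << 1828)
CLEAN = 11 * (1 << 2040) + 13  # 2 mod 11, outside the subgroup {1, 10}

def flagged_indexes(lines):
    """Indexes of the ssh-rsa lines whose modulus shows the pattern."""
    return [i for i, ln in enumerate(lines) if (n := rsa_modulus(ln)) and has_weak_structure(n)]
```

A key that matches should be replaced with one generated on unaffected hardware or in software; non-RSA keys are skipped because the flaw concerns RSA key generation.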

The affected supported versions are:

This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.22, 2.9.14, 2.10.9, or 2.11.3.

Please contact GitHub Enterprise Support if you have questions.

Security Fixes

Bug Fixes

Known Issues

Note on Hotpatching

The hotpatch contains an upgrade to the kernel and related packages and requires a reboot. The reboot can be performed at a later time after applying the hotpatch.

Thanks!

The GitHub Team