The 2.11 series release notes contain important changes in this release series.
GitHub Enterprise includes protection from vulnerable, weak SSH keys (CVE-2017-15361)
In response to CVE-2017-15361, certain SSH authentication RSA keys that were generated by some Yubikey 4 devices are vulnerable to private key factorization. Such keys are considered cryptographically weak and therefore in need of replacement. To help users avoid vulnerable keys, GitHub Enterprise has added capabilities to detect and reject them from being configured for user authentication. GitHub Enterprise now includes an administration utility, ghe-ssh-weak-fingerprints, to enable admins to list any affected keys and, optionally, perform a bulk revocation.
The affected supported versions are:
- 2.8.0 - 2.8.21
- 2.9.0 - 2.9.13
- 2.10.0 - 2.10.8
- 2.11.0 - 2.11.2
This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.22, 2.9.14, 2.10.9, or 2.11.3.
Please contact GitHub Enterprise Support if you have questions.
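As an added illustration, and not the implementation of GitHub's ghe-ssh-weak-fingerprints utility (which these notes do not describe), the following shows the fingerprint test that identifies CVE-2017-15361 (ROCA) moduli: affected keys have N = k*M + (65537^a mod M) with M a product of small primes, so every residue N mod p is a power of 65537, which no random modulus satisfies for all 38 primes at once. The OpenSSH key encoder and the constructed sample values are assumptions added here so the check runs offline.

```python
import base64
import math
import struct

# Small primes of the ROCA primorial M (2 omitted: every RSA modulus is odd anyway).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
                71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
                149, 151, 157, 163, 167]
E = 65537
M2 = 2 * math.prod(SMALL_PRIMES)  # primorial including 2; used only to construct test input

def allowed_residues(p):
    """Powers of 65537 modulo p: the only values N mod p an affected modulus can take."""
    residues, r = set(), 1
    while r not in residues:
        residues.add(r)
        r = (r * E) % p
    return residues

ALLOWED = {p: allowed_residues(p) for p in SMALL_PRIMES}

def is_roca_fingerprint(n):
    """True when every small-prime residue of n fits the pattern; a chance match is negligible."""
    return all(n % p in ALLOWED[p] for p in SMALL_PRIMES)

def parse_ssh_rsa(line):
    """Return (e, n) from an 'ssh-rsa AAAA... comment' public key line."""
    blob, fields, off = base64.b64decode(line.split()[1]), [], 0
    while off < len(blob):  # SSH wire format: a sequence of length-prefixed strings
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def encode_ssh_rsa(e, n):
    """Build an OpenSSH public key line; here it only produces constructed test input."""
    def mpint(x):  # big-endian with a leading 0x00 whenever the top bit would be set
        size = (x.bit_length() + 8) // 8
        return struct.pack(">I", size) + x.to_bytes(size, "big")
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def roca_like_modulus(k, a):
    """Constructed N = k*M + 65537^a mod M: affected structure, but not a real RSA modulus."""
    return k * M2 + pow(E, a, M2)
```

Run over an authorized_keys file, parse_ssh_rsa followed by is_roca_fingerprint flags exactly the keys that need replacing; a modulus that fails even one residue check is not affected.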
Security Fixes
- Packages have been updated to the latest security versions.
Bug Fixes
- On Firefox browsers, the first page of some PDF files was blank when rendered.
- Hotpatching failed to retain maintenance mode after a hotpatch was applied.
- The babeld service required a manual restart after a hotpatch was applied.
- SMTP port was still accepting TLSv1 even after disabling the TLSv1 protocol via the Management Console.
- With private mode enabled, using git lfs locks to show the current locks on files tracked by Git LFS showed a user ID instead of a username.
- Activities were not shown on the dashboard for users without any repositories.
- Suspending all dormant users failed due to a serialization bug.
- Password reset emails included an inaccurate description of when the password reset link would expire.
- Migrating specific repositories with ghe-migrator failed if an organization level Project referred to a repository that wasn't exported.
- Querying the Teams API endpoint could result in a 500 HTTP error if LDAP authentication was enabled.
- A "Select a user below to manage roles" team maintainers tip was shown for LDAP-mapped teams.
- Attempting to reset the password of a suspended user did not redirect the user to the suspended page.
- Restoring a deleted repository from the site admin dashboard did not correctly restore its wiki. (updated 2017-11-09)
- Checking high availability replication status could incorrectly report "CRITICAL: git-hooks replication is behind the primary by 3600s".
- The "Clear page cache" link in the site admin modal failed if the current page's URL included query string parameters.
- Pre-receive hooks could succeed or fail incorrectly because the $GITHUB_VIA environment variable contained a truncated value.
Known Issues
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- GitHub Enterprise clustering cannot be configured without https.
- Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
- For a user or organization named apps, the profile page at /apps shows an integrations landing page and repository pages at /apps/<repository> result in a 404 Not Found response due to a conflict with an internal URL. (updated 2017-11-08)
- Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions. (updated 2017-10-27)
- After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-11-09)
- After changing HTTP proxy configuration in the Management Console, webhooks do not use the settings unless hookshot-resqued is restarted manually via SSH by running: sudo systemctl restart hookshot-resqued. (updated 2017-12-19)
- The merge button could get stuck in the "Checking for ability to merge" state. (updated 2017-12-20)
- Rebuilding a search index—including during an upgrade to this version—could cause many exceptions to be logged to /var/log/github/exceptions.log. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
- Pull request review comments migrated with ghe-migrator are displayed in the wrong order. (updated 2017-12-20)
- The pull request review request has its users reversed after migration with ghe-migrator. (updated 2017-12-20)
- The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong. (updated 2017-12-20)
- The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
- The gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
- Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
- Nameid-format matching on the SAML response is too strict when the value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes the NameID. (updated 2018-06-25)
Note on Hotpatching
The hotpatch contains an upgrade to the kernel and related packages and requires a reboot. The reboot can be performed at a later time after applying the hotpatch.
Thanks!
The GitHub Team