The 2.12 series release notes contain important changes in this release series.
Remote code execution with server side request forgery in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.
The affected supported versions are:
- 2.11.0 - 2.11.23
- 2.12.0 - 2.12.16
- 2.13.0 - 2.13.8
- 2.14.0 - 2.14.2
Errata: A file path traversal vulnerability in GitHub Enterprise
GitHub Enterprise 2.14.3, 2.13.9, and 2.12.17 were not patched properly and are still vulnerable to the file path traversal vulnerability. GitHub Enterprise 2.14.4, 2.13.10, and 2.12.18 will ship next week to address this vulnerability. As a manual workaround, you can disable Pages on the GitHub Enterprise environment. (updated 2018-08-23)
A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.
The affected supported versions are:
- 2.12.0 -
2.12.16 2.12.17
- 2.13.0 -
2.13.8 2.13.9
- 2.14.0 -
2.14.2 2.14.3
GitHub Enterprise 2.11 is not vulnerable.
Next steps
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.17, 2.13.9 or 2.14.3.
Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11 for the remote code execution vulnerability. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.
Security Fixes
- CRITICAL: An attacker with repository admin or owner privileges could execute arbitrary commands on the appliance.
CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files. (updated 2018-08-23)
- Packages have been updated to the latest security versions.
Bug Fixes
- Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages we reported to syslog when booting non-cloud based appliances.
- MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
- Hotpatching on Azure would fail due to a package conflict between
waagent
and walinuxagent
.
- The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
- The
ghe-org-admin-promote
command-line utility would fail when attempting to promote a user without two-factor-authentication enabled as an admin of an org where two-factor authentication is required.
- New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.
Changes
User-Agent
has been added to Access-Control-Allow-Headers
to support API clients which follow the Fetch specification.
Known Issues
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments migrated with
ghe-migrator
are displayed in the wrong order.
- Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
Errata
- GitHub Enterprise 2.12.17 was not patched properly and is still vulnerable to the file path traversal vulnerability. (updated 2018-08-23)
Thanks!
The GitHub Team