The 2.12 series release notes contain important changes in this release series.
Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to extract data which is currently processed on the same machine. This also can affect GitHub Enterprise.
The risk to GitHub Enterprise depends on the environment that it runs in. There are two main vectors of attack that need to be considered.
Given that GitHub Enterprise runs on various virtualization platforms, it's essential to update the virtualization platform where possible to mitigate any of these issues. The existing patches and fixes almost all focus on solving Meltdown. Meltdown is more straightforward to fix and most providers focus on this first.
Spectre is more complicated to exploit and also more complicated to fix. KVM for example is not vulnerable to Meltdown but is vulnerable, with a proof of concept, to Spectre which was tested by Google in the project originally (see https://googleprojectzero.blogspot.nl/2018/01/reading-privileged-memory-with-side.html). Specifically under "Reading host memory from a KVM guest". This Spectre exploit tested against a specific kernel version, but nothing implies it's impossible to adapt for other kernel versions and or other virtualization platforms.
The following Cloud and virtualization platforms have released announcements and/or fixes.
The vulnerability can also be exploited if there is code under the control of an attacker running on the same system. GitHub Enterprise has very limited support for custom code in the form of pre-receive hooks. Pre-receive hooks are limited such that administrators are the only ones who can set them up and their runtime execution is limited to 5 seconds. Both these aspects greatly limit the risk of data exposure through pre-receive hooks. As a general rule, administrators should ensure that only known and trusted pre-receive hooks are enabled on their appliance.
GitHub Enterprise is based on Debian Jessie. A fix for Meltdown is not yet available for Debian Jessie, as can be seen in the Debian CVE tracker for Meltdown. The new kernel version will be included in a future release of GitHub Enterprise and can potentially come with a performance regression. Accordingly, we recommend testing that release before putting it into production.
The primary risk for GitHub Enterprise installations is cross-guest or host <-> guest data leakage on the virtualization platform. This may be mitigated by the support cloud hosting providers, or by the suppliers of virtualization software. There is very limited risk of externally supplied software running within the appliance obtaining data from other processes, mitigated by administrators only enabling pre-receive hooks that are reviewed and trusted.
hookshot-resqued was restarted manually.
$GITHUB_PULL_REQUEST_AUTHOR_LOGIN environment variable was empty when pull requests were merged via the API.
firstname.lastname@example.org) has been disabled. Please contact GitHub Enterprise Support using the Submitting a ticket article.
ghe-migrator are displayed in the wrong order.
ghe-migrator can be wrong.
ghe-repl-status command-line utility incorrectly shows
TypeError: no implicit conversion of Symbol into Integer when there are repositories or gists with bad replica counts. (updated 2018-01-10)
ghe-migrator. (updated 2018-01-12)
/var/log/github/production.log may consume large amounts of disk space. The fast growth of this log file could cause the root disk to fill up. (updated 2018-01-16)
gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
ghe-migrator. (updated 2018-04-12)
ghe-migrator, project boards are not exported. (updated 2018-05-07)
NameID. (updated 2018-06-25)
The GitHub Team