The 2.12 series release notes contain important changes in this release series.
A file path traversal vulnerability in the jekyll-remote-theme gem for GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.
The affected supported versions are:
- 2.12.0 - 2.12.19
- 2.13.0 - 2.13.11
- 2.14.0 - 2.14.5
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.20, 2.13.12, 2.14.6, or greater.
- CRITICAL: A file path traversal vulnerability in the jekyll-remote-theme gem of GitHub Pages could allow users to display the content of local files.
- GitHub Enterprise API responses would not be compressed when requested with
- Webhooks could fail to be delivered if the compressed payload was greater than 1 MB.
- Upgrades could fail with `Connection timed out` if the hookshot service was unable to run migrations due to a firewall update that ran out of order.
- Repository replication records may be created inconsistently, resulting in unreported replication failures. This type of replication failure is now reported in
- `ghe-repl-setup` allowed re-adding the same node as a replica.
- Using Safari, administrators were unable to schedule a future hotpatch upgrade from the Management Console due to an incompatible date parse.
- `ghe-config-check` would hang if run without any arguments.
- `hookshot` logs weren't purged properly in Elasticsearch and could consume large amounts of disk space.
- Migrations with `ghe-migrator` could fail to complete when trying to add the same label to an issue.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- `svn checkout` may time out while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments migrated with `ghe-migrator` are displayed in the wrong order.
- Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
The GitHub Team