The 2.13 series release notes contain important changes in this release series.

A file path traversal vulnerability in the jekyll-remote-theme gem for GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

• 2.12.0 - 2.12.19
• 2.13.0 - 2.13.11
• 2.14.0 - 2.14.5

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.20, 2.13.12, 2.14.6, or greater.

Security Fixes

• CRITICAL: A file path traversal vulnerability in the jekyll-remote-theme gem of GitHub Pages could allow users to display the content of local files.

Bug Fixes

• GitHub Enterprise API responses would not be compressed when requested with gzip encoding.
• Webhooks could fail to be delivered if the compressed payload was greater than 1 MB.
• Upgrades could fail with Connection timed out if the hookshot service was unable to run migrations due to a firewall update that ran out of order.
• Repository replication records may be created inconsistently, resulting in unreported replication failures. This type of replication failure is now reported in ghe-repl-status.
• ghe-repl-setup allowed re-adding the same node as a replica.
• Using Safari, administrators were unable to schedule a future hotpatch upgrade from the Management Console due to an incompatible date parse.
• ghe-config-check would hang if run without any arguments.
• hookshot logs weren't purged properly in Elasticsearch and could consume large amounts of disk space.
• Migrations with ghe-migrator could fail to complete trying to add the same label to an issue.
• The pull request page could fail to load with a 500 Internal Server Error if a reviewer is no longer a member of the GitHub Enterprise environment.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments are missing from an import with ghe-migrator.
• The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
• The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team