GitHub Enterprise - The best way to build and ship software

GitHub Enterprise 2.13.9 August 21, 2018 Series notes · Download

The 2.13 series release notes contain important changes in this release series.

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.

The affected supported versions are:

2.11.0 - 2.11.23
2.12.0 - 2.12.16
2.13.0 - 2.13.8
2.14.0 - 2.14.2

Errata: A file path traversal vulnerability in GitHub Enterprise

GitHub Enterprise 2.14.3, 2.13.9, and 2.12.17 were not patched properly and are still vulnerable to the file path traversal vulnerability. GitHub Enterprise 2.14.4, 2.13.10, and 2.12.18 will ship next week to address this vulnerability. As a manual workaround, you can disable Pages on the GitHub Enterprise environment. (updated 2018-08-23)

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

2.12.0 - ~~2.12.16~~ 2.12.17
2.13.0 - ~~2.13.8~~ 2.13.9
2.14.0 - ~~2.14.2~~ 2.14.3

GitHub Enterprise 2.11 is not vulnerable.

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.17, 2.13.9 or 2.14.3.

Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11 for the remote code execution vulnerability. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.

Security Fixes

CRITICAL: An attacker with repository admin or owner privileges could execute arbitrary commands on the appliance.
CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files. (updated 2018-08-23)
Packages have been updated to the latest security versions.

Bug Fixes

Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages we reported to syslog when booting non-cloud based appliances.
MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
Hotpatching on Azure would fail due to a package conflict between waagent and walinuxagent.
The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
The ghe-org-admin-promote command-line utility would fail when attempting to promote a user without two-factor-authentication enabled as an admin of an org where two-factor authentication is required.
New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.

Changes

Restoring cluster backups could fail if inconsistent repository data is stored in the backup. These cases are now logged and the restore allowed to continue when using backup-utils v2.14.2.
Feature upgrades in environments with a large number of labels would take longer than needed.
User-Agent has been added to Access-Control-Allow-Headers to support API clients which follow the Fetch specification.

Known Issues

Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Custom firewall rules aren't maintained during an upgrade.
svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Pull request review comments are missing from an import with ghe-migrator.
The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Errata

GitHub Enterprise 2.13.9 was not patched properly and is still vulnerable to the file path traversal vulnerability. (updated 2018-08-23)

Thanks!

The GitHub Team

Release notes