- HIGH: A GitHub App could download a repository archive that it was not authorized to access during installation.
- MEDIUM: Command-line injection could be triggered by uploading a specially-crafted pre-receive hook environment.
- MEDIUM: Environment variables passed to pre-receive hook scripts were not properly escaped.
- LOW: It was possible to start a shell from the network configuration settings screen available on a virtual console.
- LOW: Filtering of parameters in log files was changed from a blacklist of fields to a whitelist. This ensures that less values are logged and in the future no values are accidentally logged.
- LOW: The body of API requests containing sensitive data was written to log files on the appliance. The request body is now only logged for debugging purposes and sensitive data is scrubbed before being logged.
- Packages have been updated to the latest security versions.
- Parallel uploads of the same Git LFS object could fail but reported as successful.
- Jupyter notebooks added to a Gist would fail to render on appliances with subdomain isolation disabled.
- Including the port in the
Host header when requesting a Pages site would return a 404 error.
- A pull request created via the API could be assigned an ID of
- The LDAP users page at
/stafftools/users/ldap had layout and accessibility issues.
- The Fork button was enabled for repositories in cases where a repository could not be forked anywhere.
- Upgrade to Elasticsearch 5.6. An upgrade to GitHub Enterprise 2.14 requires a manual migration while the appliance is running GitHub Enterprise 2.12 or 2.13.
- Following users is rate limited to 35 users per minute or 300 users per hour.
/var/log/github/audit.log has been updated to output audit events only when there has been a change.
babeld.log has been updated to include the
ts (timestamp) metadata.
- Renaming an existing user is enabled for SAML configured appliances.
- New REST API resources have been added.
- GraphQL API schema has been updated.
- New webhook events have been added.
Backups and Disaster Recovery
GitHub Enterprise 2.14 requires at least GitHub Enterprise Backup Utilities 2.14.0 for Backups and Disaster Recovery.
Upcoming deprecation of GitHub Services
Starting with GitHub Enterprise 2.17.0, support for GitHub Services will be deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise will continue to function but GitHub Enterprise will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner will be displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with
ghe-legacy-github-services-report. (updated 2017-07-24)
Upcoming deprecation of Internet Explorer 11 support
Support for Internet Explorer 11 will be deprecated on September 13, 2018.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- The high availability replication status as reported by
ghe-repl-status could report a harmless error,
parse error: Invalid numeric literal at line 1, column 3. (updated 2018-07-17)
- The import of protected branches with
ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with
ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
- Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
- Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
The GitHub Team