The 2.14 series release notes contain important changes in this release series.
Remote code execution with server side request forgery in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.
The affected supported versions are:
- 2.11.0 - 2.11.23
- 2.12.0 - 2.12.16
- 2.13.0 - 2.13.8
- 2.14.0 - 2.14.2
Errata: A file path traversal vulnerability in GitHub Enterprise
GitHub Enterprise 2.14.3, 2.13.9, and 2.12.17 were not patched properly and are still vulnerable to the file path traversal vulnerability. GitHub Enterprise 2.14.4, 2.13.10, and 2.12.18 will ship next week to address this vulnerability. As a manual workaround, you can disable Pages on the GitHub Enterprise environment. (updated 2018-08-23)
A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.
The affected supported versions are:
- 2.12.0 - 2.12.16, patch release 2.12.17
- 2.13.0 - 2.13.8, patch release 2.13.9
- 2.14.0 - 2.14.2, patch release 2.14.3
GitHub Enterprise 2.11 is not vulnerable.
Next steps
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.17, 2.13.9 or 2.14.3.
Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11 for the remote code execution vulnerability. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.
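An added helper (not part of these release notes or of GitHub's tooling) that checks an appliance version string against the affected ranges above and returns the action this note recommends; it treats the x.y.3 patch levels as still affected by the path traversal issue, as the errata states, and names the announced 2.12.18, 2.13.10 and 2.14.4 releases as the fixed versions.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]

# Inclusive ranges copied from this advisory. The traversal ranges extend to the
# x.y.3 patch levels because the errata says 2.12.17, 2.13.9 and 2.14.3 were not
# patched properly; 2.12.18, 2.13.10 and 2.14.4 are the announced fixed releases.
RCE_AFFECTED: List[Range] = [
    ((2, 11, 0), (2, 11, 23)), ((2, 12, 0), (2, 12, 16)),
    ((2, 13, 0), (2, 13, 8)), ((2, 14, 0), (2, 14, 2)),
]
TRAVERSAL_AFFECTED: List[Range] = [
    ((2, 12, 0), (2, 12, 17)), ((2, 13, 0), (2, 13, 9)), ((2, 14, 0), (2, 14, 3)),
]
TRAVERSAL_FIXED = {(2, 12): (2, 12, 18), (2, 13): (2, 13, 10), (2, 14): (2, 14, 4)}


def parse_version(text: str) -> Version:
    """Pull a major.minor.patch triple out of e.g. 'GitHub Enterprise 2.14.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def in_ranges(v: Version, ranges: List[Range]) -> bool:
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return any(lo <= v <= hi for lo, hi in ranges)


def assess(text: str) -> Dict[str, object]:
    """Return which advisory items apply to a version and the action this note gives."""
    v = parse_version(text)
    issues: List[str] = []
    actions: List[str] = []
    if in_ranges(v, RCE_AFFECTED):
        issues.append("rce")
        # 2.11 receives no fix for the RCE; the note says to move to 2.12 or newer.
        actions.append("upgrade to 2.12 or newer" if v[:2] == (2, 11)
                       else "upgrade to the latest patch release in the series")
    if in_ranges(v, TRAVERSAL_AFFECTED):
        issues.append("path-traversal")
        fixed = TRAVERSAL_FIXED[v[:2]]
        actions.append(f"disable Pages until {'.'.join(map(str, fixed))} is installed")
    return {"version": v, "issues": issues, "actions": actions}
```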
Security Fixes
- CRITICAL: An attacker with repository admin or owner privileges could execute arbitrary commands on the appliance.
- CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files. (updated 2018-08-23)
- Packages have been updated to the latest security versions.
Bug Fixes
- ghe-repl-status, used to query the high availability status, failed with a parse error: Invalid numeric literal at line 1, column 3.
- Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages were reported to syslog when booting non-cloud based appliances.
- Signing in with SAML authentication on a newly-deployed GitHub Enterprise appliance could fail with a 500 Internal Server Error.
- MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
- Hotpatching on Azure would fail due to a package conflict between waagent and walinuxagent.
- The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
- The ghe-org-admin-promote command-line utility would fail when attempting to promote a user without two-factor authentication enabled as an admin of an org where two-factor authentication is required.
- New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.
Changes
- Restoring cluster backups could fail if inconsistent repository data is stored in the backup. These cases are now logged and the restore allowed to continue when using backup-utils v2.14.2.
- Feature upgrades in environments with a large number of labels would take longer than needed.
Upcoming deprecation of GitHub Enterprise 2.11
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Known Issues
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
- Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
- Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
Errata
- GitHub Enterprise 2.14.3 was not patched properly and is still vulnerable to the file path traversal vulnerability. (updated 2018-08-23)
Thanks!
The GitHub Team