The 2.14 series release notes contain important changes in this release series.
A file path traversal vulnerability in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.
The affected supported versions are:
- 2.12.0 - 2.12.17
- 2.13.0 - 2.13.9
- 2.14.0 - 2.14.3
GitHub Enterprise 2.11 is not vulnerable.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.18, 2.13.10, 2.14.4, or greater.
Security Fixes
- CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files.
- MEDIUM: Access may have been inadvertently granted to internal IP addresses of GitHub Enterprise. The fix removed any access grants via an IP address.
- LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
- Packages have been updated to the latest security versions.
Bug Fixes
- Corrupted Consul configuration data could prevent appliance configuration changes from completing successfully.
- Deleting an SNMPv3 user via ghe-snmpv3-remove-user did not remove all account data, preventing administrators from updating the password for the SNMPv3 user.
- Terminating the ghe-set-password command could result in unexpected shell behavior.
- Messages sent from the email service hook failed due to a recent security update.
- Viewing a GitHub App page could result in an error if the parent organization contained repositories which were user-administered.
- Adding a new integration failed if the license seat limit was reached.
Upcoming deprecation of GitHub Enterprise 2.11
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Known Issues
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
- Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
- Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
Thanks!
The GitHub Team