The 2.14 series release notes contain important changes in this release series.
A file path traversal vulnerability in the jekyll-remote-theme gem for GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to escalate the vulnerability further and execute arbitrary commands on the GitHub Enterprise appliance.
The affected supported versions are:
- 2.12.0 - 2.12.19
- 2.13.0 - 2.13.11
- 2.14.0 - 2.14.5
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.20, 2.13.12, 2.14.6, or greater.
Security Fixes
- CRITICAL: A file path traversal vulnerability in the jekyll-remote-theme gem of GitHub Pages could allow users to display the content of local files.
Bug Fixes
- ghe-repl-setup allowed re-adding the same node as a replica.
- GitHub Enterprise API responses would not be compressed when requested with gzip encoding.
- Webhooks could fail to be delivered if the compressed payload was greater than 1 MB.
- Upgrades could fail with Connection timed out if the hookshot service was unable to run migrations due to a firewall update that ran out of order.
- Repository replication records may be created inconsistently, resulting in unreported replication failures. This type of replication failure is now reported in ghe-repl-status.
- Replication could fail due to stale or duplicate entries for the primary in a replica's /etc/hosts.
- Messages sent from the email service hook failed when the upstream SMTP server didn't accept the plain authentication method.
- Using Safari, administrators were unable to schedule a future hotpatch upgrade from the Management Console due to an incompatible date parse.
- ghe-config-check would hang if run without any arguments.
- hookshot logs weren't purged properly in Elasticsearch and could consume large amounts of disk space.
- Migrations with ghe-migrator could fail to complete when trying to add the same label to an issue.
- The pull request page could fail to load with a 500 Internal Server Error if a reviewer is no longer a member of the GitHub Enterprise environment.
- Users were unable to view the diff of comment edits, delete comment edit history items, dismiss the comment edit history onboarding, and reload on comment edits for gist comments.
Changes
- GitHub Enterprise clustering has been updated to purge MySQL binary logs older than one hour prior to a ghe-restore.
Known Issues
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
- Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head. (updated 2018-12-19)
- Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
- Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
Thanks!
The GitHub Team