- HIGH: An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
- MEDIUM: GitHub App permissions could be incorrectly set by the user.
- Packages have been updated to the latest security versions.
- GitHub Enterprise Server was incorrectly using firstname.lastname@example.org as the sender of notification emails if a URL was used for the support link instead of an email address.
- GitHub app managers were able to access and manage applications for the organization after being removed from it.
- Lines in gists were not selectable.
- WireGuard replaces OpenVPN as the technology used to encrypt communication between nodes in High Availability configurations.
- Webhook payloads include the milestone object when milestones are added or removed.
- Links to all the pull requests associated with a security alert are viewable on the security alerts page.
- Users are able to update their branch with the base branch when a pull request is in draft status.
- After a new commit is pushed, files marked as reviewed are marked as unreviewed for all users who previously reviewed them.
- Reduced memory utilization on GitHub Enterprise Server instances. longpoll service has been replaced with
- Replication must be stopped during a feature upgrade.
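The HIGH-severity fix above concerns options being injected into Git sub-commands run on the server. As an added defensive illustration, not GitHub's code and not taken from this release note, the following Python helper shows the two checks a service that shells out to git needs: reject branch names git itself would reject (a conservative subset of `git check-ref-format --branch`), and pass the name as a fully-qualified ref so that no argument ever begins with a dash. The assumption that a dash-prefixed name is the injection vector is this example's, not the page's.

```python
import re
import subprocess

# Characters git forbids anywhere in a ref: ASCII control chars, space, DEL, ~ ^ : ? * [ \
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """Conservative subset of the rules git check-ref-format --branch enforces.

    Anything that could be read by an option parser as a flag (a leading '-')
    is rejected outright, in addition to the usual ref-name rules.
    """
    if not name or name.startswith("-") or name == "@":
        return False
    if _BAD_CHARS.search(name) or ".." in name or "@{" in name:
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    for component in name.split("/"):
        # Empty component (a//b), hidden component (.x) and *.lock are all invalid.
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def build_git_argv(subcommand: str, options, branch: str):
    """Build an argv list (never a shell string) for a git sub-command.

    The user-controlled value is placed last and fully qualified under refs/heads/,
    so even a name that slipped past validation could not start with '-'.
    """
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", subcommand, *options, f"refs/heads/{branch}"]


def run_git(repo_dir: str, subcommand: str, options, branch: str) -> str:
    """Execute the sub-command without a shell and return its stdout (requires git)."""
    argv = build_git_argv(subcommand, options, branch)
    return subprocess.run(argv, cwd=repo_dir, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed inputs: one ordinary branch and one name shaped like an option.
    print(build_git_argv("rev-list", ["--max-count=10"], "feature/login"))
    try:
        build_git_argv("rev-list", [], "--output=/tmp/anything")
    except ValueError as exc:
        print("blocked:", exc)
```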
Backups and Disaster Recovery
GitHub Enterprise Server 2.18 requires at least GitHub Enterprise Backup Utilities 2.18.0 for Backups and Disaster Recovery.
Upcoming deprecation of GitHub Enterprise Server 2.15
GitHub Enterprise Server 2.15 will be deprecated as of October 16, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- A Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- Issue, pull request, and project pages may not automatically update with changes from other users. (updated 2019-08-30)
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
The GitHub Team