The 2.18 series release notes contain important changes in this release series.
Downloads Have Been Disabled
Downloads of the 2.18.24 release have been disabled as a result of a bug discovered after release. Subsequent releases in the 2.18 series include a correction for the bug.
If you have already upgraded your appliance to GitHub Enterprise 2.18.24, please contact support for assistance.
Security Fixes
- CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part of building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.
- HIGH: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GitHub Enterprise Server instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.
- Packages have been updated to the latest security versions.
Bug Fixes
- The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades.
- The service memory allocation calculation could assign an incorrect or unbounded amount of memory to a service, resulting in poor system performance.
- Issues could not be sorted by Recently updated on repositories migrated to a new instance.
- GitHub Connect was using a deprecated GitHub.com API endpoint.
- The 404 page contained GitHub.com contact and status links in the footer.
Upcoming deprecation of GitHub Enterprise Server 2.18
GitHub Enterprise Server 2.18 will be deprecated as of August 20, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.
Known Issues
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- Security alerts are not reported when pushing to a repository on the command line.
Thanks!
The GitHub Team