The 2.19 series release notes contain important changes in this release series.

Downloads Have Been Disabled

Downloads of the 2.19.19 release have been disabled as a result of a bug discovered after release. Subsequent releases in the 2.19 series include a correction for the bug.

If you have already upgraded your appliance to GitHub Enterprise 2.19.19, please contact support for assistance.

Security Fixes

• CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.
• HIGH: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GitHub Enterprise Server instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.
• Packages have been updated to the latest security versions.

Bug Fixes

• The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance.
• The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades.
• GitHub Connect was using a deprecated GitHub.com API endpoint.
• Issues could not be sorted by Recently updated on repositories migrated to a new instance.
• The 404 page contained GitHub.com contact and status links in the footer.

Known Issues

• On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
• Custom firewall rules are not maintained during an upgrade.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
• When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
• Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team