The 2.19 series release notes contain important changes in this release series.
- CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. We have issued CVE-2020-10518.
- MEDIUM: An improper access control vulnerability was identified that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and has been assigned CVE-2020-10517. The vulnerability was reported via the GitHub Bug Bounty program.
- Packages have been updated to the latest security versions.
- A message was not logged when the ghe-config-apply process had finished running ghe-es-auto-expand.
- Excessive logging to the
syslog file could occur on high-availability replicas if the primary appliance is unavailable.
- Database re-seeding on a replica could fail with an error:
Got packet bigger than 'max_allowed_packet'
- Syntax highlighting of some languages failed to render correctly.
- In some cases duplicate user data could cause a 500 error while running the ghe-license-usage script.
- Removed the license seat count information on the administrative SSH MOTD due to a performance issue impacting GitHub Enterprise Server clusters.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- Security alerts are not reported when pushing to a repository on the command line.
The GitHub Team