The 2.21 series release notes contain important changes in this release series.
Downloads Have Been Disabled
Downloads of the 2.21.4 release have been disabled as a result of a bug discovered after release. Subsequent releases in the 2.21 series include a correction for the bug.
If you have already upgraded your appliance to GitHub Enterprise 2.21.4, please contact support for assistance.
- CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.
- HIGH: High: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GHES instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.
- Packages have been updated to the latest security versions.
- A Consul configuration error prevented some background jobs from being processed on standalone instances.
- The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance.
- The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades.
- The error message for invalid authentication with a password via Git command line didn't populate the URL linking to adding the appropriate token or SSH key.
- Creating an issue on a user repository using the Issue Template feature could fail with an Internal Server Error.
- Visiting the Explore section failed with a 500 Internal Server error.
- Issues could not be sorted by Recently updated on repositories migrated to a new instance.
- GitHub Connect was using a deprecated GitHub.com API endpoint.
- Internal metrics gathering for background jobs contributed to CPU and memory use unnecessarily.
- The 404 page contained GitHub.com contact and status links in the footer.
- Background jobs for an unreleased feature were queued and left unprocessed.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- Security alerts are not reported when pushing to a repository on the command line.
- Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02)
The GitHub Team