The 2.4 series release notes contain important changes in this release series.
Several vulnerabilities in ImageMagick, a package commonly used by web services to process images, have been discovered and disclosed by members of the Mail.ru Security team. One of the vulnerabilities is critical and can lead to remote code execution when processing user submitted images.
Final patches for all the disclosed vulnerabilities within ImageMagick are still pending. This release mitigates the remote code execution vulnerability by implementing the recommended policy to disable the vulnerable ImageMagick coders.
This vulnerability exists in ImageMagick but there is no evidence that it has been exploited on GitHub Enterprise.
We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
If you can't immediately upgrade, the issue can be mitigated by implementing the policy changes as follows:
SSH to your GitHub Enterprise appliance.
sudo vi /etc/ImageMagick/policy.xml
Disable the vulnerable coders by replacing the
<policymap> section with:
<policymap> <policy domain="coder" rights="none" pattern="EPHEMERAL" /> <policy domain="coder" rights="none" pattern="URL" /> <policy domain="coder" rights="none" pattern="HTTPS" /> <policy domain="coder" rights="none" pattern="MVG" /> <policy domain="coder" rights="none" pattern="MSL" /> </policymap>
There is no need to reboot or restart any services; the changes will take effect immediately.
Please contact GitHub Enterprise Support if you have any questions.
The GitHub Team