The 2.5 series release notes contain important changes in this release series.

Remote Code Execution in GitHub Enterprise Management Console

An issue was identified that could allow an attacker to execute arbitrary commands on the GitHub Enterprise appliance. This vulnerability exists in the Management Console which is accessible from port 8080 and 8443. This is only applicable to GitHub Enterprise 2.5.0, 2.5.1, 2.5.2, and 2.5.3.

We strongly recommend you upgrade your GitHub Enterprise appliance to GitHub Enterprise 2.5.4 immediately.

This vulnerability was reported to our GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.

If you're unable to upgrade immediately, the issue can be mitigated by blocking traffic to port 8080 and 8443 from any untrusted IP addresses. If your GitHub Enterprise appliance is behind a firewall device, you can block inbound requests to port 8443 and 8080 and allow trusted IP addresses. Alternatively, you can do this directly in the appliance,

1. SSH to your GitHub Enterprise appliancee

2. Block all traffic to ports 8080 and 8443

   $ sudo ufw insert 1 deny proto tcp from any to any port 8080,8443
   

3. Allow a trusted IP address to access the Management Console by replacing <IPADDRESS>

   $ sudo ufw insert 1 allow proto tcp from <IPADDRESS> to any port 8080,8443
   

To remove the mitigation on your appliance,

1. SSH to your GitHub Enterprise appliance

2. Identify the numbered firewall rule to remove

   $ sudo ufw status numbered | grep '8080,8443/tcp' | grep DENY | head -n1
   

3. Remove the firewall rule by replacing <NUMBER>

   $ sudo ufw delete <NUMBER>
   

4. Run steps 2 and 3 until the firewall rules from step 2 are removed.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

• CRITICAL There was a remote code execution vulnerability through the Management Console.

Bug Fixes

• The Management Console email test could fail due to certificate validation errors. Emails sent from the GitHub application would still be successfully delivered.

Changes

• Shell history is written after each command.

Known issues

• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
• User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team