GitHub Enterprise 2.5.6 May 04, 2016 Series notes · Download

The 2.5 series release notes contain important changes in this release series.

Security Fixes

Remote Code Execution in ImageMagick

Several vulnerabilities in ImageMagick, a package commonly used by web services to process images, have been discovered and disclosed by members of the Mail.ru Security team. One of the vulnerabilities is critical and can lead to remote code execution when processing user submitted images.

Final patches for all the disclosed vulnerabilities within ImageMagick are still pending. This release mitigates the remote code execution vulnerability by implementing the recommended policy to disable the vulnerable ImageMagick coders.

This vulnerability exists in ImageMagick but there is no evidence that it has been exploited on GitHub Enterprise.

We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.

Mitigation
If you can't immediately upgrade, the issue can be mitigated by implementing the policy changes as follows:

  1. SSH to your GitHub Enterprise appliance.

  2. Edit the /etc/ImageMagick/policy.xml file:

    sudo vi /etc/ImageMagick/policy.xml
    
  3. Disable the vulnerable coders by replacing the <policymap> section with:

    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>
    

There is no need to reboot or restart any services; the changes will take effect immediately.

Please contact GitHub Enterprise Support if you have any questions.

Bug Fixes

Known issues

Thanks!

The GitHub Team