GitHub Enterprise - The best way to build and ship software

GitHub Enterprise 2.6.16 January 31, 2017 Series notes · Download

The 2.6 series release notes contain important changes in this release series.

SAML authentication bypass with XML signature wrapping in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is applicable if the attacker has access to a validly signed SAML assertion or response against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.

The affected supported versions are:

2.8.0 - 2.8.6
2.7.0 - 2.7.10
2.6.0 - 2.6.15
2.5.0 - 2.5.20
2.4.0 - 2.4.22

Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker has access to configure a repository's Webhooks - owner or admin privileges to a repository.

The affected supported versions are:

2.8.0 - 2.8.6
2.7.0 - 2.7.10
2.6.0 - 2.6.15
2.5.0 - 2.5.20
2.4.0 - 2.4.22

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:

Put your GitHub Enterprise environment in Maintenance Mode.
SSH to your primary GitHub Enterprise appliance.

Destroy the existing SAML sessions.

$ echo SAML::Session.destroy_all | ghe-console -y

Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

If possible, we also recommend restricting Management Console access to your site administrators.

These vulnerabilities were reported through the GitHub Security Bug Bounty program and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post about the inclusion of GitHub Enterprise, Bug Bounty anniversary promotion: bigger bounties in January and February.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

CRITICAL: An attacker could bypass SAML authentication via XML signature wrapping and log in as any other user.
CRITICAL: There was a remote code execution vulnerability via server side request forgery.
HIGH: With built-in authentication, suspended users could log in.
Packages have been updated to the latest security versions.

Known Issues

We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Custom firewall rules aren't maintained during an upgrade.
Enqueued background jobs are sometimes not purged when a repository is deleted.
On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3, will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
Editing custom messages in the Admin Center doesn't provide emoji suggestions.
Native emoji are lost when saving custom messages in the Admin Center.
Repository push logs don't record whether a push was forced.
svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Uploading PNG images with through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
GitHub Enterprise clustering can not be configured without https.
Console text is difficult to read on OpenStack KVM.
The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!