GitHub Enterprise 2.8.22 October 25, 2017 Series notes · Download

The 2.8 series release notes contain important changes in this release series.

GitHub Enterprise includes protection from vulnerable, weak SSH keys (CVE-2017-15361)

In response to CVE-2017-15361, certain SSH authentication RSA keys that were generated by some Yubikey 4 devices are vulnerable to private key factorization. Such keys are considered cryptographically weak and therefore in need of replacement. To help users avoid vulnerable keys, GitHub Enterprise has added capabilities to detect and reject them from being configured for user authentication. GitHub Enterprise now includes an administration utility, ghe-ssh-weak-fingerprints, to enable admins to list any affected keys and, optionally, perform a bulk revocation.

The affected supported versions are:

This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.22, 2.9.14, 2.10.9, or 2.11.3.

Please contact GitHub Enterprise Support if you have questions.

Upcoming deprecation of GitHub Enterprise 2.8

GitHub Enterprise 2.8 will be deprecated as of November 9, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Security Fixes

Bug Fixes

Known Issues

Thanks!

The GitHub Team