GitHub Enterprise 2.8.6 January 12, 2017 Series notes · Download

The 2.8 series release notes contain important changes in this release series.

SAML authentication bypass in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication by creating a fake response. This could allow the attacker to sign in as any user, including administrators.

The affected supported versions are:

If you are using SAML as your authentication method, we strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

Additionally, all existing user sessions should be destroyed:

  1. Put your GitHub Enterprise environment in Maintenance Mode.

  2. SSH to your primary GitHub Enterprise appliance.

  3. Destroy the existing SAML sessions.

    $ echo SAML::Session.destroy_all | ghe-console -y
    
  4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

This vulnerability was reported through the GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

Bug Fixes

Changes

Known Issues

Thanks!

The GitHub Team