GitHub Enterprise 11.10.354 March 24, 2015 Download

Security Fixes

Release series end of life

The 11.10.354 release is part of the 11.10.340 release series. No more security patches will be released in this series after 7 July 2015, even for critical security issues. All customers are encouraged to upgrade to the latest release.


The GitHub Team

GitHub Enterprise 11.10.353 March 10, 2015 Download

GitHub Enterprise 11.10.353 Update Released

The 11.10.353 release for GitHub Enterprise is now available for download from The full release notes for 11.10.353 follow:

Security Fixes

FREAK attack

Researchers from INRIA, Microsoft Research and IMDEA have discovered a vulnerability that can cause affected servers to use weakened encryption on SSL connections, making it easier for an attacker with access to the connection to decrypt the communication.

GitHub Enterprise versions 2.0.7, 2.1.0 and newer are not vulnerable to this attack as they were already updated to OpenSSL 1.0.1-4ubuntu5.21 before this attack was published.

Release series end of life

The 11.10.353 release is part of the 11.10.340 release series. No more security patches will be released in this series after 7 July 2015, even for critical security issues. All customers are encouraged to upgrade to the latest release.

GitHub Enterprise 11.10.352 January 30, 2015 Download

Important Security Vulnerability Fixed in 11.10.352

The following important security vulnerability has been fixed in the 11.10.352 release:

  • MEDIUM: Buffer overflow in gethostbyname. Also known as the GHOST vulnerability.

GHOST vulnerability

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.

If you have any questions, please contact support at


The GitHub Team

GitHub Enterprise 11.10.351 December 22, 2014 Download

Security Fixes

  • CRITICAL: Remote code execution possible via ntpd.
  • MEDIUM: Specially crafted Gist updates could bypass the Git client protection introduced in 11.10.349.
  • MEDIUM: The web editor could be used to bypass the Git client protection introduced in 11.10.349.

NTP vulnerability

Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet with malicious arbitrary code that will execute at the privilege level of the ntpd process.

This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.

More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.

If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:

sudo ufw delete allow ghe-123

The rule will be re-enabled if settings are saved or a configuration run is performed. To prevent the rule from being restored, SSH into the appliance and run:

sudo rm /data/enterprise/cookbooks/ufw/files/default/ufw_apps/ghe-123
sudo rm /etc/ufw/applications.d/ghe-123

If you have any questions, please contact support at

GitHub Enterprise 11.10.349 December 19, 2014 Download

Git client vulnerability

Yesterday a critical Git security vulnerability was announced that affects all versions of the official Git client and all related software that interacts with Git repositories.

While GitHub Enterprise itself is not directly affected, it may be used as a distribution point for an attacker to reach unpatched clients. This release detects and blocks malicious trees from being pushed to an Enterprise instance, eliminating it as an attack vector.

Important details

It it critical to note that this release only provides mitigation against low-levels attacks where a user with write access could attempt to push malicious files to a GitHub Enterprise instance. It does not prevent interactions with malicious external Git servers that can open up command-line level attack vectors, as those must be dealt with at the Git client level.

For full protection, we strongly recommend you ensure that all developers update their Git clients, in addition to upgrading to this release. Installing this update alone does not mean your organization is fully safe against this vulnerability. The only way to make sure none of your developers are vulnerable is to have everyone upgrade their Git client.

More details on the vulnerability can be found in the official Git mailing list announcement, on the git-blame blog, and on the GitHub blog.

If you have any questions, please contact support at

GitHub Enterprise 11.10.348 October 16, 2014 Download

Bug Fixes

  • Quickly recreating a repository after deletion could result in the new repository being deleted.
  • A billing plan could be incorrectly assigned to a user, causing upgrades to fail.
  • MOTD was incorrectly enabled for non-interactive SSH sessions.
  • The Subversion bridge could fail to restart.
  • Repositories with missing discussion metadata were not properly deleted.
  • Gists from previous versions were not shown in searches after upgrade.
  • Duplicate repository records could cause upgrades to fail.
  • Git garbage collection could run while a backup was in progress.
  • Internal hooks could cause poor Git performance.
  • Active Directory LDAP subgroups were not searched recursively.
  • Diffs of STL files did not work in private mode.
  • Clicking links in Gists in Firefox redirected incorrectly to an error page.

Google Chrome

A bug in Chrome caused our security middleware to incorrectly forbid file uploads, causing an empty response. This could cause initial installation, upgrades, or unlocking with a license file to fail for all instances using the 11.10.320 OVA. The bug is fixed in the 11.10.320.1 OVA included with this release.

Security Fixes

SSLv3 disabled

Google researchers have found a critical vulnerability in the SSLv3 protocol. This protocol is very old and has been replaced with TLS 1.0, 1.1 and 1.2. Due to the vulnerability we have disabled SSLv3 support by default in 11.10.348.

We strongly recommend against reenabling SSLv3 but if it is needed after upgrading to 11.10.348 by legacy software the following steps will reenable it:


WARNING: This command opens root access to the admin user via sudo. It is
provided as a troubleshooting facility and should be used only under the
guidance of GitHub Enterprise support.

While unlocked, any user with admin SSH access will have full root access to
the VM. Please use with caution and run the ghe-lock command when finished to
prevent accidental modification of system files.

Do you understand? [Y/n] Y
Okay. Full sudo access via the admin user is now enabled.

Replace the line ssl_protocols TLSv1 TLSv1.1 TLSv1.2; in /etc/nginx/sites-enabled/github.conf with ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;:

sudo sed 's/ssl_protocols TLSv1 TLSv1.1 TLSv1.2/ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2/' -i /etc/nginx/sites-enabled/github.conf
sudo service nginx reload

You can verify if the change was successful by running the following command from outside the instance:

openssl s_client -connect my-enterprise-instance:443 -ssl3

This should show a message similar to the following:

Server certificate

GitHub Enterprise 11.10.347 September 28, 2014 Download

Security fixes


  • Forking regression which resulted in substantially more disk space and resource utilization.

GitHub Enterprise 11.10.346 September 25, 2014 Download

Security fixes

GitHub Enterprise 11.10.345 September 24, 2014 Download

Security fixes

GitHub Enterprise 11.10.344 September 02, 2014 Download


  • Site admin rocket icon did not show in Internet Explorer 11.
  • Proxy services for Git, Git HTTP and SVN did not log correctly.
  • Recent webhook delivery metadata were not displayed in repository settings under some circumstances.
  • Pull request synchronization in the site admin could cause a Not Found error.
  • Compiled GitHub Pages sites could be improperly removed.
  • Support bundles could be extremely large. Rotated logs are now excluded by default.
  • Visiting the user page of a suspended user incorrectly caused a Not Found error.
  • LDAP user listing in the site admin could time out.
  • LDAP posixGroup membership checks failed improperly.
  • Testing connection settings caused an error when the LDAP server was unreachable.

Security fixes

GitHub Enterprise 11.10.343 July 30, 2014 Download


  • Incorrect rendering of repository pages when following a link from a Gist.
  • Pages generation could fail with SSL enabled.
  • reStructuredText files failed to render.
  • To prevent broken avatars, set as the default fallback for serving identicons.
  • Filtered SNMP community string from the support bundles.
  • LDAP authentication timeouts could cause sign in and HTTP clones to fail.
  • Upgrades could fail if VMware tools had been installed.
  • Collectd was sending duplicate packets when forwarding messages.
  • Changed authentication settings could fail to take effect.
  • To prevent system authentication logs from becoming too large, we now rotate the auth.log daily and discard them after one week.
  • Administrators did not have permission to update firewall rules with UFW.
  • Git incorrectly detected commits as unreachable on fetch.
  • Elasticsearch status was inconsistent after upgrade.
  • When creating a repository with the same name as a deleted repository, the deleted code was restored.
  • Upgrade could fail with a large user sessions table.
  • Improved styling of search results sort order button.
  • Better handling errors when renaming users from stafftools.
  • Seat count was misreported.
  • Gists with legacy ID URLs cound not be cloned.
  • Commit build statuses were not shown after upgrade.
  • Removed site_admin API scope from metadata calls.
  • Unlocking repositories failed after a sudo timeout with LDAP authentication enabled.
  • Webhooks status icons remained grey on delivery.
  • Image diffs did not load consistently.

Security fixes

  • MED: Pages repository submodule could access other repositories on the VM.

Upgrade path

  • Please upgrade your instance to GitHub Enterprise 11.10.317 or later before upgrading to 11.10.343.

GitHub Enterprise 11.10.342 July 10, 2014 Download


  • Upgrade could fail due to incorrect process ordering
  • Upgrade could timeout during database migration
  • Upgrade could fail when repository data cannot be found
  • Incorrectly allowed duplicate SSH keys in the Management Console
  • Gist log files were not rotated
  • API rate limiting incorrectly enabled

Upgrade path

  • Please upgrade your instance to GitHub Enterprise 11.10.317 or later before upgrading to 11.10.342.

GitHub Enterprise 11.10.341 July 07, 2014 Download


  • Upgrades could fail when using LDAP.

11.10.340 Improvements

This release also includes all features and bug fixes from 11.10.340, including:

New Features

LDAP improvements


  • Improperly displayed information about Git alternate networks on the repository admin page.
  • Blacklist "network" for user/organization names.
  • Improperly displayed Mirrors filter on repositories listing.
  • Inconsistent interface elements displayed when interacting with internal links on custom tabs.
  • Improperly excluded some system log files from log forwarding.
  • Error during sign in when LDAP passwords contain accented characters.
  • Error when creating an LDAP user through the site admin if the login was normalized.
  • Failed to load LDAP users page when the directory server's size limit was exceeded.

Security fixes

  • MED: Timing attack vulnerability in Management Console.