The 11.10.354 release is part of the 11.10.340 release series. No more security patches will be released in this series after 7 July 2015, even for critical security issues. All customers are encouraged to upgrade to the latest release.
Thanks!
The GitHub Team
The 11.10.353 release for GitHub Enterprise is now available for download from https://enterprise.github.com/download. The full release notes for 11.10.353 follow:
Researchers from INRIA, Microsoft Research and IMDEA have discovered a vulnerability that can cause affected servers to use weakened encryption on SSL connections, making it easier for an attacker with access to the connection to decrypt the communication.
GitHub Enterprise versions 2.0.7, 2.1.0 and newer are not vulnerable to this attack as they were already updated to OpenSSL 1.0.1-4ubuntu5.21 before this attack was published.
The 11.10.353 release is part of the 11.10.340 release series. No more security patches will be released in this series after 7 July 2015, even for critical security issues. All customers are encouraged to upgrade to the latest release.
The following important security vulnerability has been fixed in the 11.10.352 release:
gethostbyname. Also known as the GHOST vulnerability.Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
If you have any questions, please contact support at enterprise@github.com
Thanks!
The GitHub Team
ntpd.Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet with malicious arbitrary code that will execute at the privilege level of the ntpd process.
This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.
Mitigation
If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:
sudo ufw delete allow ghe-123
The rule will be re-enabled if settings are saved or a configuration run is performed. To prevent the rule from being restored, SSH into the appliance and run:
sudo rm /data/enterprise/cookbooks/ufw/files/default/ufw_apps/ghe-123
sudo rm /etc/ufw/applications.d/ghe-123
If you have any questions, please contact support at enterprise@github.com
Yesterday a critical Git security vulnerability was announced that affects all versions of the official Git client and all related software that interacts with Git repositories.
While GitHub Enterprise itself is not directly affected, it may be used as a distribution point for an attacker to reach unpatched clients. This release detects and blocks malicious trees from being pushed to an Enterprise instance, eliminating it as an attack vector.
It it critical to note that this release only provides mitigation against low-levels attacks where a user with write access could attempt to push malicious files to a GitHub Enterprise instance. It does not prevent interactions with malicious external Git servers that can open up command-line level attack vectors, as those must be dealt with at the Git client level.
For full protection, we strongly recommend you ensure that all developers update their Git clients, in addition to upgrading to this release. Installing this update alone does not mean your organization is fully safe against this vulnerability. The only way to make sure none of your developers are vulnerable is to have everyone upgrade their Git client.
More details on the vulnerability can be found in the official Git mailing list announcement, on the git-blame blog, and on the GitHub blog.
If you have any questions, please contact support at enterprise@github.com
A bug in Chrome caused our security middleware to incorrectly forbid file uploads, causing an empty response. This could cause initial installation, upgrades, or unlocking with a license file to fail for all instances using the 11.10.320 OVA. The bug is fixed in the 11.10.320.1 OVA included with this release.
Google researchers have found a critical vulnerability in the SSLv3 protocol. This protocol is very old and has been replaced with TLS 1.0, 1.1 and 1.2. Due to the vulnerability we have disabled SSLv3 support by default in 11.10.348.
We strongly recommend against reenabling SSLv3 but if it is needed after upgrading to 11.10.348 by legacy software the following steps will reenable it:
ghe-unlock
WARNING: This command opens root access to the admin user via sudo. It is
provided as a troubleshooting facility and should be used only under the
guidance of GitHub Enterprise support.
While unlocked, any user with admin SSH access will have full root access to
the VM. Please use with caution and run the ghe-lock command when finished to
prevent accidental modification of system files.
Do you understand? [Y/n] Y
Okay. Full sudo access via the admin user is now enabled.
Replace the line ssl_protocols TLSv1 TLSv1.1 TLSv1.2; in /etc/nginx/sites-enabled/github.conf with ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;:
sudo sed 's/ssl_protocols TLSv1 TLSv1.1 TLSv1.2/ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2/' -i /etc/nginx/sites-enabled/github.conf
sudo service nginx reload
You can verify if the change was successful by running the following command from outside the instance:
openssl s_client -connect my-enterprise-instance:443 -ssl3
This should show a message similar to the following:
CONNECTED(00000003)
..
Server certificate
-----BEGIN CERTIFICATE-----
posixGroup membership checks failed improperly.This release also includes all features and bug fixes from 11.10.340, including:
go-import meta tag.posixGroup and groupOfUniqueNames in addition to the current groupOfNames.Mirrors filter on repositories listing.