ghe-repl-setup to hang.
github_audit log stream are logged twice.
GitHub Enterprise 2.0 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Thanks!
The GitHub Team
GitHub Enterprise 2.0 will be deprecated as of January 1, 2016. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
.mediawiki suffix could leak information to the Google Chart API when they were displayed.
Kernel and packages have been updated to the latest security versions.
Ubuntu packages have been updated to the latest security versions.
Ubuntu kernel and packages have been updated to the latest security versions.
LOW: Update libssh to address denial of service vulnerabilities CVE-2014-8132 and CVE-2015-3145.
Note the 2.0.x releases are not susceptible to the XSS vulnerability mentioned in the 2.1.6 release notes.
public_repo scope, requests for lists of issues would return issues from private repositories.
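The fix above implies a scope check that the issue-listing path was skipping. As an added example (not code from the release notes and not GitHub's own implementation), the broken filter is shown beside the corrected one, together with a helper you can run over the JSON body a public_repo-scoped token gets back from the issues API after upgrading, to confirm no private repository appears. The function names and the sample issues are assumptions made for the example; the `repository.private` field follows the shape of GitHub's issues API response.

```python
"""Scope enforcement for issue listings: broken filter, corrected filter,
and a check to run against a real response body.

Added example; not code from the release notes or from GitHub Enterprise.
visible_issues*, audit_issue_listing and the sample data are assumptions
made for the example.
"""
import json
from typing import Dict, List, Set

# As GitHub documents its OAuth scopes: "repo" grants access to private
# repositories (and implies public_repo); "public_repo" does not.
PRIVATE_REPO_SCOPES: Set[str] = {"repo"}

# Constructed sample in the shape of a GET /issues response body, where each
# issue carries a "repository" object with a "private" flag. Not a capture.
SAMPLE_ISSUES: List[Dict] = [
    {"number": 1, "title": "Public bug report",
     "repository": {"full_name": "acme/website", "private": False}},
    {"number": 7, "title": "Rotate the deploy credentials",
     "repository": {"full_name": "acme/infra", "private": True}},
    {"number": 3, "title": "Docs typo",
     "repository": {"full_name": "acme/docs", "private": False}},
    {"number": 9, "title": "Incident postmortem",
     "repository": {"full_name": "acme/infra", "private": True}},
]
SAMPLE_RESPONSE = json.dumps(SAMPLE_ISSUES)


def visible_issues_broken(issues: List[Dict], scopes: Set[str]) -> List[Dict]:
    """Pre-fix behaviour: the token's scopes are never consulted, so a
    public_repo token receives issues from private repositories too."""
    return list(issues)


def visible_issues(issues: List[Dict], scopes: Set[str]) -> List[Dict]:
    """Corrected filter: private-repository issues require the repo scope;
    a token with only public_repo (or no scope at all) sees public ones."""
    can_read_private = bool(scopes & PRIVATE_REPO_SCOPES)
    return [i for i in issues
            if can_read_private or not i["repository"]["private"]]


def audit_issue_listing(body: str, scopes: Set[str]) -> List[str]:
    """Given a raw response body and the scopes of the token that fetched it,
    return the private repositories that should not have appeared (sorted,
    de-duplicated). An empty list means the listing respected the scope."""
    issues = json.loads(body)
    if scopes & PRIVATE_REPO_SCOPES:
        return []
    return sorted({i["repository"]["full_name"] for i in issues
                   if i["repository"]["private"]})


if __name__ == "__main__":
    leaked = audit_issue_listing(SAMPLE_RESPONSE, {"public_repo"})
    print("private repositories leaked to a public_repo token:", leaked or "none")
```

To use `audit_issue_listing` against a live instance, fetch `/api/v3/issues` with a token that carries only `public_repo` and pass the response body and `{"public_repo"}`; any repository it returns is one the token should not be able to see.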
ghe-repl-promote.
ghe-org-owner-promote command line utility is currently broken.
ghe-repl-promote was fixed in 2.0.2.
NameID, but didn't include email as a released attribute, users could sign in the first time but couldn't sign in again after signing out.
ghe-repl-status was really slow. We made it faster.
ghe-repl-status was missing how far behind replication was.
github_audit log stream.
undefined instead of the hostname and Ruby version.
nice so it won't affect anything else).
ghe-upgrade.
https://enterprise.github.com/releases/2.0.6
The following important security vulnerabilities have been fixed in the 2.0.6 release:
gethostbyname. Also known as the GHOST vulnerability.
Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
If you have any questions, please contact support at enterprise@github.com
Thanks!
The GitHub Team
ntpd.
Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet that executes arbitrary code at the privilege level of the ntpd process.
This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.
Mitigation
If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:
sudo ufw delete allow ghe-123
If you have any questions, please contact support at enterprise@github.com
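If you apply the temporary mitigation rather than upgrading, it is worth confirming that the rule is actually gone and that the firewall is still active. The script below is an added example (not part of the release notes and not GitHub's tooling): it parses the output of `sudo ufw status`, reports any rule that still admits traffic to port 123 (the appliance's `ghe-123` application profile, or a raw port rule), and treats an inactive firewall as unmitigated. The sample outputs and the function names are assumptions made for the example.

```python
"""Verify the NTP firewall mitigation on an appliance that cannot be
upgraded yet.

Added example, not part of the release notes. It parses `sudo ufw status`
output and reports rules that still ALLOW traffic to port 123. The sample
text and the function names are assumptions made for the example.
"""
import re
import subprocess
from typing import List

# Constructed samples in the shape `ufw status` prints when application
# profiles are in use (not captured from a real appliance). STATUS_AFTER is
# what STATUS_BEFORE looks like once `sudo ufw delete allow ghe-123` has run.
STATUS_BEFORE = """Status: active

To                         Action      From
--                         ------      ----
ghe-22                     ALLOW       Anywhere
ghe-123                    ALLOW       Anywhere
ghe-443                    ALLOW       Anywhere
ghe-22 (v6)                ALLOW       Anywhere (v6)
ghe-123 (v6)               ALLOW       Anywhere (v6)
"""

STATUS_AFTER = """Status: active

To                         Action      From
--                         ------      ----
ghe-22                     ALLOW       Anywhere
ghe-443                    ALLOW       Anywhere
ghe-22 (v6)                ALLOW       Anywhere (v6)
"""

# "To" column values that admit NTP: the ghe-123 profile, or port 123 with
# or without a protocol suffix.
NTP_TARGET = re.compile(r"^(ghe-123|123(/(udp|tcp))?)$")


def ntp_allow_rules(status_text: str) -> List[str]:
    """Return every rule line that ALLOWs traffic to port 123 (v4 and v6)."""
    hits = []
    for line in status_text.splitlines():
        tokens = line.split()
        # Rule rows: <to> [(v6)] <ALLOW|DENY|REJECT|LIMIT> [IN|OUT] <from>
        if len(tokens) < 3:
            continue
        target = tokens[0]
        rest = tokens[2:] if tokens[1] == "(v6)" else tokens[1:]
        if NTP_TARGET.match(target) and rest[0].upper() == "ALLOW":
            hits.append(line.strip())
    return hits


def ntp_mitigated(status_text: str) -> bool:
    """True only if ufw is active and no rule admits traffic to port 123.
    An inactive firewall counts as unmitigated: nothing is filtering."""
    stripped = status_text.strip()
    first = stripped.splitlines()[0] if stripped else ""
    if not first.startswith("Status: active"):
        return False
    return not ntp_allow_rules(status_text)


def check_live_firewall() -> bool:
    """Run `sudo ufw status` on this host and evaluate it."""
    out = subprocess.run(["sudo", "ufw", "status"], check=True,
                         capture_output=True, text=True).stdout
    return ntp_mitigated(out)


if __name__ == "__main__":
    for label, text in (("before", STATUS_BEFORE), ("after", STATUS_AFTER)):
        print(label, "mitigated:", ntp_mitigated(text), ntp_allow_rules(text))
    # On the appliance call check_live_firewall(); if it returns False, run
    #   sudo ufw delete allow ghe-123
    # and re-check.
```

Note that this only confirms the firewall side of the mitigation; ntpd itself keeps listening on the host, and the only complete fix is the upgraded package in this release.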
ghe-upgrade runs even though the license file is present.
Yesterday a critical Git security vulnerability was announced that affects all versions of the official Git client and all related software that interacts with Git repositories.
While GitHub Enterprise itself is not directly affected, it may be used as a distribution point for an attacker to reach unpatched clients. This release detects and blocks malicious trees from being pushed to an Enterprise instance, eliminating it as an attack vector.
It is critical to note that this release only provides mitigation against low-level attacks where a user with write access could attempt to push malicious files to a GitHub Enterprise instance. It does not prevent interactions with malicious external Git servers that can open up command-line level attack vectors, as those must be dealt with at the Git client level.
For full protection, we strongly recommend you ensure that all developers update their Git clients, in addition to upgrading to this release. Installing this update alone does not mean your organization is fully safe against this vulnerability. The only way to make sure none of your developers are vulnerable is to have everyone upgrade their Git client.
More details on the vulnerability can be found in the official Git mailing list announcement, on the git-blame blog, and on the GitHub blog.
If you have any questions, please contact support at enterprise@github.com
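The vulnerability the note refers to (announced with the git 2.2.1 release in December 2014; the note itself does not name it) concerns tree entries that are not literally `.git` but collapse to it on case-insensitive filesystems: case variants such as `.GIT`, names padded with code points HFS+ ignores, and on NTFS the 8.3 short name `GIT~1` or names with trailing dots and spaces. A checkout of such a tree can overwrite hooks in the client's `.git` directory, which is why the fix is a client-side one, and why a server that rejects these entries at push time removes itself as a distribution point, as this release does. The checker below is an added example of that server-side check, not GitHub's implementation and not git's own `core.protectHFS`/`core.protectNTFS` code; the function names and the sample tree listing are assumptions made for the example.

```python
"""Flag tree paths that collapse to ".git" on case-insensitive filesystems.

Added example; not GitHub Enterprise's implementation. Function names and
the sample listing are assumptions made for the example. The normalisation
follows the rules git 2.2.1 applies when rejecting such entries.
"""
import subprocess
from typing import Iterable, List

# Code points HFS+ ignores when comparing file names, so ".g<U+200C>it"
# resolves to the same directory as ".git" on macOS.
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def normalise_component(name: str) -> str:
    """Reduce one path component to the form a case-insensitive filesystem
    looks it up under: drop HFS+ ignorable code points, case-fold, and strip
    trailing dots and spaces (NTFS discards those when creating a file)."""
    kept = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    return kept.casefold().rstrip(". ")


def is_dotgit_component(name: str) -> bool:
    """True if the component would resolve to the .git directory, whether by
    case (.GIT), by ignorable code points, by the NTFS 8.3 short name
    (GIT~1), or by trailing dots/spaces (".git.")."""
    return normalise_component(name) in {".git", "git~1"}


def dangerous_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths from a tree listing that contain a .git-equivalent
    component at any depth, preserving listing order."""
    return [p for p in paths
            if any(is_dotgit_component(c) for c in p.split("/"))]


def scan_rev(rev: str = "HEAD", repo: str = ".") -> List[str]:
    """Run the check over a real tree. `git ls-tree -r -z --name-only <rev>`
    lists every leaf path, NUL-separated and unquoted."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "-z", "--name-only", rev],
        check=True, capture_output=True).stdout
    names = [n.decode("utf-8", "surrogateescape")
             for n in out.split(b"\0") if n]
    return dangerous_paths(names)


# Constructed tree listing (not from a real repository). Only the last five
# entries should be rejected; ".gitignore" and ".github/" are legitimate.
SAMPLE_TREE = [
    "README.md",
    ".gitignore",
    ".github/ISSUE_TEMPLATE.md",
    "src/main.c",
    ".GIT/hooks/post-checkout",           # case variant
    ".g\u200cit/hooks/post-checkout",     # zero-width non-joiner inside
    "GIT~1/hooks/post-checkout",          # NTFS 8.3 short name for .git
    ".git./config",                       # trailing dot
    "vendor/.Git /HEAD",                  # trailing space, nested directory
]

if __name__ == "__main__":
    for path in dangerous_paths(SAMPLE_TREE):
        print("would reject:", repr(path))
```

In a pre-receive hook the same check would run `scan_rev` over each pushed commit and reject the push when the list is non-empty; as the note says, that protects clients pulling from this instance but does nothing for clients that clone from elsewhere, which still need the updated Git.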
default.
s rather than any key to start network setup.
/usr/local/bin/ghe-btop utility to query the status of babeld.
ghe-user-csv command line utility didn't include email addresses in some circumstances.
ghe-restore, maintenance mode was automatically enabled, which could be confusing. Maintenance mode now has to be enabled manually through the management console, using the management console API, or using the ghe-maintenance command line utility.
ghe-upgrade expects the upgrade filename to be github-enterprise-esx-2.0.2.pkg on VMWare or github-enterprise-ami-2.0.2.pkg on AWS.
ghe-repl-promote was fixed in this release.
collectd and log data were not preserved through upgrades.
Z for compliance with the SAML Core 1.3.3 standard.
ghe-mysql-checksum script to checksum InnoDB tables.
Major change: DNS settings are no longer configured via the Management Console, and any custom nameservers specified via the console will be lost after upgrading to 2.0.1.
When configured to use DHCP, GitHub Enterprise now relies on the DNS nameservers provided by the DHCP server. This is the default configuration for GitHub on AWS, and no changes are required when upgrading an EC2 instance.
If you are using DHCP on VMWare and your server does not provide nameservers, or if you need custom nameservers that are different from your DHCP lease, please add them to /etc/resolvconf/resolv.conf.d/head after upgrading.
If you are using a static IP configuration, please reconfigure static network configuration after upgrading to 2.0.1, either via tty1 or sudo ghe-setup-network -v.
Note: You may also choose to add custom nameservers to /etc/resolvconf/resolv.conf.d/head before running ghe-upgrade. These settings will be retained across the upgrade to 2.0.1 and future releases.
The 2.0.1 release ships with some known issues that we were unable to fix before release. If any of these will cause major problems for your organization, we recommend waiting for 2.1.0 or 2.0.2 before upgrading.
ghe-restore should require that maintenance mode is enabled before restoring.
ghe-repl-status-git is CPU intensive and may be slow on the primary node.
ghe-user-csv script doesn't return valid email addresses.
servolux filename:Gemfile.
ghe-upgrade command-line tool over SSH.
sudo access to perform regular administrative tasks and troubleshooting.
Supported LDAP servers are now Active Directory, FreeIPA, Oracle Directory Server Enterprise Edition, OpenLDAP, Open Directory and 389 Directory Server. These are the servers that we will test before shipping a GitHub Enterprise release. If you need support for another LDAP server please contact GitHub Enterprise Support.
Enterprise 2.0 OVAs will no longer run with VirtualBox. VirtualBox has previously offered a poor customer experience for GitHub Enterprise. The supported hypervisors are VMware ESX and Amazon Web Service's EC2. VMware desktop products (e.g. VMware Workstation, VMware Fusion, VMware Player) are supported for trial purposes but should not be used in production.
The 2.0.0 release ships with some known issues that we were unable to fix before release. If any of these will cause major problems for your organization, we recommend waiting for 2.1.0 or 2.0.1 before upgrading.
ghe-restore should require that maintenance mode is enabled before restoring.
ghe-repl-status-git is CPU intensive and may be slow on the primary node.
collectd data is not preserved through upgrades.
ghe-user-csv script doesn't return valid email addresses.