`window.opener` when linking from GitHub Enterprise hosted Markdown content.
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team
`window.opener` when linking from GitHub Enterprise hosted Markdown content.
`ghe-snmpv3-remove-user` did not remove all account data, preventing administrators from updating the password for the SNMPv3 user.
`ghe-set-password` command could result in unexpected shell behavior.
`ghe-legacy-github-services-report`.
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team
A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.
The affected supported versions are:
Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.
`waagent` and `walinuxagent`.
`ghe-org-admin-promote` command-line utility would fail when attempting to promote a user without two-factor-authentication enabled as an admin of an org where two-factor authentication is required.
`User-Agent` has been added to `Access-Control-Allow-Headers` to support API clients which follow the Fetch specification.
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team
`connect` timeout has been increased to allow up to four retries during a cluster restore.
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team
`/stafftools/users/ldap` had layout and accessibility issues.
`Host` header when requesting a Pages site would return a 404 error.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team
`/etc` directory.
`NameID`. (updated 2018-06-25)
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
Thanks!
The GitHub Team
A number of critical Git security vulnerabilities were recently announced that affect all versions of the official Git client.
We strongly recommend that you ensure that all users update their Git clients, in addition to upgrading to this GitHub Enterprise release.
More details on these vulnerabilities can be found in the official announcement, and the associated CVEs, CVE-2018-11233 and CVE-2018-11235.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
A number of critical Git security vulnerabilities were recently announced that affect all versions of the official Git client.
We strongly recommend that you ensure that all users update their Git clients, in addition to upgrading to this GitHub Enterprise release.
More details on these vulnerabilities can be found in the official announcement, and the associated CVEs, CVE-2018-11233 and CVE-2018-11235. (updated 2018-05-30)
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`collectd.log` contained superfluous Elasticsearch plugin warnings.
`ghe-migrator` failed to import a GitHub.com migration archive when a pull request's requested reviewer was not a member of the organization.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`ghe-migrator`.
`ghe-migrator` failed when the user was not a member of the organization at the time of export.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests.
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`documentation_url` field in some GraphQL API v4 responses referred to the REST API v3 documentation rather than the GraphQL API v4 documentation.
`403 Forbidden` response for some Git LFS-tracked files.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`ghe-migrator` can be wrong.
`ghe-repl-status` could show an inaccurate count when Alambic replication was behind.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`ghe-migrator`.
`ghe-migrator`.
`ghe-migrator`.
`500 internal server` error when submitting the form.
`gpgverify` service could consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator` can be wrong.
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`hookshot-unicorn` service could fail to start if there was a large backlog of webhook jobs.
`elasticsearch-upgrade` service was not stopped during the upgrade process when upgrading via a hotpatch. This could lead to unnecessary logging to the root disk.
`ghe-diagnostics` can now upload directly to GitHub using the `-u` or `-t [ticket reference]` options.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
This release addresses the Meltdown (CVE-2017-5754) attack. This has been fixed in the `3.16.51-3+deb8u1` release from Debian. Please note that this patch does not address the Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerability. A fix is not available for the Spectre vulnerability yet.
Internally conducted benchmarks indicate the performance impact is limited to a 2-5% increase in CPU usage on most platforms. The impact can vary depending on your usage and platform though. If you see a significant performance difference, don't hesitate to reach out to Enterprise Support.
The hotpatch contains an upgrade to the kernel and requires a reboot. The Meltdown attack is not fixed until a reboot is performed.
`ghe-dpages check-replicas` command could show an error incorrectly with widely dispersed geo replicas.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to extract data which is currently processed on the same machine. This also can affect GitHub Enterprise.
The risk to GitHub Enterprise depends on the environment that it runs in. There are two main vectors of attack that need to be considered.
Given that GitHub Enterprise runs on various virtualization platforms, it's essential to update the virtualization platform where possible to mitigate any of these issues. The existing patches and fixes almost all focus on solving Meltdown. Meltdown is more straightforward to fix and most providers focus on this first.
Spectre is more complicated to exploit and also more complicated to fix. KVM, for example, is not vulnerable to Meltdown but is vulnerable to Spectre, as shown by a proof of concept that Google tested in its original research (see https://googleprojectzero.blogspot.nl/2018/01/reading-privileged-memory-with-side.html, specifically the section "Reading host memory from a KVM guest"). This Spectre exploit was tested against a specific kernel version, but nothing implies it's impossible to adapt it for other kernel versions and/or other virtualization platforms.
The following Cloud and virtualization platforms have released announcements and/or fixes.
The vulnerability can also be exploited if there is code under the control of an attacker running on the same system. GitHub Enterprise has very limited support for custom code in the form of pre-receive hooks. Pre-receive hooks are limited such that administrators are the only ones who can set them up and their runtime execution is limited to 5 seconds. Both these aspects greatly limit the risk of data exposure through pre-receive hooks. As a general rule, administrators should ensure that only known and trusted pre-receive hooks are enabled on their appliance.
GitHub Enterprise is based on Debian Jessie. A fix for Meltdown is not yet available for Debian Jessie, as can be seen in the Debian CVE tracker for Meltdown. The new kernel version will be included in a future release of GitHub Enterprise and can potentially come with a performance regression. Accordingly, we recommend testing that release before putting it into production.
The primary risk for GitHub Enterprise installations is cross-guest or host <-> guest data leakage on the virtualization platform. This may be mitigated by the supported cloud hosting providers, or by the suppliers of virtualization software. There is very limited risk of externally supplied software running within the appliance obtaining data from other processes, and that risk is mitigated by administrators only enabling pre-receive hooks that are reviewed and trusted.
`root` user.
`hookshot-resqued` was restarted manually.
`$GITHUB_PULL_REQUEST_AUTHOR_LOGIN` environment variable was empty when pull requests were merged via the API.
`enterprise@github.com`) has been disabled. Please contact GitHub Enterprise Support using the Submitting a ticket article.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`ghe-migrator` are displayed in the wrong order.
`ghe-migrator`.
`ghe-migrator` can be wrong.
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`resqued` processes accumulated and caused out-of-memory (OOM) issues.
`CODEOWNERS` failed with CRLF line endings.
`ghe-migrator`.
`enforcement` could not be updated with the API.
`maintainer_can_modify` to `false` when the field was not a part of the request.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-20)
`ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
`ghe-migrator`. (updated 2017-12-20)
`ghe-migrator` can be wrong. (updated 2017-12-20)
`linux-image-3.16.51-2` and the workaround is to add the `numa=off` parameter to the kernel command line in `/boot/grub/grub.cfg`. Please contact GitHub Enterprise Support if you have questions. (updated 2017-12-28)
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`ghe-es-search-repair` script refused to run in a single instance environment.
`/var/log/github/exceptions.log`. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-19)
`ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
`ghe-migrator`. (updated 2017-12-20)
`ghe-migrator` can be wrong. (updated 2017-12-20)
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`ghe-migrator` if the repository is locked.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-19)
`/var/log/github/exceptions.log`. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
`ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
`ghe-migrator`. (updated 2017-12-20)
`ghe-migrator` can be wrong. (updated 2017-12-20)
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`ghe-set-password` when the appliance is in recovery mode.
`ghe-diagnostics` could output `Connection refused` line items when Redis, Memcached, or Elasticsearch services aren't running.
`apps`, the profile page at `/apps` showed an integrations landing page and repository pages at `/apps/<repository>` resulting in a `404 Not Found` response due to a conflict with an internal URL. (updated 2017-11-08)
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-19)
`/var/log/github/exceptions.log`. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
`ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
`ghe-migrator`. (updated 2017-12-20)
`ghe-migrator` can be wrong. (updated 2017-12-20)
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
In response to CVE-2017-15361, certain SSH authentication RSA keys that were generated by some YubiKey 4 devices are vulnerable to private key factorization. Such keys are considered cryptographically weak and therefore in need of replacement. To help users avoid vulnerable keys, GitHub Enterprise has added capabilities to detect and reject them from being configured for user authentication. GitHub Enterprise now includes an administration utility, `ghe-ssh-weak-fingerprints`, to enable admins to list any affected keys and, optionally, perform a bulk revocation.
The affected supported versions are:
This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.22, 2.9.14, 2.10.9, or 2.11.3.
Please contact GitHub Enterprise Support if you have questions.
`babeld` service required a manual restart after a hotpatch was applied.
`git lfs locks` to show the current locks on files tracked by Git LFS showed a user ID instead of a username.
`ghe-migrator` failed if an organization level Project referred to a repository that wasn't exported.
`$GITHUB_VIA` environment variable contained a truncated value.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
`apps`, the profile page at `/apps` shows an integrations landing page and repository pages at `/apps/<repository>` result in a `404 Not Found` response due to a conflict with an internal URL. (updated 2017-11-08)
`hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-19)
`/var/log/github/exceptions.log`. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
`ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
`ghe-migrator`. (updated 2017-12-20)
`ghe-migrator` can be wrong. (updated 2017-12-20)
`gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
`ghe-migrator`. (updated 2018-04-12)
`NameID`. (updated 2018-06-25)
The hotpatch contains an upgrade to the kernel and related packages and requires a reboot. The reboot can be performed at a later time after applying the hotpatch.
Thanks!
The GitHub Team
`Failed drop elasticsearch scan file` error.
`ghe-migrator`.
We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Custom firewall rules aren't maintained during an upgrade.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
GitHub Enterprise clustering cannot be configured without https.
Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
Hotpatch upgrades 2.11.2 could fail reloading the babeld service. If the upgrade fails, run the following command from the affected appliance(s):
```bash
$ sudo systemctl restart babeld
```
For a user or organization named `apps`, the profile page at `/apps` shows an integrations landing page and repository pages at `/apps/<repository>` result in a `404 Not Found` response due to a conflict with an internal URL. (updated 2017-10-24)
Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions. (updated 2017-10-27)
After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-11-09)
After changing HTTP proxy configuration in the Management Console, webhooks do not use the settings unless `hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-19)
The merge button could get stuck in the "Checking for ability to merge" state. (updated 2017-12-20)
Rebuilding a search index, including during an upgrade to this version, could cause many exceptions to be logged to `/var/log/github/exceptions.log`. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
Pull request review comments migrated with `ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
The pull request review request has users reversed, after migration with `ghe-migrator`. (updated 2017-12-20)
The comment count in the "Conversation" tab of a pull request migrated with `ghe-migrator` can be wrong. (updated 2017-12-20)
The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
The `gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using `ghe-migrator`. (updated 2018-04-12)
Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes `NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
This release has been withdrawn and is no longer available. Please upgrade to a newer version or contact support for assistance.
If you have already upgraded your appliance to GitHub Enterprise 2.11.1, please contact support for assistance.
`Failed drop elasticsearch scan file` error.
`ghe-migrator`.
We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Custom firewall rules aren't maintained during an upgrade.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
GitHub Enterprise clustering cannot be configured without https.
Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
Hotpatch upgrades from 2.11.0 to 2.11.1 and configuration updates could fail reloading the babeld service. If the upgrade or configuration update fails, run the following command from the affected appliance(s): (updated 2017-09-21)
```bash
$ sudo systemctl restart babeld
```
For a user or organization named `apps`, the profile page at `/apps` shows an integrations landing page and repository pages at `/apps/<repository>` result in a `404 Not Found` response due to a conflict with an internal URL. (updated 2017-10-24)
Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions. (updated 2017-10-27)
After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-11-09)
After changing HTTP proxy configuration in the Management Console, webhooks do not use the settings unless `hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-19)
The merge button could get stuck in the "Checking for ability to merge" state. (updated 2017-12-20)
Rebuilding a search index, including during an upgrade to this version, could cause many exceptions to be logged to `/var/log/github/exceptions.log`. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
Pull request review comments migrated with `ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
The pull request review request has users reversed, after migration with `ghe-migrator`. (updated 2017-12-20)
The comment count in the "Conversation" tab of a pull request migrated with `ghe-migrator` can be wrong. (updated 2017-12-20)
The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
The `gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using `ghe-migrator`. (updated 2018-04-12)
Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes `NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team
`README` and `CONTRIBUTING` files, in a repository's `docs` folder.
`SUPPORT` file for your project.
`/stafftools`.
`gh-pages` branch is deleted.
`ghe-cluster-config-node-init` could fail silently.
`#` from commit messages.
`.zip`, `.docx`, to conversations in issues and pull requests would fail.
`/tmp`. Running pre-receive hooks as an unprivileged dedicated user improves security by limiting access to the rest of the system from pre-receive hooks.
`samplicator`, the utility that sends statistics to the metrics servers in cluster environments, now runs as an unprivileged dedicated user.
GitHub Enterprise 2.11 requires at least GitHub Enterprise Backup Utilities 2.11.0 for Backups and Disaster Recovery.
GitHub Enterprise 2.8 will be deprecated as of November 9, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Custom firewall rules aren't maintained during an upgrade.
`svn checkout` may timeout while the repository data cache is being built. In most cases, subsequent `svn checkout` attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
GitHub Enterprise clustering cannot be configured without https.
Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
Upgrading a high availability environment from a 2.10 release to 2.11.0 could fail with the following error: (updated 2017-09-14)
```bash
$ ghe-upgrade ./github-enterprise-ami-2.11.0.pkg
*** verifying upgrade package signature...
725MiB 0:00:05 [ 141MiB/s] [===========================>] 100%
gpg: Signature made Tue 12 Sep 2017 05:03:10 AM UTC using RSA key ID 0D65D57A
gpg: Good signature from "GitHub Enterprise (Upgrade Package Key) <enterprise@github.com>"
*** applying update...
Scanning for incompatible Elasticsearch mappings...
waiting for ssh for [ghe-host-replica] to be available
ssh command returned 255
Failed drop elasticsearch scan file
```
If you encounter this error, run the following command from your primary or replica appliance before running `ghe-upgrade` again:
```bash
$ ghe-cluster-each -- sudo touch /data/user/common/es-scan-complete
```
Users may have a missing dashboard (i.e. default authenticated homepage) if they don't own or have direct collaboration permissions to any repositories. If users are encountering this error, they can work around this issue by creating a personal repository. (updated 2017-09-14)
For a user or organization named `apps`, the profile page at `/apps` shows an integrations landing page and repository pages at `/apps/<repository>` result in a `404 Not Found` response due to a conflict with an internal URL. (updated 2017-10-24)
Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions. (updated 2017-10-27)
After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-11-09)
After changing HTTP proxy configuration in the Management Console, webhooks do not use the settings unless `hookshot-resqued` is restarted manually via SSH by running: `sudo systemctl restart hookshot-resqued`. (updated 2017-12-19)
The merge button could get stuck in the "Checking for ability to merge" state. (updated 2017-12-20)
Rebuilding a search index, including during an upgrade to this version, could cause many exceptions to be logged to `/var/log/github/exceptions.log`. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
Pull request review comments migrated with `ghe-migrator` are displayed in the wrong order. (updated 2017-12-20)
The pull request review request has users reversed, after migration with `ghe-migrator`. (updated 2017-12-20)
The comment count in the "Conversation" tab of a pull request migrated with `ghe-migrator` can be wrong. (updated 2017-12-20)
The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
The `gpgverify` service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using `ghe-migrator`. (updated 2018-04-12)
Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes `NameID`. (updated 2018-06-25)
Thanks!
The GitHub Team