GitHub Enterprise 2.13.23 March 26, 2019

Bug Fixes

  • Certain scenarios resulted in a sign out message being displayed incorrectly.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.

Deprecation of GitHub Enterprise Server 2.13

GitHub Enterprise Server 2.13 will be deprecated as of March 27, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.22 March 13, 2019

Arbitrary file content disclosure vulnerability in GitHub Enterprise Server

A CRITICAL issue was identified in Rails that allows an attacker to send a specially crafted request that could allow arbitrary files to be read and the file content to be disclosed.

The affected supported versions are:

  • 2.13.0 - 2.13.21
  • 2.14.0 - 2.14.15
  • 2.15.0 - 2.15.8
  • 2.16.0 - 2.16.3

All older, no longer supported versions are also affected.

We strongly urge upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.13.22, 2.14.16, 2.15.9, 2.16.4, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

Security Fixes

  • CRITICAL: A specially crafted request could allow arbitrary files to be read and the file content to be disclosed. For more information see the associated Rails CVE: CVE-2019-5418.
  • HIGH: High CPU usage could be triggered by a specially crafted request resulting in Denial of Service (DoS). For more information see the associated Rails CVE: CVE-2019-5419.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • In rare circumstances, a race condition could lead to repository data loss if an automated background maintenance job was triggered during a configuration update.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.21 February 26, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.20 February 13, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Entries for the babeld.log, gitauth.log, production.log, resqued.log and unicorn.log log files were truncated when forwarded to a central log server.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.19 January 29, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Webhooks continued to be delivered via a proxy server after removing the proxy configuration.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.18 January 15, 2019

Bug Fixes

  • Repositories migrated with ghe-migrator were not automatically re-indexed, so they weren't returned in search results until manually re-indexed.
  • Users could encounter a 500 Internal Server Error when viewing a pull request on a repository imported with ghe-migrator that contains references to another pull request the user does not have access to.

Changes

  • Wikis for forked repositories now have the "Restrict access to collaborators" setting enabled by default.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.17 December 11, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • 404 Not Found errors were shown in the browser console for some script requests when using the code editor.
  • The import of project boards with ghe-migrator failed when the creator of a card on the board no longer exists on the source instance.
  • Migrating a repository with ghe-migrator could lead to an incorrect mapping between links to pull requests and the correct pull requests.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.16 November 27, 2018

Security Fixes

  • CVE-2018-16471 was addressed by updating Rack.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A stale temporary file could prevent an object managed by the Alambic service, which handles binary data such as avatars and image attachments, from syncing to HA or cluster replica nodes.
  • Attempting to save settings in the Management Console incorrectly raised a validation error when an already saved TLS certificate or private key contained bag attributes.
  • /var/log/error was not automatically rotated with logrotate and could sometimes use too much disk space.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance.

Thanks!

The GitHub Team

GitHub Enterprise 2.13.15 November 13, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Checking the replication status on a replica during a reboot of the primary could prevent replication for Git pre-receive hooks.
  • Text between a pair of double underscores, such as __init__, was removed in code blocks in MediaWiki-formatted pages.
  • After signing in, users were sometimes shown the contents of the manifest.json file instead of being redirected to the correct location in the user interface.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.14 October 30, 2018

Security Fixes

  • The version string presented when using Git over SSH was misleading, causing security scanners to incorrectly report GitHub as vulnerable.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • All non-root connections to the cloud provider metadata IP address (169.254.169.254) were blocked, preventing Google Cloud load balancer health checks from working correctly.
  • Installing a hotpatch when replication is not setup displayed a harmless error message: grep: /etc/github/repl-state: No such file or directory.
  • Rate limiting was enforced when adding members to organizations.
  • Using ghe-migrator to import a repository including a protected branch which has null in the creator entry failed.
  • The import of protected branches with ghe-migrator failed when the creator of the protected branch no longer existed on the source instance.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.13 October 09, 2018

Security Fixes

  • The git package has been updated to detect malicious Git submodules that could be used to exploit CVE-2018-17456.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The access control list (ACL) of configuration files transferred to replica nodes could be lost when configuring High Availability replication.
  • The Grafana monitor dashboard truncated background jobs in the graph's legend.
  • Organization migrations could fail to be exported if a pull request review comment could not be encoded properly.
  • Pull request review requests weren't satisfied if a member of a subteam completed the review.

Changes

  • The osqueryi utility has been added to the GitHub Enterprise environment.
  • GitHub Enterprise is now available in Azure Government. (updated 2018-10-18)

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.12 September 25, 2018

Security Fixes

  • CRITICAL: A file path traversal vulnerability in the jekyll-remote-theme gem of GitHub Pages could allow users to display the content of local files.

Bug Fixes

  • GitHub Enterprise API responses would not be compressed when requested with gzip encoding.
  • Webhooks could fail to be delivered if the compressed payload was greater than 1 MB.
  • Upgrades could fail with Connection timed out if the hookshot service was unable to run migrations due to a firewall update that ran out of order.
  • Repository replication records may be created inconsistently, resulting in unreported replication failures. This type of replication failure is now reported in ghe-repl-status.
  • ghe-repl-setup allowed re-adding the same node as a replica.
  • Using Safari, administrators were unable to schedule a future hotpatch upgrade from the Management Console due to an incompatible date parse.
  • ghe-config-check would hang if run without any arguments.
  • hookshot logs weren't purged properly in Elasticsearch and could consume large amounts of disk space.
  • Migrations with ghe-migrator could fail to complete trying to add the same label to an issue.
  • The pull request page could fail to load with a 500 Internal Server Error if a reviewer is no longer a member of the GitHub Enterprise environment.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.11 September 11, 2018

Security Fixes

  • LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Promoting a replica could take an excessive amount of time in a multi-replica environment.
  • Incorrect legends were displayed in the LDAP Management Console graphs.
  • Self-signed TLS certificates would fail to generate on Azure instances.
  • Tags created through a release contained incomplete reflog data.
  • Organizations could be incorrectly suspended via the Suspend User REST API.
  • Email visibility could be incorrectly toggled via the REST API.
  • Rate limits on the raw and archive endpoints were left enabled even when configured to be disabled.
  • Users can no longer accidentally upload their private PGP keys.

Changes

  • Optimise Elasticsearch backup process by preferring local copies of indices.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.10 August 28, 2018

A file path traversal vulnerability in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

  • 2.12.0 - 2.12.17
  • 2.13.0 - 2.13.9
  • 2.14.0 - 2.14.3

GitHub Enterprise 2.11 is not vulnerable.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.18, 2.13.10, 2.14.4, or greater.

Security Fixes

  • CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files.
  • MEDIUM: Access may have been inadvertently granted to internal IP addresses of GitHub Enterprise. The fix removed any access grants via an IP address.
  • LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Corrupted Consul configuration data could prevent appliance configuration changes from completing successfully.
  • Deleting an SNMPv3 user via ghe-snmpv3-remove-user did not remove all account data, preventing administrators from updating the password for the SNMPv3 user.
  • Terminating the ghe-set-password command could result in unexpected shell behavior.
  • Messages sent from the email service hook failed due to a recent security update.
  • Adding a new integration failed if the license seat limit was reached.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.9 August 21, 2018

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker with repository admin or owner privileges to execute arbitrary commands on the appliance.

The affected supported versions are:

  • 2.11.0 - 2.11.23
  • 2.12.0 - 2.12.16
  • 2.13.0 - 2.13.8
  • 2.14.0 - 2.14.2

Errata: A file path traversal vulnerability in GitHub Enterprise

GitHub Enterprise 2.14.3, 2.13.9, and 2.12.17 were not patched properly and are still vulnerable to the file path traversal vulnerability. GitHub Enterprise 2.14.4, 2.13.10, and 2.12.18 will ship next week to address this vulnerability. As a manual workaround, you can disable Pages on the GitHub Enterprise environment. (updated 2018-08-23)

A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.

The affected supported versions are:

  • 2.12.0 - 2.12.17 (previously listed as 2.12.0 - 2.12.16; corrected 2018-08-23)
  • 2.13.0 - 2.13.9 (previously listed as 2.13.0 - 2.13.8; corrected 2018-08-23)
  • 2.14.0 - 2.14.3 (previously listed as 2.14.0 - 2.14.2; corrected 2018-08-23)

GitHub Enterprise 2.11 is not vulnerable.

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.17, 2.13.9 or 2.14.3.

Due to a change in the implementation on GitHub Enterprise 2.12 and later, it is not possible to apply the same fix to GitHub Enterprise 2.11 for the remote code execution vulnerability. We strongly recommend upgrading GitHub Enterprise 2.11 to 2.12 or newer.
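The affected-version tables in the Rails advisory (2.13.22), the Pages path traversal advisory (2.13.10, with its errata) and this RCE advisory span four release series each, and the patch level that closes one advisory does not close the others. The following Python script is an added example, not GitHub tooling: it encodes the ranges exactly as this page states them and reports, for a given appliance version, which advisories still apply and the upgrade target each advisory names. The version strings it checks are constructed samples, and the advisory names are labels chosen here.

```python
"""Check a GitHub Enterprise Server 2.x version against the three advisories
in these release notes. Added example; not GitHub's own tooling."""
from typing import Dict, List, NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    name: str
    # series (the "13" in 2.13.x) -> inclusive (first, last) affected patch level
    affected: Dict[int, Tuple[int, int]]
    # series -> first patched level; None means the page states no fix exists
    fixed_in: Dict[int, Optional[int]]
    # True when the page says older, unsupported series are also affected
    older_series_affected: bool


# Ranges copied from the advisories on this page; names are labels chosen here.
ADVISORIES: List[Advisory] = [
    Advisory(
        name="Rails file content disclosure (CVE-2019-5418) / DoS (CVE-2019-5419)",
        affected={13: (0, 21), 14: (0, 15), 15: (0, 8), 16: (0, 3)},
        fixed_in={13: 22, 14: 16, 15: 9, 16: 4},
        older_series_affected=True,
    ),
    Advisory(
        name="GitHub Pages file path traversal (2.13.10 advisory, with 2018-08-23 errata)",
        affected={12: (0, 17), 13: (0, 9), 14: (0, 3)},
        fixed_in={12: 18, 13: 10, 14: 4},
        older_series_affected=False,  # page: 2.11 is not vulnerable
    ),
    Advisory(
        name="Remote code execution with SSRF (2.13.9 advisory)",
        affected={11: (0, 23), 12: (0, 16), 13: (0, 8), 14: (0, 2)},
        fixed_in={11: None, 12: 17, 13: 9, 14: 3},  # no 2.11 fix: move to 2.12+
        older_series_affected=False,
    ),
]

# Page: 2.13 is deprecated as of March 27, 2019 (no further patches).
DEPRECATED_SERIES = {13: "2019-03-27"}


def parse_version(text: str) -> Tuple[int, int]:
    """Turn '2.13.9' into (series=13, patch=9); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitHub Enterprise version: {text!r}")
    major, series, patch = (int(p) for p in parts)
    if major != 2:
        raise ValueError("only 2.x versions are covered by these notes")
    return series, patch


def assess(text: str) -> List[Tuple[str, str, str]]:
    """Return one (advisory, status, action) tuple per advisory.

    status is 'affected', 'patched' or 'not listed'; action is the upgrade
    target the advisory names, or 'none'.
    """
    series, patch = parse_version(text)
    findings = []
    for adv in ADVISORIES:
        if series in adv.affected:
            first, last = adv.affected[series]
            if first <= patch <= last:
                fix = adv.fixed_in[series]
                action = (f"upgrade to 2.{series}.{fix} or later" if fix is not None
                          else f"no fix for 2.{series}; upgrade to a newer series")
                findings.append((adv.name, "affected", action))
            else:
                findings.append((adv.name, "patched", "none"))
        elif adv.older_series_affected and series < min(adv.affected):
            findings.append((adv.name, "affected",
                             f"2.{series} is unsupported; upgrade to a supported series"))
        else:
            findings.append((adv.name, "not listed", "none"))
    return findings


def needs_upgrade(text: str) -> bool:
    """True if any advisory on this page still applies to the version."""
    return any(status == "affected" for _, status, _ in assess(text))


def deprecation_note(text: str) -> Optional[str]:
    """Flag a series the page says receives no further patches."""
    series, _ = parse_version(text)
    date = DEPRECATED_SERIES.get(series)
    return f"2.{series} receives no patches after {date}" if date else None


if __name__ == "__main__":
    # Constructed sample versions, not real inventory.
    for sample in ("2.11.5", "2.13.9", "2.13.22", "2.16.4"):
        print(f"{sample}: needs upgrade = {needs_upgrade(sample)}")
        for name, status, action in assess(sample):
            print(f"  {status:<10} {name}: {action}")
        note = deprecation_note(sample)
        if note:
            print(f"  note: {note}")
```

Run against a version such as 2.13.9 it reports the Rails disclosure and the Pages traversal as still open (targets 2.13.22 and 2.13.10) while the RCE advisory is closed, which is exactly the situation the errata above describes. A 2.11 appliance gets the "no fix" action for the RCE advisory, matching the statement that 2.11 must move to 2.12 or newer.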

Security Fixes

  • CRITICAL: An attacker with repository admin or owner privileges could execute arbitrary commands on the appliance.
  • CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files. (updated 2018-08-23)
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Harmless 'Cannot add dependency job for unit cloud-config.service, ignoring' messages were reported to syslog when booting non-cloud based appliances.
  • MySQL procedures executed when MySQL starts could fail if tables don't exist yet. This could prevent MySQL replication from starting in cluster and high availability environments.
  • Hotpatching on Azure would fail due to a package conflict between waagent and walinuxagent.
  • The public pages for GitHub Apps responded with a 500 Internal Server Error on some installations that use SAML or CAS for authentication.
  • The ghe-org-admin-promote command-line utility would fail when attempting to promote a user without two-factor-authentication enabled as an admin of an org where two-factor authentication is required.
  • New repository maintenance jobs would attempt to start whilst another maintenance job was still running on very large repositories.

Changes

  • Restoring cluster backups could fail if inconsistent repository data is stored in the backup. These cases are now logged and the restore allowed to continue when using backup-utils v2.14.2.
  • Feature upgrades in environments with a large number of labels would take longer than needed.
  • User-Agent has been added to Access-Control-Allow-Headers to support API clients which follow the Fetch specification.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Errata

  • GitHub Enterprise 2.13.9 was not patched properly and is still vulnerable to the file path traversal vulnerability. (updated 2018-08-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.8 August 07, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In high availability environments, Consul would attempt to communicate with the other node using the public IP address in addition to the VPN IP address. These are correctly blocked but result in a flood of errors in the system log.
  • The compare page could fail to load if a user of a fork of the repository has been deleted.
  • Redundant routes were created for archived gists when restoring to a cluster environment. This prevented archived gists from being unarchived.

Changes

  • The connect timeout has been increased to allow up to four retries during a cluster restore.
  • Repositories which failed periodic maintenance needed manual intervention. GitHub Enterprise now retries maintenance for failed repositories once per week.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.7 July 24, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The review requirement of a protected branch did not take into consideration a review created by a GitHub App.
  • Pages was not replicated properly when tearing down and re-attaching a former replica.
  • The "Files Changed" view failed to display all changes when the difference contained a type change and the difference was too large.
  • Built-in users would not have a password reset button available for administrators when external authentication was used with allowing built-in accounts.

Changes

  • GitHub Apps have been updated to allow archiving repositories.
  • GitHub Apps have been updated to allow reviewing pull requests.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.6 July 10, 2018

Security Fixes

  • MEDIUM: Environment variables passed to pre-receive hook scripts were not properly escaped.
  • LOW: It was possible to start a shell from the network configuration settings screen available on a virtual console.
  • LOW: Filtering of parameters in log files was changed from a blacklist of fields to a whitelist. This ensures that fewer values are logged and that in the future no values are accidentally logged.
  • LOW: The body of API requests containing sensitive data was written to log files on the appliance. The request body is now only logged for debugging purposes and sensitive data is scrubbed before being logged.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Parallel uploads of the same Git LFS object could fail but still be reported as successful.
  • A hotpatch could be applied to the appliance whilst a configuration run was in progress. This could lead to inconsistencies and unexpected behaviour.
  • Jupyter notebooks added to a Gist would fail to render on appliances with subdomain isolation disabled.
  • A pull request created via the API could be assigned an ID of 0.
  • The LDAP users page at /stafftools/users/ldap had layout and accessibility issues.
  • The Fork button was enabled for repositories in cases where a repository could not be forked anywhere.
  • Including the port in the Host header when requesting a Pages site would return a 404 error.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.5 June 19, 2018 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Pre-receive hooks would fail if the pre-receive environment lacked a /etc directory.
  • Active git processes were not displayed on the Management Console's maintenance page.
  • NameID format matching on SAML responses is too strict when the value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes the NameID. (updated 2018-06-25)

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Pull request review comments are missing from an import with ghe-migrator.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.4 June 05, 2018 Download

Git client vulnerabilities

A number of critical Git security vulnerabilities were recently announced that affect all versions of the official Git client.

We strongly recommend that you ensure that all users update their Git clients, in addition to upgrading to this GitHub Enterprise release.

More details on these vulnerabilities can be found in the official announcement, and the associated CVEs, CVE-2018-11233 and CVE-2018-11235.

Security Fixes

  • CRITICAL: There was a remote code execution vulnerability that leveraged CVE-2018-11235 during the Pages build process. The Git package has been updated to address the vulnerability in the Pages build process. This fix is also available in GitHub Enterprise 2.13.2 and 2.13.3.
  • GitHub will block pushing malicious Git submodules that could be used to exploit Git clients vulnerable to CVE-2018-11235.
  • User passwords could end up being logged in plain text in the audit log.

Bug Fixes

  • Elasticsearch metrics in the management console metrics dashboards have been fixed.
  • Importing a Subversion repository that was created with an older version of Subversion would fail in specific scenarios.
  • The GitHub Services deprecation warning contained a broken link to the deprecation announcement blog post.
  • Increased performance of the pull request reviewer selection box.
  • Performance of issues and pull requests has been improved by ensuring data is properly cached.
  • Enable marking one search index as primary when there are multiple primary Elasticsearch indexes listed.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Pull request review comments are missing from an import with ghe-migrator.
  • NameID format matching on SAML responses is too strict when the value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes the NameID. (updated 2018-06-25)
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.3 May 22, 2018 Download

Git client vulnerabilities

A number of critical Git security vulnerabilities were recently announced that affect all versions of the official Git client.

We strongly recommend that you ensure that all users update their Git clients, in addition to upgrading to this GitHub Enterprise release.

More details on these vulnerabilities can be found in the official announcement, and the associated CVEs, CVE-2018-11233 and CVE-2018-11235. (updated 2018-05-30)

Security Fixes

  • CRITICAL: There was a remote code execution vulnerability that leveraged CVE-2018-11235 during the Pages build process. The Git package has been updated to address the vulnerability in the Pages build process. This fix is also available in GitHub Enterprise 2.13.2. (updated 2018-05-30)
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The Management Console contained broken links to help documentation.
  • Maintenance mode could be unset while a configuration run was in progress.
  • Viewing a team discussion showed a "You can't perform that action at this time" error at the top of the page.
  • A background job that purges deleted storage objects could cause backups to fail if run whilst a backup was in progress.
  • Restoring a backup to an unconfigured GitHub Enterprise appliance could fail to restore Pages data with a "could not find 3 online voting fileservers" error.
  • Updating branch protections from the API ignored the restricted teams parameter.
  • Exporting a repository didn't include project boards.
  • Performing bulk actions, like labelling, on pull requests would silently fail if issues were disabled.

Changes

  • Add a notice for the upcoming GitHub services deprecation.
  • Admins can see which repositories are using GitHub Services with ghe-legacy-github-services-report.
  • Improve Git rate limit configuration to prevent over-limiting of Git operations.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Pull request review comments are missing from an import with ghe-migrator.
  • NameID format matching on SAML responses is too strict when the value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes the NameID. (updated 2018-06-25)
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.2 May 08, 2018 Download

Security Fixes

  • CRITICAL: There was a remote code execution vulnerability that leveraged CVE-2018-11235 during the Pages build process. The Git package has been updated to address the vulnerability in the Pages build process. (updated 2018-05-30)
  • Packages have been updated to the latest security versions.
  • GitHub App user-to-server tokens generated for site-admins can access the internal GraphQL schema.

Bug Fixes

  • When booted into recovery mode, using ghe-set-password to reset the Management Console password would fail unless the haproxy-internal-proxy service was manually started.
  • collectd.log contained superfluous Elasticsearch plugin warnings.
  • ghe-migrator failed to import a GitHub.com migration archive when a pull request's requested reviewer was not a member of the organization.
  • Commits pushed to a closed pull request were not included when fetching the pull request's tracking branch.

Changes

  • Our unified Git proxy, babeld, now uses the BoringSSL cryptographic library to avoid lock contention issues in Git over SSH connections, which may have been encountered on large and busy appliances.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Pull request review comments are missing from an import with ghe-migrator.
  • We incorrectly show a warning message, "You can't perform this action at this time", on team discussion pages. The message can be safely ignored.
  • On a repository that's been locked for migration using ghe-migrator, project boards are not exported.
  • NameID format matching on SAML responses is too strict when the value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes the NameID. (updated 2018-06-25)
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.1 April 10, 2018 Download

Security Fixes

  • LOW: Changed how certain types of exceptions are handled to prevent sensitive user data from being written to log files.

Bug Fixes

  • Resetting the self signed certificate, either manually or as a result of a hostname or IP change, would fail.
  • Monitoring graphs in the management console can be unavailable when a metrics node is down in a cluster configuration.
  • Updates the support of automatically-managed TLS certificates from Let's Encrypt to request a single-domain certificate when Subdomain Isolation is disabled, and a multi-domain (SAN) certificate when Subdomain Isolation is enabled. A GitHub Enterprise installation will no longer require a wildcard DNS record to use this feature when Subdomain Isolation is disabled.
  • Corrects calculation of hour and day of month for the crontab entry supporting renewals of automatically-managed ACME (Let's Encrypt) TLS certificates.
  • Users may be unable to sign in to GitHub Enterprise via a private GitHub Pages site if subdomain isolation is enabled.
  • After upgrading to 2.13.0, users could lose access to their LDAP mapped teams when LDAP sync was enabled.
  • The dashboard graphs at /dashboards/overview were empty.
  • Generated identicons for GitHub Apps and OAuth Apps responded with a 404 Not Found.
  • LDAP sync could suspend user accounts created with built-in authentication.
  • Pages builds failed when TLS is disabled.

Changes

  • Proportional Set Size (PSS) metric has been added to ghe-diagnostics.
  • Disabled redundant UDP listener in memcached.
  • Updated the ESX image guest identifier to other26xLinux64Guest, which allows provisioning 65-128 virtual CPU cores on VMware.
  • The footer has been updated to display current version of GitHub Enterprise.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Pull request review comments are missing from an import with ghe-migrator.
  • We incorrectly show a warning message, "You can't perform this action at this time", on team discussion pages. The message can be safely ignored. (updated 2018-04-11)
  • On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
  • NameID format matching on SAML responses is too strict when the value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes the NameID. (updated 2018-06-25)
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.13.0 March 27, 2018 Download

Features

Security Fixes

Bug Fixes

  • After a review request had been removed, users could be missing from the pull request reviewers list.
  • The OAuth authorization page did not list the requested organization access for outside collaborators.
  • The milestone:*, milestone:any, and milestone:none search queries were not returning the correct issues or pull requests.
  • From /stafftools, administrators could incorrectly delete user accounts when they were the sole owner of a repository.
  • API search results with an out-of-bounds page query returned an inaccurate prev reference.
  • Organization projects were redundantly imported creating duplicate projects.
  • Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator.

Changes

  • Enterprise Administration API resources require the site_admin scope when authenticating with an access token.
  • An e-mail notification will be sent to users after an addition or removal of an e-mail address.
  • An e-mail notification will be sent to users during a two-factor authentication lockout.
  • An e-mail notification will be sent to users when a two-factor recovery code is used.
  • The original project creator will retain administrative access when transferring owner from /stafftools.
  • Emojis are supported on label names.
  • Label names are required to be 50 characters or fewer. Existing labels will be unchanged but must adhere to the character limit to be updated.
  • Saved replies character limit has been increased to 100 from 50.
  • ghe-org-admin-promote requires the -a flag to give admin privileges to all site administrators in all organizations.
  • New REST API resources have been added.
  • GraphQL API schema has been updated.

Backups and Disaster Recovery

GitHub Enterprise 2.13 requires at least GitHub Enterprise Backup Utilities 2.13.0 for Backups and Disaster Recovery.

Starting with Backup Utilities 2.13.0, version support is in line with the GitHub Enterprise upgrade requirements. As such, support is limited to three versions of GitHub Enterprise: the version that corresponds with the version of Backup Utilities, and the two releases prior to it.

For example, Backup Utilities 2.13.0 can be used to back up and restore all patch releases from 2.11.0 to the latest patch release of GitHub Enterprise 2.13. Backup Utilities 2.14.0 will be released when GitHub Enterprise 2.14.0 is released and will then be used to back up all releases of GitHub Enterprise from 2.12.0 to the latest patch release of GitHub Enterprise 2.14.

Backup Utilities 2.11.4 and earlier offer support for GitHub Enterprise 2.10 and earlier releases.

Upcoming deprecation of Internet Explorer 11 support

Support for Internet Explorer 11 will be deprecated on September 13, 2018. There will be no changes in site functionality, but a warning banner will be displayed to Internet Explorer 11 users.

Upcoming deprecation of VMware ESX 5.5 support

Support for VMware ESX 5.5 will be deprecated on September 19, 2018.

Upcoming deprecation of GitHub Enterprise 2.10

GitHub Enterprise 2.10 will be deprecated as of June 5, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Pull request review comments are missing from an import with ghe-migrator.
  • After upgrading to 2.13.0, users can lose access to their LDAP mapped teams when LDAP sync is enabled. Please contact Enterprise Support to manually work around this issue. (updated 2018-03-28)
  • Pages builds fail when TLS is disabled. (updated 2018-04-03)
  • We incorrectly show a warning message, "You can't perform this action at this time", on team discussion pages. The message can be safely ignored. (updated 2018-04-11)
  • On a repository that's been locked for migration using ghe-migrator, project boards are not exported. (updated 2018-05-07)
  • NameID format matching on SAML responses is too strict when the value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes the NameID. (updated 2018-06-25)
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team