GitHub Enterprise 2.15.4 December 11, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • An Elasticsearch node ID collision could happen when adding a high availability replica that has been part of a high availability replication environment before or has been restored from a backup.
  • A "Hook is now disabled" notice was shown instead of "Hook is now enabled" when enabling a pre-receive hook on either an organization or repository.
  • Some settings available on the /business page were inaccessible when the company name in the license file consisted of multi-byte strings.
  • 404 Not Found errors were shown in the browser console for some script requests when using the code editor.
  • The import of project boards with ghe-migrator failed when the creator of a card on the board no longer exists on the source instance.
  • Migrating a repository with ghe-migrator could lead to an incorrect mapping between links to pull requests and the correct pull requests.
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command failed with an "undefined method 'uniq'" error.
  • Viewing pull requests with deployments imported with ghe-migrator would fail with a 500 Internal Server Error.
  • Invalid search qualifiers for a particular search type were treated as part of the search query and not ignored in GitHub.com searches.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

Thanks!

The GitHub Team

GitHub Enterprise 2.15.3 November 27, 2018

Security Fixes

  • CVE-2018-16471 was addressed by updating Rack.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A stale temporary file could prevent an object managed by the Alambic service, which handles binary data such as avatars and image attachments, from syncing to HA or cluster replica nodes.
  • Attempting to save settings in the Management Console incorrectly raised a validation error when an already saved TLS certificate or private key contains bag attributes.
  • Custom DNS resolver settings were reverted during appliance hotpatch upgrades.
  • /var/log/error was not automatically rotated with logrotate and could sometimes use too much disk space.
  • Submitting a comment after clicking the "Start a new conversation" button on a pull request diff raised an error under some circumstances.
  • There was a layout issue with a notice shown to new organization members on the dashboard.
  • Git authentication errors suggested the SSH protocol to the user even if it was disabled.
  • The GitHub App installation settings page always showed the viewer as the one that had installed the App.
  • Complicated rebases within very busy repositories could cause replicas to get out of sync, sometimes leading to transient push errors.
  • The POST /repos/:owner/:repo/pulls REST API endpoint could return a 502 Bad Gateway response due to using suboptimal query indexes.
  • The repository permissions settings for newly created organizations could get stuck in an "Update in progress" state.
  • Pre-receive hook failures were not communicated to the end user when attempting to merge a pull request.
  • The "Unsupported Browser" notice was not correctly shown when an unsupported browser was being used.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance.

Thanks!

The GitHub Team

GitHub Enterprise 2.15.2 November 13, 2018

Security Fixes

  • MEDIUM: Rack packages have been updated to address cross-site scripting (XSS) and Denial of Service (DoS) vulnerabilities CVE-2018-16470 and CVE-2018-16471 respectively.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Checking the replication status on a replica during a reboot of the primary could prevent replication for Git pre-receive hooks.
  • When a business had enforced a two-factor authentication policy, business admins were able to be added when they didn't have two-factor authentication enabled.
  • Text between a pair of double underscores, such as __init__, was removed in code blocks in MediaWiki-formatted pages.
  • The "Start a new conversation" button on a pull request diff did not work for threads targeting the context of a change rather than an addition or deletion.
  • When creating a new organization, the preview of the resulting organization URL was reset on validation.
  • The BackfillEnterpriseBusinessAdminsAndOrganizationsTransition data transition could fail while running migrations.
  • Under some circumstances, attempting to create a new organization would result in a 422 Unprocessable Entity error.
  • Pre-receive hook target enforcement options did not properly reflect their persisted values.
  • Issue and pull request pages could fail to load if they were referred to by a project the viewer of the issue does not have access to.
  • A user's roles in an organization were represented inconsistently at /stafftools/users/:user/organization_memberships in comparison to user-facing pages.
  • When an invalid admin value was provided to the REST API endpoint to create an organization, an organization without any owners was created rather than a meaningful error message being returned.
  • Some settings available on the /business page were inaccessible when the company name in the license file consisted of multi-byte strings.
  • After signing in, users were sometimes shown the contents of the manifest.json file instead of being redirected to the correct location in the user interface.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails. (updated 2018-11-21)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.15.1 October 30, 2018

Security Fixes

  • The version string presented when using Git over SSH was misleading, causing security scanners to incorrectly report GitHub as vulnerable.

Bug Fixes

  • Installing a hotpatch when replication is not set up displayed a harmless error message: grep: /etc/github/repl-state: No such file or directory.
  • The addition of new GitHub Services was deprecated too early.
  • The App request/response Grafana section did not report any metrics.
  • The page shown to a user when an abuse detection mechanism is triggered contained links only relevant to GitHub.com.
  • Rate limiting was enforced when adding members to organizations.
  • Changing a team member's role would not complete after prompting for authentication.
  • Using ghe-migrator to import a repository including a protected branch which has null in the creator entry failed.
  • Organizations created using the REST API were not listed on the global business profile page.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance.

Changes

  • GitHub Connect settings pages now show the connected GitHub.com organization or user.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The App request/response Grafana section is not reporting any metrics.
  • Creating a new organization may cause a 422 Unprocessable Entity error. (updated 2018-11-03)
  • Some settings may become inaccessible when the company name in the license file consists of multi-byte strings. (updated 2018-11-7)
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails. (updated 2018-11-21)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.15.0 October 16, 2018

Features

  • Business administrators can enable, disable, or set no policy for repository creation, deletion, visibility change, forking, and permissions across all repositories and organizations.
  • Automatically protect branches with regex patterns.
  • Link repositories for your organization-owned projects to make searching faster and more relevant.
  • Show the issue and pull request details from a project board.
  • Resolve conversations in a pull request review.
  • Sign commits using X.509 certificates and S/MIME signatures.
  • Quote replies or copy permalinks in issue and pull request conversations.
  • Hide off topic, outdated, or resolved comments in issue and pull request conversations.
  • Pushes will be rejected if a Git LFS object hasn't been uploaded properly.
  • Pull request URL is included in the output of a git push.
  • Opt-in to the activity overview dashboard to view work across all your organizations and repositories.
  • Clustering environments support an elasticsearch-server in a separate datacenter. (updated 2018-10-29)
  • Wiki, search, and releases pages have been updated to be responsive.
  • The + and - diff markers are no longer copied to your clipboard when copying content from a diff.
  • Remove files directly from a pull request.
  • Permalinked comments will be highlighted for easier discovery.
  • Use a keyboard shortcut (e.g., ⌘ shift enter) to leave a pull request review comment.
  • Collapse all diffs by using the alt shortcut and clicking the inverted caret icon in any file header.
  • Edit a repository's README.md directly from the repository's root page.
  • After pushing the changes, quickly create a pull request from the pull requests or code tab.
  • Add members directly from the team discussion page using the + button.

Security Fixes

  • HIGH: LDAP users could authenticate as another user because GitHub Enterprise was incorrectly encoding whitespace from the relative distinguished name (RDN).
  • LOW: The issues API could disclose private organization membership status. The organization membership information now requires the repo or read:org scope.
  • The git package has been updated to detect malicious Git submodules that could be used to exploit CVE-2018-17456.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The access control list (ACL) of configuration files transferred to replica nodes could be lost when configuring High Availability replication.
  • ghe-config-apply contained innocuous and misleading error messages about WARNING: Setting ES auto_expand_replicas failed.
  • The Grafana monitor dashboard truncated background jobs in the graph's legend.
  • Scheduling maintenance mode could cause a 500 Internal Server Error.
  • Pull request review requests weren't satisfied if a member of a subteam completed the review.
  • Healthcheck requests from the provider (i.e., AWS, Azure, or GCP) were blocked.
  • Users could get stuck choosing where to fork and be shown an indefinite spinning icon.

Changes

  • The osqueryi utility has been added to the GitHub Enterprise environment.
  • The diff lines are omitted for file deletions.
  • Collapsed review threads are requested and loaded when uncollapsing the view.
  • The agilezen, boxcar, codeportingcsharp2java, coffeedocinfo, coop, cube, distiller, hall, honbu, loggly, masterbranch, nma, notifymyandroid, pushalot, swiggle, stormpath, trajector, visualops, and yammer GitHub services have been deprecated.
  • New REST API resources have been added.
  • GraphQL API schema has been updated.
  • New webhook events have been added.
  • GitHub Apps has been updated to access more API resources and GraphQL queries.
  • GitHub Enterprise is now available in Azure Government. (updated 2018-10-18)

Backups and Disaster Recovery

GitHub Enterprise 2.15 requires at least GitHub Enterprise Backup Utilities 2.15.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Enterprise 2.12

GitHub Enterprise 2.12 will be deprecated as of December 12, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Services

Starting with GitHub Enterprise 2.17.0, support for GitHub Services will be deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise will continue to function but GitHub Enterprise will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner will be displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with ghe-legacy-github-services-report.

Upcoming deprecation of Internet Explorer 11 support

Support for Internet Explorer 11 has been deprecated as of GitHub Enterprise 2.15.0. Internet Explorer is still supported in GitHub Enterprise 2.15.0. Support for Internet Explorer 11 will be deprecated in the next feature release, 2.16.0. (updated 2018-11-22)

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The App request/response Grafana section is not reporting any metrics.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • Creating a new organization may cause a 422 Unprocessable Entity error. (updated 2018-11-03)
  • Some settings may become inaccessible when the company name in the license file consists of multi-byte strings. (updated 2018-11-7)
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails. (updated 2018-11-21)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Errata

  • elasticsearch-server was added as part of preliminary work needed for Elasticsearch indices replication under cluster disaster recovery. This update does not affect any instance of GitHub Enterprise at this time. (updated 2018-10-29)

Thanks!

The GitHub Team