GitHub Enterprise 2.15.20 August 13, 2019

Security Fixes

  • HIGH: An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • MEDIUM: GitHub App permissions could be incorrectly set by the user.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails in certain circumstances.
  • Comparing OAuth Access Tokens returned a 404 Not Found error.
  • Deleting a repository and its projects could delete other owned or accessible projects.
  • When enabling a feature for GitHub Connect resulted in an error, users were not properly notified.

Changes

  • Reduced memory utilization on GitHub Enterprise Server instances.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.

Thanks!

The GitHub Team

GitHub Enterprise 2.15.19 July 23, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Identical node identifiers on high availability replica nodes could prevent configuring or updating high availability replication.
  • Consul did not automatically recover when a node's identity changed unexpectedly.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.

GitHub Enterprise 2.15.18 July 02, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Viewing the profile of a user with a username similar to a common HTML error page, for example 404-html, would display the error page and not the user's profile.
  • Reattaching a forked repository to its parent after changing the visibility would fail for the second and subsequent forks.
  • LFS pushes could fail if a repository admin was suspended.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.

GitHub Enterprise 2.15.17 June 26, 2019

OAuth app authorization bypass

A CRITICAL vulnerability was identified that allows an attacker to authorize an OAuth application on the account of a targeted user without the approval of the targeted user. This would allow an attacker to execute actions on behalf of the targeted user via the authorized OAuth application. The attacker would need to be able to create an OAuth application on the affected GitHub Enterprise Server instance to perform this attack. Additionally, to execute the attack, the targeted user would need to visit an attacker-controlled website.

The affected supported versions are:

  • 2.14.0 - 2.14.23
  • 2.15.0 - 2.15.16
  • 2.16.0 - 2.16.11
  • 2.17.0 - 2.17.2

We strongly recommend upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.14.24, 2.15.17, 2.16.12, 2.17.3, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

This vulnerability was reported through the GitHub Security Bug Bounty program.

Security Fixes

  • CRITICAL: A malicious OAuth application could be authorized on a targeted user's account without requiring user approval, allowing an attacker to execute actions on behalf of the user.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.

GitHub Enterprise 2.15.16 June 19, 2019

Security Fixes

  • MEDIUM: An attacker with direct network access to the server could send a specially crafted sequence of network packets that could cause a kernel panic or slow down the system causing a Denial of Service (DoS). For more information, see the associated CVEs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Internal API data values exceeded internal buffer sizes and caused access from the Git command-line to fail unconditionally for some users or deploy keys.
  • Pre-seeding the initial replica appliance in an HA configuration would result in the failure of the existing primary appliance.
  • The "Learn why" link beside the message "Custom sign-in messages are disabled when SAML authentication is enabled" pointed to a nonexistent help article.
  • GitHub Enterprise incorrectly enforced a version of Backup Utilities that was the same or newer than the precise patch version of GitHub Enterprise.

Changes

  • When pushing a very large number of Git LFS objects to a repository, the "Git LFS Integrity Check" warning message that was returned was confusing, leading users to think something had gone wrong.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.

GitHub Enterprise 2.15.15 June 04, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Using ghe-migrator or exporting from GitHub.com, an export would silently fail to export pull request review comments when a repository was archived.

Changes

  • Adjusted the memcached graph to include the memory "used" in addition to the memory "free".

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • GitHub Enterprise incorrectly enforces a version of Backup Utilities that is the same or newer than the precise patch version of GitHub Enterprise. (updated 2019-06-25)

GitHub Enterprise 2.15.14 May 21, 2019

Security Fixes

  • HIGH: An endpoint in the GitHub API would disclose sensitive user information in its error response. The disclosed information included authentication tokens that could be used to authenticate as unauthorized users. An authenticated user on the instance would need access to the affected API.
  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.

GitHub Enterprise 2.15.13 May 07, 2019

Security Fixes

  • In certain cases, when a user would try to authorize their account through the OAuth web application flow, not all of the requested scopes would appear on the authorization page.

Bug Fixes

  • When using the quote reply feature, ~strikethrough~ text was not preserved and suggested changes were duplicated.
  • Using ghe-migrator, an import would fail if an attachment file was missing from the export archive.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.12 April 23, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • GitHub Connect disconnection messages did not always reflect the enabled features.
  • Password change emails were incorrectly being sent for accounts created on initial LDAP login.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.11 April 09, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Release asset uploads via the Releases API would fail if the asset was larger than 1 GB.
  • The maximum number of allowed connections to the internal HAProxy load balancer could be reached on very large instances, leading to a large backlog of resqued jobs.
  • The package validation performed when upgrading would print the result of an internal check.
  • DNS resolution of appliance hostnames in an HA configuration could time out or return an incorrect IP address.
  • Some pull requests and issues were purged completely when restoring the repository right after deleting it.
  • Links to the security alerts help documentation were incorrect.
  • When creating a new repository, default repository visibility input could have the wrong value selected.

Changes

  • Running ghe-repl-promote will now prompt for confirmation. To promote a replica without confirmation, use the -y flag: ghe-repl-promote -y.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.10 March 26, 2019

Bug Fixes

  • Certain scenarios resulted in a sign out message being displayed incorrectly.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.9 March 13, 2019

Arbitrary file content disclosure vulnerability in GitHub Enterprise Server

A CRITICAL issue was identified in Rails that allows an attacker to send a specially crafted request that could allow arbitrary files to be read and the file content to be disclosed.

The affected supported versions are:

  • 2.13.0 - 2.13.21
  • 2.14.0 - 2.14.15
  • 2.15.0 - 2.15.8
  • 2.16.0 - 2.16.3

All older, no longer supported versions are also affected.

We strongly urge upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.13.22, 2.14.16, 2.15.9, 2.16.4, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

Security Fixes

  • CRITICAL: A specially crafted request could allow arbitrary files to be read and the file content to be disclosed. For more information, see the associated Rails CVE: CVE-2019-5418.
  • HIGH: High CPU usage could be triggered by a specially crafted request, resulting in Denial of Service (DoS). For more information, see the associated Rails CVE: CVE-2019-5419.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Appliance upgrades could time out when updating very large databases.
  • In rare circumstances, a race condition could lead to repository data loss if an automated background maintenance job was triggered during a configuration update.
  • A pull request with a status check that was created by a deleted GitHub App would fail to load and showed a 500 error.
  • A race condition during git operations sometimes caused the default branch to be assigned incorrectly.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.8 February 26, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.7 February 13, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Uploads of some image types could fail when using Git LFS 2.5.0 or newer.
  • The Consul service could fail to start when attaching storage devices configured on other instances.
  • Entries for the babeld.log, gitauth.log, production.log, resqued.log and unicorn.log log files were truncated when forwarded to a central log server.
  • Viewing the global business profile page for organizations with a lot of users could time out.
  • Restoring a backup containing a very large number of deleted repositories could fail with the error "Resource temporarily unavailable".
  • Repositories owned by organizations could not be deleted by organization owners if the Repository deletion and transfer business setting was set to Disabled.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.6 January 29, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Webhooks continued to be delivered via a proxy server after removing the proxy configuration.
  • Successful delivery logs for Webhooks sent through a proxy server were reported as a delivery error if the proxy server inserted additional headers.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.5 January 15, 2019

Bug Fixes

  • Repositories migrated with ghe-migrator were not automatically re-indexed, so they weren't returned in search results until manually re-indexed.
  • The GitHub 2FA user interface was not disabled if an external authentication provider was configured.
  • LFS objects were not reassociated with repositories when the repositories were unarchived.
  • Adding a repository to an organization team via Add or Update team repository as a GitHub App would fail with the error "You must have administrative rights on this repository".
  • Users could encounter a 500 Internal Server Error when viewing a pull request on a repository imported with ghe-migrator that contains references to another pull request the user does not have access to.
  • Creating or modifying Issue Templates on a repository with pre-receive hooks that rejected pushes would fail with a 500 Internal Server error.
  • Listing all repositories of a team, via the user interface or API, that contained one or more disabled repositories would fail with a 500 Internal Server Error.

Changes

  • Searching GitHub.com through GitHub Connect now works with all search prefixes accepted when searching directly in GitHub.com (e.g.: repo:, org:, etc.).
  • Wikis for forked repositories now have the "Restrict access to collaborators" setting enabled by default.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.4 December 11, 2018

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • An Elasticsearch node ID collision could happen when adding a high availability replica that has been part of a high availability replication environment before or has been restored from a backup.
  • A "Hook is now disabled" notice was shown instead of "Hook is now enabled" when enabling a pre-receive hook on either an organization or repository.
  • Some settings available on the /business page were inaccessible when the company name in the license file was composed of multi-byte strings.
  • 404 Not Found errors were shown in the browser console for some script requests when using the code editor.
  • The import of project boards with ghe-migrator failed when the creator of a card on the board no longer exists on the source instance.
  • Migrating a repository with ghe-migrator could lead to an incorrect mapping between links to pull requests and the correct pull requests.
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command failed with an "undefined method 'uniq'" error.
  • Viewing pull requests with deployments imported with ghe-migrator would fail with a 500 Internal Server Error.
  • Invalid search qualifiers for a particular search type were treated as part of the search query and not ignored in GitHub.com searches.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.3 November 27, 2018

Security Fixes

  • CVE-2018-16471 was addressed by updating Rack.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A stale temporary file could prevent an object managed by the Alambic service, which handles binary data such as avatars and image attachments, from syncing to HA or cluster replica nodes.
  • Attempting to save settings in the Management Console incorrectly raised a validation error when an already saved TLS certificate or private key contained bag attributes.
  • Custom DNS resolver settings were reverted during appliance hotpatch upgrades.
  • /var/log/error was not automatically rotated with logrotate and could sometimes use too much disk space.
  • Submitting a comment after clicking the "Start a new conversation" button on a pull request diff raised an error under some circumstances.
  • There was a layout issue with a notice shown to new organization members on the dashboard.
  • Git authentication errors suggested the SSH protocol to the user even if it was disabled.
  • The GitHub App installation settings page always showed the viewer as the one that had installed the App.
  • Complicated rebases within very busy repositories could cause replicas to get out of sync, sometimes leading to transient push errors.
  • The POST /repos/:owner/:repo/pulls REST API endpoint could return a 502 Bad Gateway response due to using suboptimal query indexes.
  • The repository permissions settings for newly created organizations could get stuck in an "Update in progress" state.
  • Pre-receive hook failures were not communicated to the end user when attempting to merge a pull request.
  • The "Unsupported Browser" notice was not correctly shown when an unsupported browser was being used.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails.
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance.
  • Some settings available on the /business page are inaccessible when the company name in the license file is composed of multi-byte strings.
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)

GitHub Enterprise 2.15.2 November 13, 2018

Security Fixes

  • MEDIUM: Rack packages have been updated to address cross-site scripting (XSS) and Denial of Service (DoS) vulnerabilities CVE-2018-16470 and CVE-2018-16471 respectively.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Checking the replication status on a replica during a reboot of the primary could prevent replication for Git pre-receive hooks.
  • When a business had enforced a two-factor authentication policy, business admins could be added even when they didn't have two-factor authentication enabled.
  • Text between a pair of double underscores, such as __init__, was removed in code blocks in MediaWiki-formatted pages.
  • The "Start a new conversation" button on a pull request diff did not work for threads targeting the context of a change rather than an addition or deletion.
  • When creating a new organization, the preview of the resulting organization URL was reset on validation.
  • The BackfillEnterpriseBusinessAdminsAndOrganizationsTransition data transition could fail while running migrations.
  • Under some circumstances, attempting to create a new organization would result in a 422 Unprocessable Entity error.
  • Pre-receive hook target enforcement options did not properly reflect their persisted values.
  • Issue and pull request pages could fail to load if they were referred to by a project the viewer of the issue does not have access to.
  • A user's roles in an organization were represented inconsistently at /stafftools/users/:user/organization_memberships in comparison to user-facing pages.
  • When an invalid admin value was provided to the REST API endpoint to create an organization, an organization without any owners was created rather than a meaningful error message being returned.
  • After signing in, users were sometimes shown the contents of the manifest.json file instead of being redirected to the correct location in the user interface.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Some settings available on the /business page are inaccessible when the company name in the license file is comprised of multi byte strings.
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails. (updated 2018-11-21)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run leading to a growing number of stale workers which in turn could lead to high memory consumption. (updated 2019-05-08)

Errata

  • The issue that some settings available on the /business page are inaccessible when the company name in the license file is comprised of multi byte strings was incorrectly included in the bug fixes section instead of the known issues section. (updated 2019-01-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.15.1 October 30, 2018 Download

Security Fixes

  • The version string presented when using Git over SSH was misleading, causing security scanners to incorrectly report GitHub as vulnerable.

Bug Fixes

  • Installing a hotpatch when replication is not set up displayed a harmless error message: grep: /etc/github/repl-state: No such file or directory.
  • The addition of new GitHub Services was deprecated too early.
  • The App request/response Grafana section did not report any metrics.
  • The page shown to a user when an abuse detection mechanism is triggered contained links only relevant to GitHub.com.
  • Rate limiting was enforced when adding members to organizations.
  • Changing a team member's role would not complete after prompting for authentication.
  • Using ghe-migrator to import a repository including a protected branch which has null in the creator entry failed.
  • Organizations created using the REST API were not listed on the global business profile page.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance.

Changes

  • GitHub Connect settings pages now show the connected GitHub.com organization or user.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The App request/response Grafana section is not reporting any metrics.
  • Creating a new organization may cause a 422 Unprocessable Entity error. (updated 2018-11-03)
  • Some settings available on the /business page are inaccessible when the company name in the license file is comprised of multi byte strings. (updated 2018-11-07)
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails. (updated 2018-11-21)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run leading to a growing number of stale workers which in turn could lead to high memory consumption. (updated 2019-05-08)

Thanks!

The GitHub Team

GitHub Enterprise 2.15.0 October 16, 2018 Download

Features

  • Business administrators can set a policy (enabled, disabled, or no policy) for repository creation, deletion, visibility changes, forking, and permissions across all repositories and organizations.
  • Automatically protect branches with regex patterns.
  • Link repositories for your organization-owned projects to make searching faster and more relevant.
  • Show the issue and pull request details from a project board.
  • Resolve conversations in a pull request review.
  • Sign commits using X.509 certificates and S/MIME signatures.
  • Quote replies or copy permalinks in issue and pull request conversations.
  • Hide off topic, outdated, or resolved comments in issue and pull request conversations.
  • Pushes will be rejected if a Git LFS object hasn't been uploaded properly.
  • The pull request URL is included in the output of git push.
  • Opt-in to the activity overview dashboard to view work across all your organizations and repositories.
  • Clustering environments support an elasticsearch-server in a separate datacenter. (updated 2018-10-29)
  • Wiki, search, and releases pages have been updated to be responsive.
  • The + and - diff markers are no longer copied to your clipboard when copying content from a diff.
  • Remove files directly from a pull request.
  • Permalinked comments will be highlighted for easier discovery.
  • Use a keyboard shortcut (e.g., ⌘ shift enter) to leave a pull request review comment.
  • Collapse all diffs by holding alt and clicking the inverted caret icon in any file header.
  • Edit a repository's README.md directly from the repository's root page.
  • After pushing the changes, quickly create a pull request from the pull requests or code tab.
  • Add members directly from the team discussion page using the + button.

Security Fixes

  • HIGH: LDAP users could authenticate as another user because GitHub Enterprise incorrectly encoded whitespace in the relative distinguished name (RDN).
  • LOW: The issues API could disclose private organization membership status. The organization membership information now requires the repo or read:org scope.
  • The git package has been updated to detect malicious Git submodules that could be used to exploit CVE-2018-17456.
  • Packages have been updated to the latest security versions.
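
The LDAP fix above turns on how whitespace in an RDN is encoded. The following is an added example, not GitHub Enterprise's LDAP code: it escapes RDN values per RFC 4514, models a lenient directory parser that treats unescaped leading and trailing spaces as insignificant (an assumption used to show the collision), and shows the lookup pattern that sidesteps the problem by searching with an RFC 4515 escaped filter and binding with the DN the directory returns. BASE_DN, the attribute names and the sample usernames are constructed for the example.

```python
"""Added example (not GitHub Enterprise's code): why the whitespace in an LDAP
RDN has to be escaped, and the lookup pattern that avoids building a DN from
user input at all. BASE_DN, the attribute names and the sample usernames are
constructed for this example.
"""

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 s2.4).
_DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}
_HEX = '0123456789abcdefABCDEF'

BASE_DN = "ou=people,dc=example,dc=com"   # constructed for the example


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for a DN string per RFC 4514: special
    characters, a leading '#', and leading or trailing spaces get a backslash;
    control characters become \\XX hex escapes."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ord(ch) < 0x20 or ch == '\x7f':
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def parse_rdn_value(raw: str) -> str:
    """Decode an RDN value the way a lenient directory parser does (assumed
    behaviour for this example): unescaped leading/trailing spaces are dropped
    as insignificant, backslash escapes are honoured."""
    s = raw.lstrip(' ')
    while s.endswith(' ') and not s.endswith('\\ '):
        s = s[:-1]
    out, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch == '\\' and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt in _DN_SPECIAL or nxt in ' #':
                out.append(nxt)
                i += 2
                continue
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
        out.append(ch)
        i += 1
    return ''.join(out)


def first_rdn_value(dn: str) -> str:
    """Decoded value of the leftmost RDN (split at the first unescaped comma)."""
    i, esc = 0, False
    while i < len(dn) and (esc or dn[i] != ','):
        esc = dn[i] == '\\' and not esc
        i += 1
    return parse_rdn_value(dn[:i].split('=', 1)[1])


def naive_user_dn(username: str) -> str:
    """Unsafe: interpolates the raw username into the RDN. ' alice' and
    'alice' then produce DNs a lenient parser resolves to the same entry."""
    return f"uid={username},{BASE_DN}"


def escaped_user_dn(username: str) -> str:
    """Safe: the leading space survives as '\\ ', so the DNs stay distinct."""
    return f"uid={escape_dn_value(username)},{BASE_DN}"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for search-filter values: '*', '(', ')', '\\' and
    control characters become \\xx hex escapes."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\' or ord(c) < 0x20 else c
                   for c in value)


def user_search_filter(username: str) -> str:
    """Preferred pattern: search by attribute with an escaped filter and bind
    with the DN the directory returns, instead of constructing the bind DN."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def collision_demo() -> dict:
    """Does ' alice' collide with 'alice' under each DN-building strategy?"""
    return {
        "naive_collides": first_rdn_value(naive_user_dn(" alice"))
        == first_rdn_value(naive_user_dn("alice")),
        "escaped_collides": first_rdn_value(escaped_user_dn(" alice"))
        == first_rdn_value(escaped_user_dn("alice")),
    }


if __name__ == "__main__":
    print(collision_demo())
    print(user_search_filter(" alice*"))
```

The practical takeaway is the last pattern: an authentication path that never interpolates the supplied username into a DN, but searches for it with an escaped filter and binds with whatever DN the directory returns, is not sensitive to how the server normalizes whitespace.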

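The CVE-2018-17456 item refers to .gitmodules entries whose url begins with a dash: a recursive clone spawns a child git clone per submodule, and a value such as -u<prog> is parsed by that child as --upload-pack=<prog> rather than as a URL. The following is an added example, not Git's fsck check or GitHub Enterprise's implementation: a small .gitmodules parser and a check that rejects url or path values starting with '-', run over constructed sample content.

```python
"""Added example (not Git's fsck code or GitHub Enterprise's): a server-side
check for the .gitmodules shape behind CVE-2018-17456, where a submodule url
beginning with '-' is parsed as an option by the child 'git clone' that a
recursive clone spawns. The sample .gitmodules text is constructed."""
import re

_SECTION_RE = re.compile(r'^\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
_KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

# Constructed sample: one benign entry and one whose url is really an option
# ('-u<prog>' is git clone's short form of '--upload-pack=<prog>').
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://git.example.com/libfoo.git
[submodule "evil"]
\tpath = vendor/evil
\turl = -u./run-me
"""


def parse_gitmodules(text: str) -> dict:
    """Minimal parser for the git-config style .gitmodules file:
    {submodule_name: {key: value}}. Keys are case-insensitive in git config,
    so they are lower-cased; '#'/';' comment lines and blank lines are skipped.
    Trailing inline comments are not handled (kept simple for the example)."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[m.group(1).lower()] = value
    return modules


def looks_like_option(value: str) -> bool:
    """A value starting with '-' would be taken as a flag by a child git
    process; git's own fsck check for submodule URLs applies the same test."""
    return value.startswith('-')


def find_dangerous_submodules(text: str) -> list:
    """Return (name, key, value) for every submodule url or path that starts
    with '-'. Both fields are checked: url because of CVE-2018-17456, path as
    the same class of argument injection."""
    bad = []
    for name, entries in parse_gitmodules(text).items():
        for key in ('url', 'path'):
            value = entries.get(key)
            if value is not None and looks_like_option(value):
                bad.append((name, key, value))
    return bad


if __name__ == "__main__":
    for name, key, value in find_dangerous_submodules(SAMPLE_GITMODULES):
        print(f"reject: submodule {name!r} has {key} = {value!r}")
```

In a pre-receive hook the input would be the .gitmodules blob of each pushed commit (git cat-file -p <commit>:.gitmodules). With a Git build that carries the fix, enabling receive.fsckObjects on the server makes fsck perform the equivalent check itself and report offending entries as gitmodulesUrl.
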
Bug Fixes

  • The access control list (ACL) of configuration files transferred to replica nodes could be lost when configuring High Availability replication.
  • ghe-config-apply contained innocuous and misleading error messages about WARNING: Setting ES auto_expand_replicas failed.
  • The Grafana monitor dashboard truncated background jobs in the graph's legend.
  • Scheduling maintenance mode could cause a 500 Internal Server Error.
  • Pull request review requests weren't satisfied if a member of a subteam completed the review.
  • Healthcheck requests from the provider (i.e., AWS, Azure, or GCP) were blocked.
  • Users could get stuck choosing where to fork and be shown an indefinite spinning icon.

Changes

  • The osqueryi utility has been added to the GitHub Enterprise environment.
  • The diff lines are omitted for file deletions.
  • Collapsed review threads are requested and loaded when uncollapsing the view.
  • The agilezen, boxcar, codeportingcsharp2java, coffeedocinfo, coop, cube, distiller, hall, honbu, loggly, masterbranch, nma, notifymyandroid, pushalot, swiggle, stormpath, trajector, visualops, and yammer GitHub services have been deprecated.
  • New REST API resources have been added.
  • GraphQL API schema has been updated.
  • New webhook events have been added.
  • GitHub Apps has been updated to access more API resources and GraphQL queries.
  • GitHub Enterprise is now available in Azure Government. (updated 2018-10-18)

Backups and Disaster Recovery

GitHub Enterprise 2.15 requires at least GitHub Enterprise Backup Utilities 2.15.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Enterprise 2.12

GitHub Enterprise 2.12 will be deprecated as of December 12, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Services

Starting with GitHub Enterprise 2.17.0, support for GitHub Services will be deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise will continue to function but GitHub Enterprise will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner will be displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with ghe-legacy-github-services-report.

Upcoming deprecation of Internet Explorer 11 support

Internet Explorer 11 is still supported in GitHub Enterprise 2.15.0. Support for Internet Explorer 11 will be deprecated in the next feature release, 2.16.0. (updated 2018-11-22)

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • The App request/response Grafana section is not reporting any metrics.
  • The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
  • Creating a new organization may cause a 422 Unprocessable Entity error. (updated 2018-11-03)
  • Some settings available on the /business page are inaccessible when the company name in the license file is comprised of multi byte strings. (updated 2018-11-07)
  • Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails. (updated 2018-11-21)
  • The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
  • Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
  • Resque workers may not be cleaned up following a configuration run leading to a growing number of stale workers which in turn could lead to high memory consumption. (updated 2019-05-08)

Errata

  • elasticsearch-server was added as part of preliminary work needed for Elasticsearch indices replication under cluster disaster recovery. This update does not affect any instance of GitHub Enterprise at this time. (updated 2018-10-29)

Thanks!

The GitHub Team