GitHub Enterprise 2.16.6 April 09, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Release assets uploaded via the Releases API would fail if the asset is larger than 1GB.
  • The package validation performed when upgrading would print the result of an internal check.
  • The maximum number of allowed connections to the internal HAProxy load balancer could be reached on very large instances, leading to a large backlog of resqued jobs.
  • DNS resolution of appliance hostnames in an HA configuration could time out or return an incorrect IP address.
  • Some pull requests and issues were purged completely when restoring the repository right after deleting it.
  • When creating a new repository, default repository visibility input could have the wrong value selected.
  • Links to the security alerts help documentation were incorrect.

Changes

  • Running ghe-repl-promote will now prompt for confirmation. To promote a replica without confirmation, use the -y flag: ghe-repl-promote -y.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.16.5 March 26, 2019

Bug Fixes

  • Certain high throughput conditions caused MySQL to consume a large amount of CPU time.
  • Certain scenarios resulted in a sign out message being displayed incorrectly.
  • Inefficient connection handling for an internal service created unnecessary log entries and in extreme cases could lead to a service outage.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it.

Thanks!

The GitHub Team

GitHub Enterprise 2.16.4 March 13, 2019

Arbitrary file content disclosure vulnerability in GitHub Enterprise Server

A CRITICAL issue was identified in Rails that allows an attacker to send a specially crafted request that could allow arbitrary files to be read and the file content to be disclosed.

The affected supported versions are:

  • 2.13.0 - 2.13.21
  • 2.14.0 - 2.14.15
  • 2.15.0 - 2.15.8
  • 2.16.0 - 2.16.3

All older, no longer supported versions are also affected.

We strongly urge upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.13.22, 2.14.16, 2.15.9, 2.16.4, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.
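To turn the affected ranges above into a repeatable check, here is an added example (not GitHub's own code) that classifies a GitHub Enterprise Server version string against the ranges and first patched releases listed in this note; the only assumption is that the input contains an x.y.z version number.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Affected ranges and first patched release per series, taken from this
# 2.16.4 release note (CVE-2019-5418 / CVE-2019-5419).
AFFECTED_SERIES = [
    ((2, 13, 0), (2, 13, 21), (2, 13, 22)),
    ((2, 14, 0), (2, 14, 15), (2, 14, 16)),
    ((2, 15, 0), (2, 15, 8), (2, 15, 9)),
    ((2, 16, 0), (2, 16, 3), (2, 16, 4)),
]
LATEST_FIXED = (2, 16, 4)  # target for series the note calls unsupported


def parse_version(text: str) -> Version:
    """Extract the first x.y.z version from free text (banner, release name, etc.)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(text: str) -> dict:
    """Classify a GHES version against the advisory's affected ranges."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_SERIES:
        if v[:2] == low[:2]:  # same minor series, e.g. 2.16.x
            if v <= high:
                return {"version": fmt(v), "status": "affected", "upgrade_to": fmt(fixed)}
            return {"version": fmt(v), "status": "fixed", "upgrade_to": None}
    if v < AFFECTED_SERIES[0][0]:
        # The note states all older, unsupported versions are affected too.
        return {"version": fmt(v), "status": "affected", "upgrade_to": fmt(LATEST_FIXED)}
    # Newer than any series this note covers; it makes no claim about these.
    return {"version": fmt(v), "status": "not_covered", "upgrade_to": None}


if __name__ == "__main__":
    for sample in ("2.16.3", "2.16.4", "2.13.21", "2.12.9", "2.17.0"):
        print(assess(sample))
```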

Security Fixes

  • CRITICAL: A specially crafted request could allow arbitrary files to be read and the file content to be disclosed. For more information see the associated Rails CVE: CVE-2019-5418.
  • HIGH: High CPU usage could be triggered by a specially crafted request resulting in Denial of Service (DoS). For more information see the associated Rails CVE: CVE-2019-5419.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Repository pushes could fail to register in a cluster environment when a node was marked as offline.
  • Appliance upgrades could time out when updating very large databases.
  • In rare circumstances, a race condition could lead to repository data loss if an automated background maintenance job was triggered during a configuration update.
  • Files couldn't be deleted via the web editor.
  • LFS pushes could fail if a repository admin was suspended.
  • With private mode disabled, the "Explore" menu shown when signed out included a "Collections" link.
  • A race condition during git operations sometimes caused the default branch to be assigned incorrectly.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.16.3 February 26, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The "Ignore whitespace changes" option was not honoured with progressively loaded diffs.
  • The custom sign out message was displayed on the sign in page in certain situations.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.16.2 February 13, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Uploads of some image types could fail when using Git LFS 2.5.0 or newer.
  • Entries for the babeld.log, gitauth.log, production.log, resqued.log and unicorn.log log files were truncated when forwarded to a central log server.
  • Stricter REST API validation was prematurely enabled. As a result, API requests that previously succeeded may have been rejected with a 422 Unprocessable Entity response.
  • Viewing the global business profile page for organizations with a lot of users could time out.
  • Restoring a backup containing a very large number of deleted repositories could fail with the error "Resource temporarily unavailable".
  • Repositories owned by organizations could not be deleted by organization owners if the Repository deletion and transfer business setting was set to Disabled.
  • Repository pages with a lot of tags and branches could take a very long time to load.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.16.1 January 29, 2019

Security Fixes

  • MEDIUM: A race condition allowed a malicious GitHub App integrator to gain escalated user privileges by quickly updating their App's permissions during the OAuth flow.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Webhooks continued to be delivered via a proxy server after removing the proxy configuration.
  • Background jobs for the Content Attachments API used by GitHub Apps were not processed and as a result context information was not shown.
  • Successful delivery logs for Webhooks sent through a proxy server were reported as a delivery error if the proxy server inserted additional headers.
  • The migrations that are run while upgrading to GitHub Enterprise Server 2.16.0 could log "Column cache_version_number cannot be null" errors to /var/log/github/exceptions.log.

Changes

  • Site admins can no longer create GitHub Apps and OAuth apps that start with the reserved words github or gist.

Known Issues

  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Stricter REST API validation has been prematurely enabled. As a result, API requests that previously succeeded may be rejected with a 422 Unprocessable Entity response. (updated 2019-02-01)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team

GitHub Enterprise 2.16.0 January 22, 2019

Features

  • The Deployments API includes new states. Deployments API integrates with GitHub Flow. (updated: 2019-04-02)
  • Integrator links can be expanded with relevant details in the context of GitHub comments via API.
  • Only pull request authors or users with write access to the repository can resolve conversations.
  • Repository administrators can delete issues.
  • Users can subscribe to only receive repository notifications for releases.
  • Organization administrators can control whether users can create public, private, or no repositories.
  • A timeline event is shown when users force push to a branch.
  • Users can filter pull requests by file type or hide deleted files.
  • Repository administrators can transfer an issue to another repository where the administrator also has repository administration privileges. (updated: 2019-04-08)
  • ‘Allow members to invite external collaborators’ setting added to Organization Settings page.
  • Pull request reviews automatically update the merge button.
  • 2-up image diffs will now also display file size alongside the width and height data.
  • When hovering over the status of a commit in a pull request's timeline, the full details for that status are displayed in a popover.
  • When searching from a user profile page users have the option to search by "this user".
  • Users can pre-fill values in the new Release form fields using URL query parameters.
  • Filtering files in a pull request by file type.
  • Bookmark any notification to move it into a prioritized list called Saved for Later.
  • When writing a comment with -1 or +1, GitHub suggests leaving a reaction.
  • Maintainers can add more template automation in the form of a default title, labels, and assignees.
  • When a user clicks the "Fork" button on a repository that has been already forked, the user's existing forks are listed.
  • Create and upload files to empty repositories.

Bug Fixes

  • The native browser tooltip overlaid the GitHub custom tooltip when a commit message contained Closes #issue text.
  • The repository selection radio button and dropdown selection could be hidden when installing a GitHub App.

Changes

  • Recent changes to a project board will be highlighted since a user's last visit.
  • When viewing recent activity on a personal dashboard, timestamps will include a deep link to the most recent comment.
  • The owner dropdown is highlighted first on the "Create a new repository" page.
  • The keyboard shortcuts help dialog modal has been redesigned.
  • Comments are only outdated when the line the comment is related to changes.
  • New installs of Enterprise Server will use GitHub's NTP server pool by default and the upgrade package will change old default servers to the new NTP pool.

Backups and Disaster Recovery

GitHub Enterprise Server 2.16 requires at least GitHub Enterprise Backup Utilities 2.16.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Enterprise Server 2.13

GitHub Enterprise Server 2.13 will be deprecated as of March 27, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Upcoming deprecation of GitHub Services

Starting with GitHub Enterprise Server 2.17.0, support for GitHub Services will be deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise Server will continue to function but GitHub Enterprise Server will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner will be displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with ghe-legacy-github-services-report.

Deprecation of Internet Explorer 11 Support

Starting with GitHub Enterprise Server 2.16.0, Internet Explorer 11 is no longer a supported browser. See a current list of supported browsers on this page.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Stricter REST API validation has been prematurely enabled. As a result, API requests that previously succeeded may be rejected with a 422 Unprocessable Entity response. (updated 2019-02-01)
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
  • Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Errata

  • The ability for repository administrators to transfer an issue to another repository is not included in GitHub Enterprise Server 2.16.0.

Thanks!

The GitHub Team