GitHub Enterprise Server 2.17.25 May 19, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Restoring the membership of a user to an organization did not instrument the actor in webhook and audit log payloads.

Upcoming deprecation of GitHub Enterprise Server 2.17

GitHub Enterprise Server 2.17 will be deprecated as of May 23, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.24 May 05, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • When an organization member was reinstated, the webhook payload reported the ghost user as the sender and not the actual user performing the reinstatement.
  • The garbage collection of temporary files could lead to a license validation error.

Upcoming deprecation of GitHub Enterprise Server 2.17

GitHub Enterprise Server 2.17 will be deprecated as of May 23, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.23 April 23, 2020

Security Fixes

  • HIGH: OpenSSL has been updated to address CVE-2020-1967.
  • HIGH: Git has been updated to address CVE-2020-5260 and CVE-2020-11008. New restrictions prevent malicious repositories from being pushed to the server instance, protecting clients which have not yet been patched.
  • LOW: ImageMagick has been updated to address CVE-2019-10131.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A mismatch in MySQL configurations could cause backups to fail in large installations.
  • A periodic task to clean up old log files would fail and send error messages to the local root account.
  • The recovery console would prompt for a root password, even if the root account was locked.
  • When a GitHub Enterprise Server license contained non-ASCII characters, a GET request to the Management Console API /setup/api/settings endpoint would result in an Internal Server Error.
  • When using the GraphQL API to filter issues assigned to a non-existent user, the error message returned was not descriptive enough.
  • A CODEOWNERS file with a leading UTF-8 Byte Order Mark would cause all codeowner rules to be ignored.

Changes

  • When an external identity provider controlled a user's site administrator status, users could not be demoted via the command-line utility.

Upcoming deprecation of GitHub Enterprise Server 2.17

GitHub Enterprise Server 2.17 will be deprecated as of May 23, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.22 April 07, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The hotpatch mechanism did not properly handle the case where extracted patch contents were no longer present on the filesystem.
  • A maximum Git object size of 100MB option could not be selected for a repository when the global enterprise account had a Git object size option other than 100MB set.
  • Results from the Issues and Pull Requests API could have inconsistent behaviour when ordering by the updated_at field.
  • The SecurityVulnerability package field could not be queried via the GraphQL API.

Upcoming deprecation of GitHub Enterprise Server 2.17

GitHub Enterprise Server 2.17 will be deprecated as of May 23, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.21 March 25, 2020

Bug Fixes

  • SAML Authentication requests and Metadata were not strictly encoded, causing some Identity Providers to not correctly process Service Provider initiated Authentication requests.
  • When using GitHub Connect, the GHES license sync process sent information that was not required.
  • ghe-migrator exports did not contain milestone users, which could break import operations.

Upcoming deprecation of GitHub Enterprise Server 2.17

GitHub Enterprise Server 2.17 will be deprecated as of May 23, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.20 March 10, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In some cases, forwarded log entries (mainly for audit.log) were truncated.
  • The ghe-license-check command-line utility returned an "Invalid license file" error for some valid licenses, causing configuration changes to fail.
  • Alambic exception logs were not forwarded by syslog.
  • The org_block event is not available on GitHub Enterprise Server, but it was appearing for GitHub Apps.
  • GraphQL query responses sometimes returned unmatched node identifiers for ProtectedBranch objects.
  • The GitHub App credential used by GitHub Connect failed to refresh immediately after expiry.
  • When using ghe-migrator or exporting from GitHub.com, an export would silently omit non-image attachments.
  • Pre-receive hooks returned a 500 error in the web UI when UTF-8 characters were encountered.
  • Signing out in Chrome took 30+ seconds when using a non-incognito browser window.
  • Leaving a comment in reply to a pull request comment was intermittently creating a pending pull request review.

Changes

  • The ghe-license-usage command-line utility includes a new --unencrypted option to provide visibility into the exported license usage file.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.19 February 27, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.18 February 11, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The Dependency Graph for Python repositories failed to update.
  • The GITHUB_REPO_PUBLIC environment variable passed to pre-receive hooks could be empty.

Changes

  • Improved formatting of the example output of blocked Subversion access on the Admin Center repository Subversion management page.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.17 January 28, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Obtaining a Let's Encrypt certificate via Enterprise Manage would fail to install the certificate.
  • Support bundle generation wasn't possible when Consul was unavailable.
  • Service startup wouldn't wait for the MySQL database to accept connections.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.16 January 15, 2020

Security Fixes

Bug Fixes

  • The root disk utilization graph in the Management Console was missing on AWS Nitro instance types.
  • The Alambic storage service could hit a file descriptor limit that could cause the kernel to hang and other services to log errors.
  • Importing teams that contain nested teams with secret visibility could fail. Nested teams are now imported as top-level teams if they are imported as children of a team with secret visibility.
  • When a repository was locked, users could still directly visit pull request URLs and modify the reviewers.
  • A team created via the API V3 would not automatically add its creator as a maintainer, which caused it to be inaccessible to that person.
  • A GitHub App with the proper set of permissions was not able to create teams with LDAP.
  • The DNS resolution for GitHub Connect could timeout.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.15 December 17, 2019

Security Fixes

  • MEDIUM: An attacker could push a malicious GitHub Pages branch with overlapping submodule names, possibly leading to remote code execution within the GitHub Pages build container. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. CVE-2019-1387
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Unknown locales were generating errors when running commands in the administrative shell.
  • ghe-config-check was returning validation errors for github-ssl.acme.ca-conf and syslog.cert.
  • The Let's Encrypt certificate registration feature consistently failed following an update to the external API.
  • Upgrades could fail due to a missing SQL table.
  • Commit objects could be lost in some cases if an update of a replica failed and a repair operation was then run.
  • A GraphQL query to retrieve the additions and deletions for a changed binary file returned a 500 error.
  • Audit log did not include some entries when changing protected branches settings.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.14 December 03, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Graphs for some metrics in the Management Console 'Monitor' page were displaying data in the reverse of the expected order.
  • Backups of GitHub Enterprise Server clusters could intermittently fail due to duplicated Gist repository references.
  • Transient, non-fatal errors returned from external LDAP servers during team synchronization operations could cause the incorrect removal of team members.

Changes

  • Background job queues have been re-ordered to reduce the chances of user-visible jobs being delayed on very busy instances.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • The Let's Encrypt certificate registration feature consistently fails following an update to the external API.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.13 November 20, 2019

Security Fixes

  • HIGH: The legacy avatar upgrade functionality was vulnerable to a Server-Side Request Forgery (SSRF) vulnerability when fetching image content from third-party avatar services. This could allow an attacker to make GET requests to internal services reachable from the GitHub Enterprise deployment.
  • LOW: The script-src: 'unsafe-inline' CSP header was applied to all paths for Enterprise Manager.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Promoting a replica in an active HA environment could fail to properly apply configuration changes and remove a pre-flight check holding page.
  • In certain cluster configurations, background jobs were unable to communicate with local storage services.
  • MySQL replication lag could rise significantly on high traffic instances during times of peak user activity.

Changes

  • The Google Accounts Daemon and google_set_hostname DHCP hook are now disabled on Google Cloud Platform images.
  • GitHub Enterprise Server is now available in the eu-north-1 AWS region.
  • MySQL database seeding progress is reported during replication setup and recorded in the configuration log.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When using Let's Encrypt with a new installation, an error can occur when creating a new Let's Encrypt account.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.12 November 05, 2019

Security Fixes

  • MEDIUM: The repository import functionality was vulnerable to a Server-Side Request Forgery (SSRF) issue when importing TFS repositories.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The storage objects were incorrectly deleted from non-voting replicas.
  • In some cases systemd would fail to start services after a reboot.
  • Submitting the form to request to change a team's parent team with an empty value caused an error.
  • Unsubscribe email notification language was inconsistent with the language used in the web interface.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.11 October 23, 2019

Security Fixes

  • HIGH: The repository import functionality was vulnerable to a command injection issue when importing Mercurial repositories.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A 500 Internal Server Error could occur when creating a new organization.
  • GitHub Apps were unable to modify GitHub Team memberships via the API.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.10 October 08, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Webhooks could not be created or updated to point to .consul domains.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.9 September 25, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • It was possible for the two-factor authentication requirement on the global enterprise account to remain enabled after switching to an authentication mode that does not support built-in two-factor authentication (such as SAML).
  • In large repos the protected branch settings page was loading slowly and triggering a timeout error.

Changes

  • The number of pull requests that can be created from the same head SHA1 is limited to 100 by default.
  • Added support for r5.8xlarge and r5.16xlarge EC2 instance types.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.8 September 10, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Site administrators could have two-factor authentication disabled via the Site Admin dashboard when two-factor authentication was enabled on the global enterprise account.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.7 August 27, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • On appliances that send a lot of notifications, GitHub Enterprise opened too many connections to the configured email server which delayed delivery in certain cases.
  • A GPG key warning appeared during fresh installs.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.6 August 13, 2019

Security Fixes

  • HIGH: An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • MEDIUM: GitHub App permissions could be incorrectly set by the user.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The database wouldn't automatically reconnect, which caused dependency graphs not to be shown on repositories.
  • When creating an organization, the name availability check wouldn't correctly display its URL.
  • When using ghe-migrator or exporting from GitHub.com, an export would silently omit issue comments when a repository was archived.
  • GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails in certain circumstances.
  • GitHub App managers were able to access and manage applications for the organization after being removed from it.
  • Comparing OAuth Access Tokens returned 404 Not Found error.
  • Deleting a repository and its projects could delete other owned or accessible projects.
  • When enabling a feature for GitHub Connect resulted in an error, users were not properly notified.

Changes

  • Reduced memory utilization on GitHub Enterprise Server instances.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.5 July 23, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Identical node identifiers on high availability replica nodes could prevent configuring or updating high availability replication.
  • Consul did not automatically recover when a node's identity changed unexpectedly.
  • An incorrect free memory total was calculated when determining the available memory required to install a hotpatch.
  • Hypervisor type and root volumes were incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.4 July 02, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Resque workers may not have been cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Viewing the profile of a user with a username similar to a common HTML error page, for example 404-html, would display the error page and not the user's profile.
  • Reattaching a forked repository to its parent after changing the visibility would fail for the second and subsequent forks.
  • The global enterprise account members page did not list all members of the installation.
  • Creating a new repository could fail with a 404 error if the user is an owner of a large number of organizations.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.3 June 26, 2019

OAuth app authorization bypass

A CRITICAL vulnerability was identified that allows an attacker to authorize an OAuth application on the account of a targeted user without the approval of the targeted user. This would allow an attacker to execute actions on behalf of the targeted user via the authorized OAuth application. The attacker would need to be able to create an OAuth application on the affected GitHub Enterprise Server instance to perform this attack. Additionally, to execute the attack, the targeted user would need to visit an attacker-controlled website.

The affected supported versions are:

  • 2.14.0 - 2.14.23
  • 2.15.0 - 2.15.16
  • 2.16.0 - 2.16.11
  • 2.17.0 - 2.17.2

We strongly recommend upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.14.24, 2.15.17, 2.16.12, 2.17.3, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

This vulnerability was reported through the GitHub Security Bug Bounty program.

Security Fixes

  • CRITICAL: A malicious OAuth application could be authorized on a targeted user's account without requiring user approval, allowing an attacker to execute actions on behalf of the user.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.2 June 19, 2019

Security Fixes

  • MEDIUM: An attacker with direct network access to the server could send a specially crafted sequence of network packets that could cause a kernel panic or slow down the system causing a Denial of Service (DoS). For more information, see the associated CVEs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Internal API data values exceeded internal buffer sizes and caused access from the Git command-line to fail unconditionally for some users or deploy keys.
  • In single node appliances, the ghe-export-audit-logs command did not correctly detect the instance type in some cases, causing backups to fail.
  • Adding a new node to a currently or previously configured high availability replication primary node that has been upgraded to GitHub Enterprise Server 2.17 could fail due to a missing /etc/openvpn/easy-rsa/openssl.cnf file.
  • Pre-seeding the initial replica appliance in an HA configuration would result in the failure of the existing primary appliance.
  • The GitHub Connect "Learn more" link beside the message "You can now connect to an enterprise account" pointed to a nonexistent help article.
  • The "Learn why" link beside the message "Custom sign-in messages are disabled when SAML authentication is enabled" pointed to a nonexistent help article.
  • The GraphQL API would only return 300 objects instead of the documented 3000.
  • In the GraphQL API, the suggestedReviewers field returned an error when queried in combination with some other fields (e.g., additions or deletions).
  • An invalid prompt was displayed when editing FUNDING.yml, and the edited changes would then also fail to preview correctly.
  • The Collaboration "Funding model links" section would appear within the UI.
  • Pre-receive hooks that printed non-UTF-8 characters would fail with an "incompatible character encodings" error message.
  • When attempting to search for private repositories on GitHub.com via GitHub Connect, a 500 Internal Server Error occurred.
  • GitHub Enterprise Server incorrectly enforced a version of Backup Utilities that was the same or newer than the precise patch version of GitHub Enterprise Server.

Changes

  • GitHub Enterprise is now available in the AWS GovCloud (US-East) region.
  • When pushing a very large number of Git LFS objects to a repository, the returned "Git LFS Integrity Check" warning message was confusing, leading users to think something went wrong.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.1 June 04, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • When using ghe-migrator or exporting from GitHub.com, an export would silently fail to export pull request review comments when a repository was archived.
  • Rename conflicts were not detected while importing from some third-party systems using ghe-migrator.
  • The GitHub Blog URL was incorrect.
  • GitHub app permissions were not properly displayed during app creation.
  • The global enterprise account listed suspended outside collaborators.
  • Recently promoted site admins could be suspended by another site admin without revoking site admin privilege first.
  • A partially completed GitHub Connect permissions request would be requested on a subsequent unrelated permission request.

Changes

  • Adjusted the memcached graph to include the memory "used" in addition to the memory "free".
  • client_id and client_secret were added to the JSON payload when creating a GitHub App via manifest.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Adding a new node to a currently or previously configured high availability replication primary node that has been upgraded to GitHub Enterprise Server 2.17 may fail due to a missing /etc/openvpn/easy-rsa/openssl.cnf file. (updated: 2019-06-19)
  • GitHub Enterprise Server incorrectly enforces a version of Backup Utilities that is the same or newer than the precise patch version of GitHub Enterprise Server. (updated 2019-06-25)
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.17.0 May 23, 2019

Features

  • Users can create draft pull requests.
  • Pull request reviewers can expand and contract the diff view.
  • Code authors can commit a batch of suggested changes as a single commit.
  • Security alerts are available to customers utilizing GitHub Connect.
  • Organization owners can view and export a list of users that have access to a repository.
  • Users can create and manage their own project boards.
  • Users can set a status on their profile.
  • GitHub Enterprise Server supports more AWS EC2 instance types with the AWS Nitro System.
  • Organization owners can revoke personal access tokens via the API.
  • Users can view a list of all the repository releases that are being watched.
  • Organization owners can restrict members' ability to create teams.
  • Users can view all of their subscriptions to issues and pull requests.
  • Audit log data is now stored in MySQL instead of Elasticsearch.
  • Users can exclude labels from search in an issue or pull request list filter.
  • Organization owners can grant users the ability to manage either individual GitHub Apps or all GitHub Apps in an organization.
  • Users can mark previously viewed notifications as unread.
  • License usage can be uploaded to GitHub Enterprise Cloud for customers utilizing GitHub Connect.
  • Users can view information about the author of an issue or pull request by hovering over their username in sticky conversation headers.
  • Users can reset their profile picture to the default identicon.
  • Organization admins can restrict email notifications for activity within their organization to one or more verified domains. (update: 2019-10-04)
  • Pull request review summary comments now support reactions, edit history, quote replies, and copying URLs.
  • Users can pin gists to their profile.
  • Organization admins can enable the dependency graph for their organization if utilizing GitHub Connect.
  • Users can re-request a code review to notify requested reviewers that changes have been made to a pull request.
  • Users can select a different repository when opening a new issue from a comment.
  • Users can copy comment permalinks on mobile.
  • GitHub Enterprise Server admins can enable Transport Layer Security (TLS) version 1.3.
  • Users can close or open an issue or pull request from the projects side pane.

Security Fixes

  • HIGH: An endpoint in the GitHub API would disclose sensitive user information in its error response. The disclosed information included authentication tokens that could be used to authenticate as unauthorized users. An authenticated user on the instance would be required to access the affected API.
  • LOW: External collaborators received security vulnerability alerts after write access to a repository was revoked.
  • LOW: Assigned issues in another user's private repository could appear in an issues search.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The /var/log/github/exceptions.log file could include a large number of QueryWarningLogger::QueryWarning errors.
  • Organizations imported with ghe-migrator were not added to the global enterprise account.
  • The diff context for diffs that included submodules would sometimes load incorrect content.

Changes

  • 'Business Account' has been renamed to 'Enterprise Account'.
  • The user/organization dashboard is now full-width and responsive.
  • When a user opens a new issue from a comment, the new issue will include the full original comment text in its body.
  • Users can close the detail pane for a project board by pressing the Esc key.
  • Organization names can now include spaces.
  • The blob editor page is now responsive.
  • The maximum number of files in API diffs is 3000.
  • Organization admins can view the Two-Factor Authentication (2FA) status of organization members via the API.
  • Deleted repositories can be restored in bulk.
  • Users must have at least one verified email to create a gist.
  • If contribution guidelines have been added to a repository, they are shown in the sidebar when a user opens their first issue in that repository.
  • Organization administrators can invite members of other organizations in the same business when there are no remaining seats.
  • The live page updates keep-alive has been reduced to 30 seconds to better accommodate load balancer related timeouts.
  • The minimum recommended hardware requirements for GitHub Enterprise Server have been updated. (updated 2019-05-30)

Backups and Disaster Recovery

GitHub Enterprise Server 2.17 requires at least GitHub Enterprise Backup Utilities 2.17.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Enterprise Server 2.14

GitHub Enterprise Server 2.14 will be deprecated as of July 12, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Deprecation of GitHub Services

Starting with GitHub Enterprise Server 2.17.0, support for GitHub Services is now deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise Server will continue to function but GitHub Enterprise Server will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner is displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with ghe-legacy-github-services-report.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Adding a new node to a currently or previously configured high availability replication primary node that has been upgraded to GitHub Enterprise Server 2.17 may fail due to a missing /etc/openvpn/easy-rsa/openssl.cnf file. (updated: 2019-06-19)
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Errata

  • The ability for Organization admins to restrict email notifications for activity within their organization is not included in GitHub Enterprise Server 2.17.0.

Thanks!

The GitHub Team