GitHub Enterprise 2.17.8, September 10, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Site administrators could have two-factor authentication disabled via the Site Admin dashboard when two-factor authentication was enabled on the global enterprise account.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.

Thanks!

The GitHub Team

GitHub Enterprise 2.17.7, August 27, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • On appliances that send a lot of notifications, GitHub Enterprise opened too many connections to the configured email server which delayed delivery in certain cases.
  • A GPG key warning appeared during fresh installs.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.

GitHub Enterprise 2.17.6, August 13, 2019

Security Fixes

  • HIGH: An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • MEDIUM: GitHub App permissions could be incorrectly set by the user.
  • Packages have been updated to the latest security versions.
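The HIGH item above describes the classic argument-injection class: a user-controlled name reaches a git sub-command as an argument and is parsed as an option. The advisory does not say which name was the vector beyond requiring branch-creation permission, so the following added example (not GitHub's code) assumes a hypothetical server-side component that runs git sub-commands with a caller-supplied branch name, and shows the defensive argv construction such a component should use: reject option-shaped names (a leading `-`) together with the names Git's own check-ref-format rules would refuse, and pass the ref fully qualified under `refs/heads/` so it can never be read as an option. The sample names at the bottom are constructed.

```python
"""Hardened construction of Git command lines from user-supplied branch names.

Added example, not GitHub's code. Assumes a hypothetical server-side component
that builds argv for git sub-commands with a caller-supplied branch name, the
input class the 2.17.6 advisory describes. Two complementary defences:
validate the name (option-shaped names are the first rejection), and qualify
the ref under refs/heads/ so Git sees a ref, not an option, even if validation
were ever relaxed.
"""
import re
import subprocess
from typing import List


class UnsafeRefName(ValueError):
    """Raised when a branch name is malformed or could be parsed as an option."""


# Characters check-ref-format rejects: control characters, space, DEL, and the
# rev-syntax / glob characters ~ ^ : ? * [ and backslash.
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def validate_branch_name(name: str) -> str:
    """Return `name` unchanged if it is a valid, non-option-shaped branch name.

    Implements the check-ref-format rules relevant to a single branch name;
    the first test is the one that matters for option injection.
    """
    if not name or name.startswith("-"):
        raise UnsafeRefName(f"empty or option-shaped branch name: {name!r}")
    if _BAD_CHARS.search(name):
        raise UnsafeRefName(f"forbidden character in branch name: {name!r}")
    if name == "@" or ".." in name or "@{" in name or "//" in name:
        raise UnsafeRefName(f"forbidden sequence in branch name: {name!r}")
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        raise UnsafeRefName(f"bad leading or trailing character: {name!r}")
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            raise UnsafeRefName(f"bad path component in branch name: {name!r}")
    return name


def git_argv(subcommand: str, branch: str, *options: str) -> List[str]:
    """Build argv for `git <subcommand> <options...> refs/heads/<branch>`.

    `options` are fixed strings chosen by the calling code, never user input.
    The branch is validated first and then fully qualified, so the value that
    reaches Git always begins with "refs/heads/" and cannot start with "-".
    """
    validate_branch_name(branch)
    return ["git", subcommand, *options, f"refs/heads/{branch}"]


def run_git(repo_dir: str, argv: List[str]) -> str:
    """Execute a prebuilt argv without a shell and return its stdout."""
    result = subprocess.run(argv, cwd=repo_dir, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample names: one legitimate, one shaped like an option.
    for candidate in ("feature/login", "--help"):
        try:
            print(git_argv("rev-parse", candidate, "--verify"))
        except UnsafeRefName as exc:
            print("rejected:", exc)
```

The two layers are deliberately independent: validation gives a clear error to the caller and a log line for detection, while the `refs/heads/` qualification guarantees the argument position is a ref regardless of what validation lets through. Passing argv as a list to `subprocess.run` keeps a shell out of the path entirely.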

Bug Fixes

  • The database wouldn't automatically reconnect, which caused dependency graphs not to show on repositories.
  • When creating an organization, the name availability check wouldn't correctly display its URL.
  • When using ghe-migrator or exporting from GitHub.com, an export would silently fail to include issue comments when a repository was archived.
  • GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails in certain circumstances.
  • GitHub app managers were able to access and manage applications for the organization after being removed from it.
  • Comparing OAuth Access Tokens returned a 404 Not Found error.
  • Deleting a repository and its projects could delete other owned or accessible projects.
  • When enabling a feature for GitHub Connect resulted in an error, users were not properly notified.

Changes

  • Reduced memory utilization on GitHub Enterprise Server instances.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.

GitHub Enterprise 2.17.5, July 23, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Identical node identifiers on high availability replica nodes could prevent configuring or updating high availability replication.
  • Consul did not automatically recover when a node's identity changed unexpectedly.
  • An incorrect free memory total was calculated when determining the available memory required to install a hotpatch.
  • Hypervisor type and root volumes were incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Lines in gists are not selectable.

GitHub Enterprise 2.17.4, July 02, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Resque workers may not have been cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Viewing the profile of a user with a username similar to a common HTML error page, for example 404-html, would display the error page and not the user's profile.
  • Reattaching a forked repository to its parent after changing the visibility would fail for the second and subsequent forks.
  • The global enterprise account members page did not list all members of the installation.
  • Creating a new repository could fail with a 404 error if the user is an owner of a large number of organizations.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)

GitHub Enterprise 2.17.3, June 26, 2019

OAuth app authorization bypass

A CRITICAL vulnerability was identified that allows an attacker to authorize an OAuth application on the account of a targeted user without the approval of the targeted user. This would allow an attacker to execute actions on behalf of the targeted user via the authorized OAuth application. The attacker would need to be able to create an OAuth application on the affected GitHub Enterprise Server instance to perform this attack. Additionally, to execute the attack, the targeted user would need to visit an attacker-controlled website.

The affected supported versions are:

  • 2.14.0 - 2.14.23
  • 2.15.0 - 2.15.16
  • 2.16.0 - 2.16.11
  • 2.17.0 - 2.17.2

We strongly recommend upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.14.24, 2.15.17, 2.16.12, 2.17.3, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

This vulnerability was reported through the GitHub Security Bug Bounty program.
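For an administrator responsible for several appliances, the practical question is which instances fall inside the four affected ranges and what the minimum patch release for each series is. The following added example (not GitHub's tooling) transcribes the ranges and fixed releases from the advisory above into a small triage script; version tuples compare numerically so `2.14.9` is correctly ordered before `2.14.23`, and a series the advisory does not enumerate is reported as unlisted rather than silently passed. The fleet inventory and hostnames are constructed sample input.

```python
"""Fleet triage against the affected-version ranges in the OAuth app
authorization bypass advisory.

Added example, not GitHub's tooling. The ranges and minimum fixed releases are
transcribed from the advisory; the inventory at the bottom is constructed.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the advisory lists them.
AFFECTED_RANGES = (
    "2.14.0 - 2.14.23",
    "2.15.0 - 2.15.16",
    "2.16.0 - 2.16.11",
    "2.17.0 - 2.17.2",
)

# Minimum patch release per supported series that carries the fix.
FIXED_IN = {"2.14": "2.14.24", "2.15": "2.15.17", "2.16": "2.16.12", "2.17": "2.17.3"}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a tuple that compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def parse_range(text: str) -> Tuple[Version, Version]:
    """Parse 'low - high' (inclusive on both ends) into two version tuples."""
    low, high = (parse_version(p) for p in text.split("-"))
    return low, high


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in map(parse_range, AFFECTED_RANGES))


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Classify one instance.

    Returns ("affected", minimum fixed release), ("fixed", None) for a listed
    series at or past its fixed release, or ("unlisted", None) for a series
    the advisory does not enumerate, which needs a separate check rather than
    a silent pass.
    """
    major, minor, _ = parse_version(version)
    series = f"{major}.{minor}"
    if series not in FIXED_IN:
        return ("unlisted", None)
    if is_affected(version):
        return ("affected", FIXED_IN[series])
    return ("fixed", None)


def triage(fleet: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every hostname -> version pair in an inventory."""
    return {host: assess(ver) for host, ver in fleet.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders.
    sample_fleet = {
        "ghe-prod.example": "2.16.9",
        "ghe-staging.example": "2.17.3",
        "ghe-legacy.example": "2.13.12",
    }
    for host, (status, fixed) in triage(sample_fleet).items():
        print(f"{host}: {status}" + (f", upgrade to {fixed}" if fixed else ""))
```

The three-way result is the point of the design: an instance on an unlisted series (older than 2.14, or newer than the advisory covers) is flagged for a human decision instead of being reported as safe, which is the failure mode a naive "not in range, therefore fine" check would have.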

Security Fixes

  • CRITICAL: A malicious OAuth application could be authorized on a targeted user's account without requiring user approval, allowing an attacker to execute actions on behalf of the user.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)

GitHub Enterprise 2.17.2, June 19, 2019

Security Fixes

  • MEDIUM: An attacker with direct network access to the server could send a specially crafted sequence of network packets that could cause a kernel panic or slow down the system causing a Denial of Service (DoS). For more information, see the associated CVEs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Internal API data values exceeded internal buffer sizes and caused access from the Git command-line to fail unconditionally for some users or deploy keys.
  • In single node appliances, the ghe-export-audit-logs command did not correctly detect the instance type in some cases, causing backups to fail.
  • Adding a new node to a currently or previously configured high availability replication primary node that has been upgraded to GitHub Enterprise Server 2.17 could fail due to a missing /etc/openvpn/easy-rsa/openssl.cnf file.
  • Pre-seeding the initial replica appliance in an HA configuration would result in the failure of the existing primary appliance.
  • The GitHub Connect "Learn more" link beside the message "You can now connect to an enterprise account" pointed to a nonexistent help article.
  • The "Learn why" link beside the message "Custom sign-in messages are disabled when SAML authentication is enabled" pointed to a nonexistent help article.
  • The GraphQL API would only return 300 objects instead of the documented 3000.
  • In the GraphQL API, the suggestedReviewers field returned an error when queried in combination with some other fields (e.g., additions or deletions).
  • An invalid prompt was displayed when editing FUNDING.yml, and changes to the file also failed to preview correctly.
  • The Collaboration "Funding model links" section would appear within the UI.
  • Pre-receive hooks that printed non-UTF-8 characters would fail with an "incompatible character encodings" error message.
  • When attempting to search for private repositories on GitHub.com via GitHub Connect, a 500 Internal Server Error occurred.
  • GitHub Enterprise Server incorrectly enforced a version of Backup Utilities that was the same or newer than the precise patch version of GitHub Enterprise Server.

Changes

  • GitHub Enterprise is now available in the AWS GovCloud (US-East) region.
  • When pushing a very large number of Git LFS objects to a repository, the returning "Git LFS Integrity Check" warning message was confusing, leading users to think something went wrong.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)

GitHub Enterprise 2.17.1, June 04, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • When using ghe-migrator or exporting from GitHub.com, an export would silently fail to include pull request review comments when a repository was archived.
  • Rename conflicts were not detected while importing from some third-party systems using ghe-migrator.
  • The GitHub Blog URL was incorrect.
  • GitHub app permissions were not properly displayed during app creation.
  • The global enterprise account listed suspended outside collaborators.
  • Recently promoted site admins could be suspended by another site admin without revoking site admin privilege first.
  • A partially completed GitHub Connect permissions request would be requested on a subsequent unrelated permission request.

Changes

  • Adjusted the memcached graph to include the memory "used" in addition to the memory "free".
  • client_id and client_secret were added to the JSON payload when creating a GitHub App via manifest.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Adding a new node to a currently or previously configured high availability replication primary node that has been upgraded to GitHub Enterprise Server 2.17 may fail due to a missing /etc/openvpn/easy-rsa/openssl.cnf file. (updated: 2019-06-19)
  • GitHub Enterprise Server incorrectly enforces a version of Backup Utilities that is the same or newer than the precise patch version of GitHub Enterprise Server. (updated 2019-06-25)
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)

GitHub Enterprise 2.17.0, May 23, 2019

Features

  • Users can create draft pull requests.
  • Pull request reviewers can expand and contract the diff view.
  • Code authors can commit a batch of suggested changes as a single commit.
  • Security alerts are available to customers utilizing GitHub Connect.
  • Organization owners can view and export a list of users that have access to a repository.
  • Users can create and manage their own project boards.
  • Users can set a status on their profile.
  • GitHub Enterprise Server supports more AWS EC2 instance types with the AWS Nitro System.
  • Organization owners can revoke personal access tokens via the API.
  • Users can view a list of all the repository releases that are being watched.
  • Organization owners can restrict members' ability to create teams.
  • Users can view all of their subscriptions to issues and pull requests.
  • Audit log data is now stored in MySQL instead of Elasticsearch.
  • Users can exclude labels from search in an issue or pull request list filter.
  • Organization owners can grant users the ability to manage either individual GitHub Apps or all GitHub Apps in an organization.
  • Users can mark previously viewed notifications as unread.
  • License usage can be uploaded to GitHub Enterprise Cloud for customers utilizing GitHub Connect.
  • Users can view information about the author of an issue or pull request by hovering over their username in sticky conversation headers.
  • Users can reset their profile picture to the default identicon.
  • Pull request review summary comments now support reactions, edit history, quote replies, and copying URLs.
  • Organization admins can restrict email notifications for activity within their organization to one or more verified domains.
  • Users can pin gists to their profile.
  • Organization admins can enable the dependency graph for their organization if utilizing GitHub Connect.
  • Users can re-request a code review to notify requested reviewers that changes have been made to a pull request.
  • Users can select a different repository when opening a new issue from a comment.
  • Users can copy comment permalinks on mobile.
  • GitHub Enterprise Server admins can enable Transport Layer Security (TLS) version 1.3.
  • Users can close or open an issue or pull request from the projects side pane.

Security Fixes

  • HIGH: An endpoint in the GitHub API would disclose sensitive user information in its error response. The disclosed information included authentication tokens that could be used to authenticate as unauthorized users. An authenticated user on the instance was required in order to access the affected API.
  • LOW: External collaborators received security vulnerability alerts after write access to a repository was revoked.
  • LOW: Assigned issues in another user's private repository could appear in an issues search.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The /var/log/github/exceptions.log file could include a large number of QueryWarningLogger::QueryWarning errors.
  • Organizations imported with ghe-migrator were not added to the global enterprise account.
  • The diff context for diffs that included submodules would sometimes load incorrect content.

Changes

  • 'Business Account' has been renamed to 'Enterprise Account'.
  • The user/organization dashboard is now full-width and responsive.
  • When a user opens a new issue from a comment, the new issue will include the full original comment text in its body.
  • Users can close the detail pane for a project board by pressing the Esc key.
  • Organization names can now include spaces.
  • The blob editor page is now responsive.
  • The maximum number of files in API diffs is 3000.
  • Organization admins can view the Two-Factor Authentication (2FA) status of organization members via the API.
  • Deleted repositories can be restored in bulk.
  • Users must have at least one verified email to create a gist.
  • If contribution guidelines have been added to a repository, they are shown in the sidebar when a user opens their first issue in that repository.
  • Organization administrators can invite members of other organizations in the same business when there are no remaining seats.
  • The live page updates keep-alive has been reduced to 30 seconds to better accommodate load balancer related timeouts.
  • The minimum recommended hardware requirements for GitHub Enterprise Server have been updated. (updated 2019-05-30)

Backups and Disaster Recovery

GitHub Enterprise Server 2.17 requires at least GitHub Enterprise Backup Utilities 2.17.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Enterprise Server 2.14

GitHub Enterprise Server 2.14 will be deprecated as of July 12, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Deprecation of GitHub Services

Starting with GitHub Enterprise Server 2.17.0, support for GitHub Services is now deprecated and administrators will not be able to install or configure new GitHub Services. Existing GitHub Services from a previous version of GitHub Enterprise Server will continue to function but GitHub Enterprise Server will not be providing any security or bug fixes to the GitHub Services functionality. At this time, there will be no changes to the existing functionality, but a warning banner is displayed with the deprecation announcement blog post. Administrators can see which repositories are using GitHub Services with ghe-legacy-github-services-report.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS-tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
  • Adding a new node to a currently or previously configured high availability replication primary node that has been upgraded to GitHub Enterprise Server 2.17 may fail due to a missing /etc/openvpn/easy-rsa/openssl.cnf file. (updated: 2019-06-19)
  • Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
  • Lines in gists are not selectable. (updated: 2019-07-19)
