GitHub Enterprise 2.18.10 January 15, 2020 Download

Security Fixes

Bug Fixes

  • The root disk utilization graph in the Management Console was missing on AWS Nitro instance types.
  • The Alambic storage service could hit its file descriptor limit, which could cause the kernel to hang and other services to log errors.
  • Importing teams that contained nested teams with secret visibility could fail. Nested teams are now imported as top-level teams when they are imported as children of a team with secret visibility.
  • When a repository was locked, users could still directly visit pull request URLs and modify the reviewers.
  • A team created via the API V3 would not automatically add its creator as a maintainer, which caused it to be inaccessible to that person.
  • A GitHub App with the proper set of permissions was unable to create teams on instances using LDAP.
  • DNS resolution for GitHub Connect could time out.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.9 December 17, 2019 Download

Security Fixes

  • MEDIUM: An attacker could push a malicious GitHub Pages branch with overlapping submodule names, possibly leading to remote code execution within the GitHub Pages build container. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. CVE-2019-1387
  • Packages have been updated to the latest security versions.
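The overlapping-name condition behind CVE-2019-1387 is worth being able to detect on your own side, for instance in a pre-receive hook or an import pipeline, rather than relying only on the build container's git version. The following check is an editor's added example, not code from GitHub or from the git project: it parses a .gitmodules file and rejects submodule names whose git directory (.git/modules/<name>) would be nested inside another submodule's git directory, such as a name "a" alongside "a/hooks", together with names containing "..", ".git" or empty components. The sample .gitmodules content is constructed for the example and refers to no real repository.

```python
import re

# Constructed sample .gitmodules, not taken from any real repository.  The
# second entry's name sits below the first one's, so git would place its
# git directory at .git/modules/vendor/lib/hooks, inside the first
# submodule's git directory.  The third entry's name tries to escape
# .git/modules altogether.
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://example.invalid/lib.git
[submodule "vendor/lib/hooks"]
\tpath = third_party/hooks
\turl = https://example.invalid/hooks.git
[submodule "../escape"]
\tpath = escape
\turl = https://example.invalid/escape.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(path|url)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return the submodule entries of a .gitmodules file, in file order.

    Each entry is a dict with at least "name"; "path" and "url" are added
    when present.  Only the subset of git-config syntax that .gitmodules
    uses is handled.
    """
    modules = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            # Undo git-config quoting: \" -> " and \\ -> \
            current = {"name": re.sub(r"\\(.)", r"\1", m.group(1))}
            modules.append(current)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return modules


def check_submodule_names(modules):
    """Return (name, reason) findings for submodule names that must not be accepted.

    git keeps a submodule's repository under .git/modules/<name>, so a name
    is only acceptable if it stays inside that directory and does not land
    inside another submodule's git directory (where that submodule's hooks live).
    """
    findings = []
    names = [m["name"] for m in modules]
    seen = set()
    for name in names:
        if name in seen:
            findings.append((name, "duplicate submodule name"))
        seen.add(name)
        if "\\" in name:
            findings.append((name, "backslash in name"))
            continue
        for component in name.split("/"):
            if component in ("", ".", ".."):
                findings.append((name, "empty, '.' or '..' path component"))
                break
            if component.lower() == ".git":
                findings.append((name, "'.git' path component"))
                break
    # Nesting check: .git/modules/<inner> would lie inside .git/modules/<outer>.
    for outer in names:
        for inner in names:
            if inner != outer and inner.startswith(outer + "/"):
                findings.append((inner, f"git dir nested inside submodule '{outer}'"))
    return findings


if __name__ == "__main__":
    for name, reason in check_submodule_names(parse_gitmodules(SAMPLE_GITMODULES)):
        print(f"reject {name!r}: {reason}")
```

Run against the constructed sample, the check rejects "vendor/lib/hooks" for nesting under "vendor/lib" and "../escape" for its ".." component, and accepts a file whose names are disjoint. The nesting test is on names, not on the path values, because the name is what selects the git directory.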

Bug Fixes

  • Unknown locales were generating errors when running commands in the administrative shell.
  • ghe-config-check was returning validation errors for github-ssl.acme.ca-conf and syslog.cert.
  • The Let's Encrypt certificate registration feature consistently failed following an update to the external API.
  • Upgrades could fail due to a missing SQL table.
  • Commit objects could be lost in some cases if an update of a replica failed and a repair operation was then run.
  • Commit messages containing links were not clickable or properly rendered in blame view.
  • When importing review comments that were created using old versions of GHES, some comments would fail to import due to corrupt diffs.
  • The audit log did not include some entries when protected branch settings were changed.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.8 December 03, 2019 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Graphs for some metrics in the Management Console 'Monitor' page were displaying data in the opposite order from what was expected.
  • Site Admin users could encounter timeouts when attempting to impersonate accounts that were members of a large number of Organizations.
  • Backups of GitHub Enterprise Server clusters could intermittently fail due to duplicated Gist repository references.
  • Transient, non-fatal errors returned from external LDAP servers during team synchronization operations could cause the incorrect removal of team members.
  • GraphQL queries that referenced Organizations could run slowly and occasionally time out on a GitHub Enterprise Server instance that contained a large number of Organizations.
  • Inviting users to a team could time out if the invitees weren't already members of that team's Organization.

Changes

  • Background job queues have been re-ordered to reduce the chances of user-visible jobs being delayed on very busy instances.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • The Let's Encrypt certificate registration feature consistently fails following an update to the external API.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.7 November 20, 2019 Download

Security Fixes

  • HIGH: The legacy avatar upgrade functionality was vulnerable to Server-Side Request Forgery (SSRF) when fetching image content from third-party avatar services. This could allow an attacker to make GET requests to internal services reachable from the GitHub Enterprise deployment.
  • LOW: A Content Security Policy (CSP) header containing script-src 'unsafe-inline' was applied to all paths of Enterprise Manager.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Promoting a replica in an active HA environment could fail to apply configuration changes properly and to remove the pre-flight check holding page.
  • A race condition could occur when a replica node was rebooted, preventing the internal VPN from starting correctly.
  • MySQL replication lag could rise significantly on high traffic instances during times of peak user activity.

Changes

  • The Google Accounts Daemon and google_set_hostname DHCP hook are now disabled on Google Cloud Platform images.
  • GitHub Enterprise Server is now available in the eu-north-1 AWS region.
  • MySQL database seeding progress is reported during replication setup and recorded in the configuration log.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When using Let's Encrypt with a new installation, an error can occur when creating a new Let's Encrypt account.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.6 November 05, 2019 Download

Security Fixes

  • MEDIUM: The repository import functionality was vulnerable to Server-Side Request Forgery (SSRF) when importing TFS repositories.
  • Packages have been updated to the latest security versions.
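The avatar SSRF fixed in 2.18.7 above and the TFS import SSRF fixed here come down to the same missing control: a server-side fetch of a URL taken from user input without checking where that URL actually leads. The following function is an editor's added example, not GitHub's fix: it validates the scheme, refuses embedded credentials, resolves the host and rejects any answer that is not a public unicast address (private ranges, loopback, link-local including the 169.254.169.254 metadata address, and IPv4-mapped IPv6 literals). The hostnames and the DNS table are constructed so the example runs offline; the resolver is pluggable so the real socket.getaddrinfo is used in practice.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip):
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 literals (::ffff:10.0.0.5) are unwrapped first so the
    IPv4 rules apply to them.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or not addr.is_global)


def resolve_all(host):
    """Every address the system resolver returns for host (the default resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolver=resolve_all):
    """Decide whether a server-side fetch of url may proceed.

    Returns (ok, reason, addresses).  When ok is True, the caller must connect
    to one of the returned addresses rather than resolving the host again,
    otherwise a DNS rebinding attack can swap in an internal address between
    the check and the connection.  Every redirect target must be re-checked.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    try:
        addresses = resolver(host)
    except (OSError, ValueError) as exc:
        return False, f"could not resolve {host!r}: {exc}", []
    if not addresses:
        return False, f"{host!r} has no addresses", []
    # Reject if *any* record is internal: a mixed answer is how rebinding and
    # round-robin tricks get one request through.
    internal = [a for a in addresses if not is_public_address(a)]
    if internal:
        return False, f"{host!r} resolves to non-public address(es): {', '.join(internal)}", addresses
    return True, "ok", addresses


# Constructed name-to-address table so the example runs offline; none of these
# hosts exist.  8.8.8.8 merely stands in for "some public address".
CONSTRUCTED_DNS = {
    "avatar-service.example": ["8.8.8.8"],
    "rebind.example": ["8.8.8.8", "10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "mapped.example": ["::ffff:192.168.1.20"],
}


def constructed_resolver(host):
    """Offline stand-in for resolve_all, backed by CONSTRUCTED_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]                      # an IP literal needs no lookup
    except ValueError:
        pass
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed resolver: unknown host {host}")
    return list(CONSTRUCTED_DNS[host])


if __name__ == "__main__":
    for candidate in ("https://avatar-service.example/u/42.png",
                      "https://rebind.example/u/42.png",
                      "http://metadata.example/latest/meta-data/",
                      "http://127.0.0.1:8080/internal/"):
        ok, reason, _ = check_outbound_url(candidate, constructed_resolver)
        print(f"{'allow' if ok else 'block'} {candidate}: {reason}")
```

The addresses the check returns are the ones to connect to; letting the HTTP client resolve the name a second time reopens the rebinding window, and each redirect hop needs the same check before it is followed. An import feature that must reach an internal TFS host should get an explicit allow-list of that host, not a relaxation of this rule.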

Bug Fixes

  • Storage objects were incorrectly deleted from non-voting replicas.
  • In some cases systemd would fail to start services after a reboot.
  • Submitting the form to request to change a team's parent team with an empty value caused an error.
  • The GitHub App installation page returned a timeout error for some users and Apps.
  • Unsubscribe email notification language was inconsistent with the language used in the web interface.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.5 October 23, 2019 Download

Security Fixes

  • HIGH: The repository import functionality was vulnerable to command injection when importing Mercurial repositories.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, trying to add files to a repository using the web interface or pushing commits from the command line interface could fail.
  • A 500 Internal Server Error could occur when creating a new organization.
  • GitHub Apps were unable to modify GitHub Team memberships via the API.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.4 October 08, 2019 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Git pushes could take a long time when pushing to a fork of a repository with a lot of forks.
  • Webhooks could not be created or updated to point to .consul domains.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.3 September 25, 2019 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Missing /etc/aliases.db file caused the deferred mail queue to fill with internal alert messages.
  • The text toolbar and the subheading were overlapping on the global enterprise account Messages pages.
  • It was possible for the two-factor authentication requirement on the global enterprise account to remain enabled after switching to an authentication mode that does not support built-in two-factor authentication (such as SAML).
  • In large repositories the protected branch settings page was loading slowly and triggering a timeout error.
  • Attempting to unarchive a repository would fail due to schema mismatch.
  • Viewing blobs in a repository was slow and could cause timeout errors under certain network conditions.
  • Forking a private repository into an organization was erroneously blocked by an error that mentioned upgrading your plan.

Changes

  • Added support for r5.8xlarge and r5.16xlarge EC2 instance types.
  • The number of pull requests that can be created from the same head SHA1 is limited to 100 by default.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.2 September 10, 2019 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Live updates for pull requests and issues would fail due to an incorrect list of allowed origin domains.
  • A Git operation could fail to connect to the server with a SIGABRT error in certain cases.
  • WireGuard private keys were missing in some cases, causing a failure to connect.
  • Restarting replication after an upgrade using ghe-repl-start could fail to detect an existing configuration run and break the replication between HA nodes.
  • Promotion of an HA replica would cause a memory leak in some cases.
  • Site administrators could have two-factor authentication disabled via the Site Admin dashboard when two-factor authentication was enabled on the global enterprise account.
  • A background job that doesn't apply to GitHub Enterprise Server was enqueued but never processed.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

Thanks!

The GitHub Team

GitHub Enterprise 2.18.1 August 27, 2019 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • On appliances that send a lot of notifications, GitHub Enterprise opened too many connections to the configured email server, which delayed delivery in certain cases.
  • When a SAML session expired before a form was submitted, users of Chrome would not be redirected to the SAML authentication workflow.

Changes

  • Adjusted the amount of logging for the Alive service to reduce noise.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Issue, pull request, and project pages may not automatically update with changes from other users. (updated 2019-08-30)

Thanks!

The GitHub Team

GitHub Enterprise 2.18.0 August 20, 2019 Download

Features

Security Fixes

  • HIGH: An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • MEDIUM: GitHub App permissions could be incorrectly set by the user.
  • Packages have been updated to the latest security versions.
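The option-injection fix above and the Mercurial import command injection fixed in 2.18.5 are instances of one problem: a value from the request ends up in a position where a command-line tool parses options. The following wrapper is an editor's added example, not GitHub's code: it builds a git argv in which user-controlled revisions are rejected if they start with "-" and are placed after --end-of-options (git 2.24 and later), while pathspecs go after "--", so nothing the user supplies can be read as an option. Which subcommand the affected GitHub code invoked is not stated in the notes; git log with --output is used here only to illustrate the file-truncation effect they describe. Mercurial's command line honours "--" in the same way, so the same construction applies when an importer shells out to hg.

```python
import subprocess


class UnsafeArgument(ValueError):
    """Raised when user-controlled data would be parsed by git as an option."""


def is_option_like(value):
    """True if git would read value as an option rather than as a revision or path."""
    return value == "" or value.startswith("-")


def git_argv(subcommand, revs=(), paths=(), options=(), end_of_options=True):
    """Build an argv for `git <subcommand>` with user data kept out of option position.

    options:  flags chosen by the code, never taken from the request.
    revs:     user-controlled revisions (branch names, SHAs, refs).  Rejected if
              option-like, and placed after --end-of-options (git >= 2.24) so
              that even a value git itself would accept is never parsed as an
              option.  Pass end_of_options=False on older git.
    paths:    user-controlled pathspecs; placed after "--", which git
              subcommands that take paths understand as "no more options".
    """
    argv = ["git", subcommand, *options]
    if revs:
        if end_of_options:
            argv.append("--end-of-options")
        for rev in revs:
            if is_option_like(rev):
                raise UnsafeArgument(f"revision {rev!r} would be parsed as a git option")
            argv.append(rev)
    if paths:
        argv.append("--")
        argv.extend(paths)
    return argv


def run_git(subcommand, revs=(), paths=(), options=(), cwd=None):
    """Run git with a safely built argv; never goes through a shell."""
    return subprocess.run(git_argv(subcommand, revs, paths, options),
                          cwd=cwd, capture_output=True, text=True, check=False)


# The pattern the notes warn about, shown as a comment rather than runnable
# code: the request value lands where git expects options.
#
#     subprocess.run(["git", "log", "-1", request_ref])
#
# With request_ref = "--output=/some/path", git log writes its output to that
# path, truncating whatever was there; --output is an ordinary diff/log option.

if __name__ == "__main__":
    print(git_argv("log", revs=["main"], paths=["README.md"], options=["-1", "--format=%H"]))
    try:
        git_argv("log", revs=["--output=/tmp/clobbered"])
    except UnsafeArgument as exc:
        print("rejected:", exc)
```

The leading-dash check is the control that matters on every git version; --end-of-options is defence in depth for values that pass the check but that a particular subcommand might still treat specially. Values containing NUL bytes are refused by subprocess itself.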

Bug Fixes

  • GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails if a URL was used for the support link instead of an email address.
  • GitHub App managers were able to access and manage applications for the organization after being removed from it.
  • Lines in gists were not selectable.

Changes

  • WireGuard replaces OpenVPN as the technology used to encrypt communication between nodes in High Availability configurations.
  • Webhook payloads include the milestone object when milestones are added or removed.
  • Links to all the pull requests associated with a security alert are viewable on the security alerts page.
  • Users are able to update their branch with the base branch when a pull request is in draft status.
  • After a new commit is made, files marked as reviewed are reset to unreviewed for all users who had previously reviewed them.
  • Reduced memory utilization on GitHub Enterprise Server instances.
  • The longpoll service has been replaced with alive.
  • Replication must be stopped during a feature upgrade.

Backups and Disaster Recovery

GitHub Enterprise Server 2.18 requires at least GitHub Enterprise Backup Utilities 2.18.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Enterprise Server 2.15

GitHub Enterprise Server 2.15 will be deprecated as of October 16, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • Issue, pull request, and project pages may not automatically update with changes from other users. (updated 2019-08-30)

Thanks!

The GitHub Team