GitHub Enterprise 2.19.24 October 09, 2020 Download

Security Fixes

  • A user whose LDAP directory username normalizes to the login of an existing GHES account could authenticate into that existing account.
  • Packages have been updated to the latest security versions.
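The first entry above is a normalization collision: two different directory usernames can map to one GHES login, and the wrong one then owns the account. The following Python example is added here and is not GitHub's code; it approximates the documented login normalization (non-alphanumeric characters become "-", runs of "-" collapse, leading and trailing "-" are dropped, the local part of an email address is kept) and flags directory users whose normalized login lands on an account that is not byte-for-byte theirs. That is the check an identity-provisioning flow should run before linking a directory user to an existing account. The normalization rules, the existing logins and the directory usernames are assumptions constructed for this example.

```python
import re
from typing import Dict, Iterable

# Assumption for this example: an approximation of the login normalization
# GHES applies to external usernames (LDAP uid, SAML NameID, CAS user). Case is
# preserved here; comparisons below ignore case because logins do.
def normalize_login(directory_username: str) -> str:
    local = directory_username.split("@", 1)[0]          # keep local part of an email
    login = re.sub(r"[^A-Za-z0-9-]", "-", local)          # anything else becomes "-"
    login = re.sub(r"-{2,}", "-", login)                  # collapse runs of "-"
    return login.strip("-")                               # no leading/trailing "-"


def find_collisions(existing_logins: Iterable[str],
                    directory_usernames: Iterable[str]) -> Dict[str, str]:
    """Return {directory_username: existing_login} for each directory user whose
    normalized login matches an existing account while the raw directory
    username differs from that login (case aside). Those are the cases a
    provisioning flow must hand to a site admin instead of auto-linking."""
    by_lower: Dict[str, str] = {login.lower(): login for login in existing_logins}
    collisions: Dict[str, str] = {}
    for uid in directory_usernames:
        target = by_lower.get(normalize_login(uid).lower())
        if target is not None and uid.lower() != target.lower():
            collisions[uid] = target
    return collisions


# Constructed sample data for this example.
EXISTING_LOGINS = {"mona-lisa", "hubot", "octo-cat"}
DIRECTORY_USERNAMES = ["mona.lisa", "Hubot", "octo_cat@example.com", "new.hire"]

if __name__ == "__main__":
    for uid, login in find_collisions(EXISTING_LOGINS, DIRECTORY_USERNAMES).items():
        print(f"REVIEW: directory user {uid!r} normalizes onto existing login {login!r}")
```

"Hubot" is not reported because the directory username already is the login (case aside); "mona.lisa" and "octo_cat@example.com" are reported because a different raw username reaches an existing login only through normalization, which is the shape of the bug fixed above.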

Bug Fixes

  • The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent".
  • Saving settings via the management console would append a newline to the TLS/SSL certificate and key files which triggered unnecessary reloading of some services.
  • System logs for Dependency Graph were not rotating, allowing unbounded storage growth.
  • When importing a repository with ghe-migrator, an unexpected exception could occur when inconsistent data is present.
  • When using ghe-migrator to import PR review requests, records associated with deleted users would result in extraneous database records.
  • When importing users with ghe-migrator, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters.
  • The Pull Request page could give an error if unexpected bytes were present in a data field.

Changes

  • Remove the requirement for SSH fingerprints in ghe-migrator archives, as they can always be computed.
  • GitHub App Manifests now include the request_oauth_on_install field.

Upcoming deprecation of GitHub Enterprise Server 2.19

GitHub Enterprise Server 2.19 will be deprecated as of November 12, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.23 September 23, 2020 Download

Security Fixes

  • MEDIUM: ImageMagick has been updated to address DSA-4715-1.
  • Packages have been updated to the latest security versions.

Upcoming deprecation of GitHub Enterprise Server 2.19

GitHub Enterprise Server 2.19 will be deprecated as of November 12, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.22 September 08, 2020 Download

Bug Fixes

  • A service health check caused session growth resulting in filesystem inode exhaustion.
  • Upgrading using a hotpatch could fail with an error: 'libdbi1' was not found

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.21 August 26, 2020 Download

Security Fixes

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages was not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. We have issued CVE-2020-10518.
  • MEDIUM: An improper access control vulnerability was identified that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and has been assigned CVE-2020-10517. The vulnerability was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A message was not logged when the ghe-config-apply process had finished running ghe-es-auto-expand.
  • Excessive logging to the syslog file could occur on high-availability replicas if the primary appliance is unavailable.
  • Database re-seeding on a replica could fail with an error: Got packet bigger than 'max_allowed_packet'
  • Syntax highlighting of some languages failed to render correctly.
  • In some cases duplicate user data could cause a 500 error while running the ghe-license-usage script.

Changes

  • Removed the license seat count information on the administrative SSH MOTD due to a performance issue impacting GitHub Enterprise Server clusters.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.20 August 12, 2020 Download

Bug Fixes

  • Recent changes to memory allocations could lead to a degradation in system performance.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.19 August 11, 2020 Download

Downloads Have Been Disabled

Downloads of the 2.19.19 release have been disabled as a result of a bug discovered after release. Subsequent releases in the 2.19 series include a correction for the bug.

If you have already upgraded your appliance to GitHub Enterprise 2.19.19, please contact support for assistance.

Security Fixes

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part of building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.
  • HIGH: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GitHub Enterprise Server instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • Packages have been updated to the latest security versions.
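The HIGH entry above is argument injection: an untrusted value (a ref name, a path) lands in a position where the Git sub-command still parses options, so a value beginning with "-" is read as a flag. The following Python example is added here and is not GitHub's code; it shows the safe construction: validate ref names against the rules git itself enforces (a ref may never begin with "-"), put untrusted paths after "--" so git treats them as pathspecs, and pass an argv list with no shell. The `--output=<file>` contrast illustrates how such an injection becomes a file write with partially user-controlled content; the function names and sample values are assumptions for this example, and the vulnerable sub-command on GHES is not identified in the release note.

```python
import re
import subprocess
from typing import List, Sequence

# Subset of the `git check-ref-format` rules. The one that matters for
# argument injection is the first: a ref may not begin with "-".
_BAD_REF_CHARS = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_safe_ref(ref: str) -> bool:
    if not ref or ref.startswith(("-", "/")) or ref.endswith(("/", ".", ".lock")):
        return False
    if _BAD_REF_CHARS.search(ref) or ".." in ref or "@{" in ref or "//" in ref:
        return False
    return True


def build_git_argv(subcommand: str, fixed_options: Sequence[str],
                   ref: str, paths: Sequence[str] = ()) -> List[str]:
    """argv for `git <subcommand>` where only fixed_options is trusted.
    The ref is validated; untrusted paths go after "--" so git never
    interprets them, even a path that begins with "-"."""
    if not is_safe_ref(ref):
        raise ValueError(f"refusing ref that could be parsed as an option: {ref!r}")
    for opt in fixed_options:
        if not opt.startswith("-"):
            raise ValueError("fixed_options must be literal option strings")
    argv = ["git", subcommand, *fixed_options, ref]
    if paths:
        argv += ["--", *paths]
    return argv


def run_git(repo_dir: str, argv: List[str]) -> str:
    # argv list and shell=False: each element is exactly one argument to git,
    # so quoting, globbing and "$(...)" never come into play.
    return subprocess.run(argv, cwd=repo_dir, capture_output=True,
                          text=True, check=True).stdout


def unsafe_argv_for_contrast(ref: str) -> List[str]:
    # The vulnerable pattern: an untrusted value placed where git still
    # accepts options. With ref="--output=/tmp/target", `git log` writes its
    # output to that file instead of stdout (a write of attacker-influenced
    # content to an attacker-chosen path). Shown for contrast only.
    return ["git", "log", "--oneline", ref]


if __name__ == "__main__":
    print(build_git_argv("log", ["--oneline", "-n", "5"], "main", ["README.md", "-weird-name"]))
    try:
        build_git_argv("log", ["--oneline"], "--output=/tmp/target")
    except ValueError as exc:
        print("rejected:", exc)
```

With git 2.24 or later, `--end-of-options` before the ref is a second line of defence for sub-commands that accept it; the validation above is what protects older git and any place where the ref is interpolated into something other than an argv list.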

Bug Fixes

  • The service memory allocation calculation could assign an incorrect or unbounded amount of memory to a service, resulting in poor system performance.
  • The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades.
  • GitHub Connect was using a deprecated GitHub.com API endpoint.
  • Issues could not be sorted by Recently updated on repositories migrated to a new instance.
  • The 404 page contained GitHub.com contact and status links in the footer.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.18 July 21, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • GitHub App Manifest creation flow was unusable in some scenarios when a SameSite Cookie policy was applied.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.17 July 09, 2020 Download

Security Fixes

  • MEDIUM: Updated nginx to 1.16.1 and addressed CVE-2019-20372. (updated 2020-07-22)
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Certain log files did not rotate every 7 days.
  • Rapid reuse of webhook source ports resulted in rejected connections.
  • Site Administrators could not unlock a repository more than once.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.16 June 23, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Excessively large log events could lead to log forwarding instability when UDP was used as the transport mechanism.
  • Automatic unsuspension of a user through SSO did not complete if the SSH keys attribute had keys already associated with the user's account.
  • Previewing a GitHub App description written in markdown was not properly rendered.
  • Webhooks could be triggered twice by a single commit via the web user interface.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.19.15 June 02, 2020 Download

Security Fixes

  • HIGH: An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued CVE-2020-10516 in response to this issue. The vulnerability was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Internet-facing GitHub Enterprise Server instances could be indexed by search engines.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.14 May 19, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • After the license file was updated, services were not properly reloaded causing functionality loss.
  • Internal API requests updating Dependency Graph information could fail if the response body was too large.
  • The affiliations argument to some GraphQL repository connections was not respected.
  • Automatic unsuspension of a user through SSO did not complete if the SAML email attribute had different casing than the GitHub user email.
  • Restoring the membership of a user to an organization did not record the acting user in webhook and audit log payloads.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.13 May 05, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • If a repository has the "automatically delete head branches" setting enabled, the head branch wasn't automatically deleted when a pull request was merged by a GitHub App installation.
  • When an organization member was reinstated, the webhook payload reported the ghost user as the sender and not the actual user performing the reinstatement.
  • If a repository has the "automatically delete head branches" setting enabled, the head branch wasn't automatically deleted where the head repository was different from the base repository.
  • The garbage collection of temporary files could lead to a license validation error.
  • In some situations, including when a repository is first created, the pre-receive hook would be run without a value populated for the GITHUB_REPO_PUBLIC environment variable.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.12 April 23, 2020 Download

Security Fixes

  • HIGH: OpenSSL has been updated to address CVE-2020-1967.
  • HIGH: Git has been updated to address CVE-2020-5260 and CVE-2020-11008. New restrictions prevent malicious repositories from being pushed to the server instance, protecting clients which have not yet been patched.
  • LOW: ImageMagick has been updated to address CVE-2019-10131.
  • Packages have been updated to the latest security versions.
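The Git update above also added server-side restrictions so that a repository carrying malicious URLs cannot be pushed to the instance, protecting clients that have not yet been patched. The following Python example is added here; it is neither GitHub's code nor the restriction GitHub implemented, but a check of the same kind that a pre-receive hook could run over a pushed .gitmodules: it flags submodule URLs containing a raw or percent-encoded newline (the credential-helper protocol injection of CVE-2020-5260) and URLs that have a scheme but no host (the class addressed by CVE-2020-11008). The .gitmodules content, names and URLs are constructed for this example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for .gitmodules: [submodule "name"] sections holding
    key = value lines. Enough for path/url; not a full git-config parser."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def url_problems(url: str) -> List[str]:
    problems: List[str] = []
    # Check the raw string first: urlsplit() silently strips raw CR/LF, and a
    # percent-encoded %0a only becomes a newline once a credential helper
    # sees the decoded value.
    if "\n" in unquote(url) or "\r" in unquote(url):
        problems.append("newline in URL (credential protocol injection, CVE-2020-5260 class)")
    parts = urlsplit(url)
    if parts.scheme in ("http", "https", "git", "ssh") and not parts.hostname:
        problems.append("URL has a scheme but no host (CVE-2020-11008 class)")
    return problems


def scan_gitmodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule name, url, problem) for every URL that should block the push."""
    findings: List[Tuple[str, str, str]] = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url", "")
        if not url or url.startswith(("./", "../")):
            continue  # relative submodule URLs resolve against the superproject
        for problem in url_problems(url):
            findings.append((name, url, problem))
    return findings


# Constructed sample .gitmodules for this example.
SAMPLE_GITMODULES = """\
[submodule "good"]
\tpath = vendor/good
\turl = https://git.example.com/org/good.git
[submodule "bad-newline"]
\tpath = vendor/bad
\turl = https://one.example.com?%0ahost=two.example.com/
[submodule "bad-empty-host"]
\tpath = vendor/empty
\turl = https:///org/x.git
[submodule "relative"]
\tpath = vendor/rel
\turl = ../rel.git
"""

if __name__ == "__main__":
    for name, url, problem in scan_gitmodules(SAMPLE_GITMODULES):
        print(f"REJECT submodule {name!r}: {problem}: {url}")
```

In a pre-receive hook the text would come from `git cat-file -p <new-sha>:.gitmodules` for each updated ref rather than from an embedded string; the scan itself is unchanged.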

Bug Fixes

  • A mismatch in MySQL configurations could cause backups to fail in large installations.
  • A periodic task to clean up old log files would fail and send error messages to the local root account.
  • When a GitHub Enterprise Server license contained non-ASCII characters, a GET request to the Management Console API /setup/api/settings endpoint would result in an Internal Server Error.
  • The recovery console would prompt for a root password, even if the root account was locked.
  • When using the GraphQL API to filter issues assigned to a non-existent user, the error message returned was not descriptive enough.
  • A CODEOWNERS file with a leading UTF-8 Byte Order Mark would cause all codeowner rules to be ignored.

Changes

  • When an external identity provider controlled user's site administrator status, users could not be demoted via the command line utility.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.11 April 07, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The hotpatch mechanism did not properly handle the case where extracted patch contents were no longer present on the filesystem.
  • A maximum Git object size of 100MB option could not be selected for a repository when the global enterprise account had a Git object size option other than 100MB set.
  • Results from the Issues and Pull Requests API could have inconsistent behaviour when ordering by the updated_at field.
  • The SecurityVulnerability package field could not be queried via the GraphQL API.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.10 March 25, 2020 Download

Bug Fixes

  • SAML Authentication requests and Metadata were not strictly encoded, causing some Identity Providers to not correctly process Service Provider initiated Authentication requests.
  • When using GitHub Connect, the GHES license sync process sent information that was not required.
  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.9 March 10, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In some cases the forwarded log entries, mainly for audit.log, were getting truncated.
  • The ghe-license-check command-line utility returned an "Invalid license file" error for some valid licenses, causing configuration changes to fail.
  • Alambic exception logs were not forwarded by syslog.
  • The org_block event is not available on GitHub Enterprise Server but was appearing as an option for GitHub Apps.
  • GraphQL query responses sometimes returned unmatched node identifiers for ProtectedBranch objects.
  • The GitHub App credential used by GitHub Connect failed to refresh immediately after expiry.
  • Leaving a comment in reply to a pull request comment was intermittently creating a pending pull request review.
  • Using ghe-migrator or exporting from GitHub.com, an export would silently fail to export non-image attachments.
  • Pre-receive hook returned 500 error on web UI when UTF-8 characters were encountered.

Changes

  • The ghe-license-usage command-line utility includes a new --unencrypted option to provide visibility into the exported license usage file.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.8 February 27, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Restore from backups would fail with an Invalid RDB version number error.
  • Upgrading an HA replica would stall indefinitely waiting for MySQL to start.
  • Importing teams from external sources failed when there were spaces in the team name.
  • PR review comments with unexpected values for "position" or "original_position" caused imports to fail.
  • Project hovercards were not properly displayed.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.7 February 11, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The Dependency Graph for Python repositories failed to update.
  • The GITHUB_REPO_PUBLIC environment variable passed to pre-receive hooks could be empty.

Changes

  • Background queues were re-prioritized to increase performance in large environments.
  • Improved formatting of the example output of blocked Subversion access on the Admin Center repository Subversion management page.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.6 January 28, 2020 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Obtaining a Let's Encrypt certificate via Enterprise Manage would fail to install the certificate.
  • Support bundle generation wasn't possible when consul was unavailable.
  • Service startup wouldn't wait for MySQL database to accept connections.
  • GitHub Apps acting on behalf of a user could not list a repository's forks via the REST API.
  • GitHub Connect code search presented the user with an error instead of search results.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.5 January 15, 2020 Download

Security Fixes

Bug Fixes

  • The root disk utilization graph in the Management Console was missing on AWS Nitro instance types.
  • The Alambic storage service could hit a file descriptor limit that could cause the kernel to hang and other services to log errors.
  • Importing teams that contained nested teams with secret visibility could fail. Nested teams will now be imported as top-level teams if they are imported as children of a team with secret visibility.
  • When a repository was locked, users could still directly visit pull request URLs and modify the reviewers.
  • A team created via the API V3 would not automatically add its creator as a maintainer, which caused it to be inaccessible to that person.
  • A GitHub App with the proper set of permissions was not able to create teams with LDAP.
  • The DNS resolution for GitHub Connect could timeout.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.4 December 17, 2019

Security Fixes

  • MEDIUM: An attacker could push a malicious GitHub Pages branch with overlapping submodule names, possibly leading to remote code execution within the GitHub Pages build container. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. CVE-2019-1387
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Unknown locales were generating errors when running commands in the administrative shell.
  • ghe-config-check was returning validation errors for github-ssl.acme.ca-conf and syslog.cert.
  • The Let's Encrypt certificate registration feature consistently failed following an update to the external API.
  • Upgrades could fail due to a missing SQL table.
  • Commit objects could be lost in some cases if an update of a replica failed and a repair operation was then run.
  • Commit messages containing links were not clickable or properly rendered in blame view.
  • When importing review comments that were created using old versions of GHES, some comments would fail to import due to corrupt diffs.
  • The audit log did not include some entries when protected branch settings were changed.

Changes

  • Increase autolink reference limit to 50.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.3 December 03, 2019

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Graphs for some metrics in the Management Console 'Monitor' page displayed data in the reverse of the expected order.
  • Site Admin users could encounter timeouts when attempting to impersonate accounts that were members of a large number of Organizations.
  • Backups of GitHub Enterprise Server clusters could intermittently fail due to duplicated Gist repository references.
  • Transient, non-fatal errors returned from external LDAP servers during team synchronization operations could cause the incorrect removal of team members.
  • GitHub Apps were unable to modify GitHub Team memberships via the API.
  • GraphQL queries that referenced Organizations could run slowly and occasionally time out on a GitHub Enterprise Server instance that contained a large number of Organizations.
  • Inviting users to a team could time out if the invitees weren't already members of that team's Organization.

Changes

  • Background job queues have been re-ordered to reduce the chances of user-visible jobs being delayed on very busy instances.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • The Let's Encrypt certificate registration feature consistently fails following an update to the external API.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.2 November 20, 2019

Security Fixes

  • HIGH: The legacy avatar upgrade functionality contained a Server-Side Request Forgery (SSRF) vulnerability when fetching image content from third-party avatar services. This could allow an attacker to make GET requests to internal services reachable from the GitHub Enterprise deployment.

Bug Fixes

  • Storage objects were incorrectly deleted from non-voting replicas, potentially leading to data loss on replica promotion.
  • Unsubscribe email notification language was inconsistent with the language used in the web interface.
  • Team membership information could be destroyed during an upgrade from GHES 2.17.
  • The related issues feature was incorrectly included in the release.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • The Let's Encrypt certificate registration feature consistently fails following an update to the external API.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.1 November 15, 2019

Due to a database migration error, we have disabled access to the 2.19.1 images. This error will be resolved in the next patch release.

Security Fixes

  • LOW: The script-src: 'unsafe-inline' CSP header was applied to all paths for Enterprise Manager.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Promoting a replica in an active HA environment could fail to properly apply configuration changes and remove a pre-flight check holding page.
  • In certain cluster configurations, background jobs are unable to communicate with local storage services.
  • Upgrading from 2.17 to 2.19 could fail with a database migration error.

Changes

  • The Google Accounts Daemon and google_set_hostname DHCP hook are now disabled on Google Cloud Platform images.
  • GitHub Enterprise Server is now available in the eu-north-1 AWS region.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • The Let's Encrypt certificate registration feature consistently fails following an update to the external API.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.19.0 November 12, 2019

Due to a database migration error, we have disabled access to the 2.19.0 images. This error will be resolved in the next patch release.

Features

  • Organization and repository administrators can assign the triage and maintain roles to users and teams.
  • When an issue is referenced with a closing keyword in a pull request description, the referenced issue will now surface the relevant pull request information in its header.
  • The dependency graph supports .vcxproj and .fsproj files that list NuGet dependencies in their PackageReference section.
  • The WebAuthn standard is supported for authentication.
  • Users can change the project board columns of issues directly from the issue sidebar.
  • GitHub Pages supports adding a remote theme using Jekyll.
  • Administrators can utilize the Audit Log GraphQL API.
  • The dependency graph supports scoped npm packages.
  • Repositories can be set to delete the head branch of a pull request once it has merged into the base branch.
  • Enterprise accounts can be managed using the GraphQL API.
  • Enterprise accounts can issue their members SSH certificates to access repositories over Git.
  • Administrators can enable autolink references on repositories. (updated 2019-11-13)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Team maintainers could not add child teams to their teams if "Allow members to create teams" was disabled.
  • Pull request authors with read permissions could not re-request reviews.
  • A label could be shown as removed from a pull request that it was never added to.

Changes

  • The web notification retention policy has been increased to 5 months for all notification types.
  • The ghe-repl-status command shows more granular status information for consul replication.
  • Audit log data is now stored in Elasticsearch instead of MySQL.
  • Users will only be able to see the Secret teams they are part of in the list of teams.
  • Users will be listed as owners of the organizations they own when logged in.
  • Pull requests are shown under Recent Activity when they've recently been reviewed.

Backups and Disaster Recovery

GitHub Enterprise Server 2.19 requires at least GitHub Enterprise Backup Utilities 2.19.0 for Backups and Disaster Recovery.

Upcoming Deprecation of GitHub Enterprise Server 2.16

GitHub Enterprise Server 2.16 will be deprecated as of January 22, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Upcoming Deprecation of Adding New SSH-DSS Keys

The ability to add new SSH-DSS keys will be removed in GitHub Enterprise Server 2.20.0.

Upcoming Deprecation of the Legacy Gravatar Service

Support for using an external service for Avatars was deprecated in GitHub Enterprise Server 2.1.0. At the time, functionality was implemented to copy avatars from the external service to the GitHub Enterprise Server and the configuration options remained in Enterprise Manage for instances configured with an external service prior to the deprecation. This functionality and configuration will be removed from GitHub Enterprise Server 2.20.0.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • The Let's Encrypt certificate registration feature consistently fails following an update to the external API.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team