rbenv, used by many components of GitHub Enterprise, have been tightened.
GitHub Enterprise 2.2 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Thanks!
The GitHub Team
Several vulnerabilities in ImageMagick, a package commonly used by web services to process images, have been discovered and disclosed by members of the Mail.ru Security team. One of the vulnerabilities is critical and can lead to remote code execution when processing user-submitted images.
Final patches for all the disclosed vulnerabilities within ImageMagick are still pending. This release mitigates the remote code execution vulnerability by implementing the recommended policy to disable the vulnerable ImageMagick coders.
This vulnerability exists in ImageMagick but there is no evidence that it has been exploited on GitHub Enterprise.
We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
Mitigation
If you can't immediately upgrade, the issue can be mitigated by implementing the policy changes as follows:
SSH to your GitHub Enterprise appliance.
Edit the /etc/ImageMagick/policy.xml file:
sudo vi /etc/ImageMagick/policy.xml
Disable the vulnerable coders by replacing the <policymap> section with:
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="URL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
</policymap>
There is no need to reboot or restart any services; the changes will take effect immediately.
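As an added check that is not part of the release notes, the following Python parses a policy.xml and reports which of the five coders listed above still lack a domain="coder" rights="none" entry. The two sample policies are constructed; the default path in check_policy_file is the appliance path given in the steps above.

```python
import xml.etree.ElementTree as ET

# Coders the mitigation disables (taken from the policy block above).
VULNERABLE_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def undenied_coders(policy_xml):
    """Return the vulnerable coders that have no <policy domain="coder" rights="none"> entry."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("not a policymap document: <%s>" % root.tag)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == "coder" and policy.get("rights") == "none":
            denied.add(policy.get("pattern", ""))
    return [coder for coder in VULNERABLE_CODERS if coder not in denied]


def check_policy_file(path="/etc/ImageMagick/policy.xml"):
    """Read the appliance's policy file and report which coders are still allowed."""
    with open(path) as fh:
        return undenied_coders(fh.read())


# Constructed samples: a policy with only resource limits and no coder
# rules, and the same file after the mitigation above has been applied.
UNPATCHED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

PATCHED = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

if __name__ == "__main__":
    print("still allowed:", undenied_coders(UNPATCHED))  # all five coders
    print("still allowed:", undenied_coders(PATCHED))    # []
```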
Please contact GitHub Enterprise Support if you have any questions.
_gh_render cookie, potentially allowing the render cookie to be sent in plaintext HTTP requests. However, Enterprise sets the Strict-Transport-Security header for modern browsers when SSL is enabled, which largely mitigates the issue.
ca-certificates package has been updated to remove outdated certificate authority (CA) certificates. This update refreshes the included certificates and removes the SPI CA and CA certificates with 1024-bit RSA keys.
glibc packages have been updated to address CVE-2015-7547, a getaddrinfo stack-based buffer overflow.
libssh packages have been updated to address CVE-2016-0739, a weakness in Diffie-Hellman secret key generation.
nss packages have been updated to address CVE-2016-1938.
Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
Enqueued background jobs are sometimes not purged when a repository is deleted.
Organization invitation emails are sent from the configured support email address rather than the no-reply address.
We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.
Management console sessions can expire too quickly for Safari users.
Gist repositories are not garbage collected by the maintenance scheduler.
Gist profile pages don't have proper styling when subdomain isolation is disabled.
Custom firewall rules aren't maintained during an upgrade.
Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Jobs stuck on code indexing can delay other jobs from running.
Replication setup fails for IPv6 hosts.
The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
Gists can't be created when using Safari 8.x in Private Mode.
Deleting a user doesn't delete their gists, which can cause problems with replication.
In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.
We incorrectly redirect to the dashboard if you access GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.
Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.
Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
HIGH (CVE-2015-7547) 2.2 is vulnerable to glibc getaddrinfo stack-based buffer overflow. To manually patch your appliance, apply the hotfix by connecting to your appliance via SSH and running these commands: (updated 2016-02-17)
$ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-precise.hpkg
$ md5sum github-enterprise-libc-precise.hpkg # c068256696f2775579e2cd8223f82306
$ chmod +x github-enterprise-libc-precise.hpkg
$ ./github-enterprise-libc-precise.hpkg
An issue has been identified that could allow an attacker to execute arbitrary commands on a user’s computer if they had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. However, this file also allowed arbitrary Git configuration options to be modified. We have addressed the vulnerability by restricting the per-repository Git LFS configuration options that can be set to an allowlist of safe options.
GitHub Enterprise is not directly affected as this is a client-side vulnerability and Git LFS is disabled on GitHub Enterprise by default. If you have enabled Git LFS on your appliance, we recommend you upgrade your clients to Git LFS 1.0.1 or later to address this vulnerability.
ghe-upgrade would fail with a GPG signature error if run as the root user.
.mediawiki suffix could leak information to the Google Chart API when they were displayed.
longpoll service, which provides live updates to Issues and Pull Requests pages, didn't restart properly if it was terminated.
ghe-storage-extend command, which resizes the storage volume, could fail with a Volume group name ghe_storage_* has invalid characters error under some circumstances.
longpoll process, which handles live updates to issues, to the ghe-service-list output.
Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
Enqueued background jobs are sometimes not purged when a repository is deleted.
Organization invitation emails are sent from the configured support email address rather than the no-reply address.
We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.
Management console sessions can expire too quickly for Safari users.
Gist repositories are not garbage collected by the maintenance scheduler.
Gist profile pages don't have proper styling when subdomain isolation is disabled.
Custom firewall rules aren't maintained during an upgrade.
Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Jobs stuck on code indexing can delay other jobs from running.
Replication setup fails for IPv6 hosts.
The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
Gists can't be created when using Safari 8.x in Private Mode.
Deleting a user doesn't delete their gists, which can cause problems with replication.
In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.
We incorrectly redirect to the dashboard if you access GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.
Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.
Using uppercase characters in the hostname causes a redirect loop.
When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed. (updated 2015-08-13)
Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)
Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)
github_audit and haproxy log streams were being logged twice.
Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
Enqueued background jobs are sometimes not purged when a repository is deleted.
Organization invitation emails are sent from the configured support email address rather than the no-reply address.
We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.
Management console sessions can expire too quickly for Safari users.
Gist repositories are not garbage collected by the maintenance scheduler.
Gist profile pages don't have proper styling when subdomain isolation is disabled.
Custom firewall rules aren't maintained during an upgrade.
Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Jobs stuck on code indexing can delay other jobs from running.
Replication setup fails for IPv6 hosts.
The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
The site admin shows errors in the 'repo reflogs' section, which isn't fully implemented on GitHub Enterprise.
Gists can't be created when using Safari 8.x in Private Mode.
Deleting a user doesn't delete their gists, which can cause problems with replication.
In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.
We incorrectly redirect to the dashboard if you access GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.
Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.
Services fail to start properly after upgrading to this release if SSL is disabled. (updated 2015-07-20)
Using uppercase characters in the hostname causes a redirect loop. (updated 2015-07-28)
When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed. (updated 2015-08-13)
Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)
Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)
ghe-resque-info script incorrectly showed all background job queues as empty.
KeyInfo element with no signing certificate in the AuthnRequest response, which caused errors for some identity providers. We don't include the optional KeyInfo element at all now.
github_audit log stream were being logged twice.
ghe-resque-info script incorrectly shows all background job queues as empty. (updated 2015-06-16)
ghe-set-password failed.
Ubuntu kernel and packages have been updated to the latest security versions.
LOW: Update libssh to address denial of service vulnerabilities CVE-2014-8132 and CVE-2015-3145.
Changing the repository storage layout has been improved significantly in this release, cutting down the migration time from hours to minutes. If your instance contains more than 20,000 repositories (including gists and wikis) you can now upgrade to 2.2.2.
Please refer to the "Repository storage changes" section of the 2.2.0 release notes for further advice on upgrading.
We've improved the validation of the SAML responses we receive. A response message must now contain a Recipient set to the Assertion Consumer Service URL, http(s)://[hostname]/saml/consume.
In addition to the Recipient attribute, GitHub Enterprise will now also verify the Destination and Audience attributes, if they are supplied in the response message.
Most SAML implementations already provide this information in their responses.
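The following is an added illustration of the three checks described above, written for this page and not GitHub Enterprise's own code. It treats Recipient as mandatory and equal to the ACS URL, and checks Destination and Audience only when present; it assumes Destination should also equal the ACS URL and that the expected Audience is the SP entity ID registered with the IdP. The sample response is constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_response_problems(xml_text, acs_url, expected_audience):
    """Return validation failures for the three attributes; [] means all consistent.
    Only these attributes are checked: signature verification is a separate step."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]
    problems = []

    # Destination is optional, but when present it must name our ACS URL
    # (assumption: the same URL the Recipient must carry).
    destination = root.get("Destination")
    if destination is not None and destination != acs_url:
        problems.append("Destination %r != ACS URL %r" % (destination, acs_url))

    # Recipient is mandatory and must equal the ACS URL.
    confirmations = root.findall(".//saml:SubjectConfirmationData", NS)
    if not confirmations:
        problems.append("no SubjectConfirmationData, so no Recipient")
    for scd in confirmations:
        recipient = scd.get("Recipient")
        if recipient != acs_url:
            problems.append("Recipient %r != ACS URL %r" % (recipient, acs_url))

    # Audience is optional; when present it must be the value this SP
    # expects (assumption: the SP entity ID registered with the IdP).
    for aud in root.findall(".//saml:AudienceRestriction/saml:Audience", NS):
        if (aud.text or "").strip() != expected_audience:
            problems.append("Audience %r != expected %r" % (aud.text, expected_audience))
    return problems


# Constructed, unsigned sample used only to exercise the checks.
ACS = "https://ghe.example.com/saml/consume"
ENTITY_ID = "https://ghe.example.com"
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2015-05-01T00:00:00Z" Destination="%s">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-05-01T00:00:00Z">
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="%s"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>%s</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(destination=ACS, recipient=ACS, audience=ENTITY_ID):
    """Build a response whose attributes can be varied to show each failure."""
    return TEMPLATE % (destination, recipient, audience)
```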
github_audit log stream are being logged twice.
ghe-set-password fails. (updated 2015-05-19)
With the new features added in GitHub Enterprise 2.2.0, you can:
site/stats API endpoint has been removed.
ghe-btop command line utility incorrectly dropped --help and --usage flags.
content-type header set correctly in Pages.
ghe-repl-setup to hang.
This release changes the way GitHub Enterprise stores repositories, which reduces disk usage by sharing Git objects between forks and improves caching performance when reading repository data. This is a major change, and has some implications you need to be aware of.
Changing the repository storage layout can take several hours if your instance contains many repositories. We're working on making this faster so if your instance contains more than 20,000 repositories (including gists and wikis) we do not recommend upgrading to GitHub Enterprise 2.2 until further notice. Everyone should now upgrade to GitHub Enterprise 2.2.2 or later, as the migration process has been made significantly faster.
You can check how many repositories you have using the Admin Stats API. For example, you can SSH into the VM and run the following command, then add together "total_repos", "total_wikis", and "total_gists":
curl -s http://127.0.0.1:1337/api/v3/enterprise/stats/all
As a precaution, before your upgrade you should take a backup-utils snapshot after putting the instance in maintenance mode. We also recommend taking a disk snapshot of the user data volume.
The upgrade process takes care of moving repository data from the existing storage layout to the new storage layout. If you have a large amount of repository data moving the data can take some time, so we recommend that you test the upgrade on a staging instance first. You can use the test upgrade to make an estimate of how long of a maintenance window you'll need for your production instance.
After upgrading, you may notice a large number of background jobs being processed. Each job is optimizing a repository for the new storage layout, but uses a high nice value, so should have minimal impact on performance. The jobs will be enqueued in the maint_localhost jobs queue, which may have a large backlog, but it's a dedicated queue and won't block other jobs from completing.
For compatibility with the new repository layout, you need to upgrade backup-utils to version 2.2.
The first update taken after you upgrade will be a full backup rather than an incremental backup. This means it will take more disk space and more time to complete. Subsequent backups will be incremental again.
Some customers routinely ran Git garbage collection on their repositories. The existing repository layout maps nicely to what you can see in the user interface, so you could easily find a repository on disk at /data/repositories/[owner]/[repository].git. This is no longer the case with the new repository layout, but it does let us be smarter about running garbage collection, so running it manually shouldn't be necessary.
So that they could be restored if necessary, deleted repositories were previously moved to the /data/repositories/__purgatory__ directory. This special area for archived repositories is no longer needed or used. Repositories are kept in their normal location until purged three months after being archived.
Please contact Enterprise Support if you have any questions about this change.
Due to the invasive changes in the repository disk layout in GitHub Enterprise 2.2, we strongly recommend reading the upgrade guide prior to upgrading your virtual machine. This provides information about using snapshots and rolling back to a pre-upgrade state in the event an upgrade fails or is interrupted.
User authentication via GitHub OAuth is being deprecated and will be removed in a future feature release. It will be removed no sooner than November 2015.
GitHub Enterprise includes support for authenticating users via OAuth to accounts on GitHub.com because it provides a simple way to set up external authentication. However, after speaking with many customers, we've found that organizations commonly have other sources they want to use to automate identity and access management.
We want to focus on features that best meet the needs of our users, so we're planning to remove support for GitHub OAuth in a future feature release and focus on making ongoing improvements to other authentication methods like SAML and LDAP.
Note that this change will only affect user authentication via GitHub.com and not personal access tokens or OAuth applications added to your GitHub Enterprise instance.
= character from new and current administrative SSH keys when adding or removing keys. This will cause administrative SSH access to the instance to fail for those keys.
ghe-set-password fails. (updated 2015-05-19)