GitHub Enterprise 2.20.19 October 20, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The enterprise account "Confirm two-factor requirement policy" messaging was incorrect.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.20.18 October 09, 2020

Security Fixes

  • A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent".
  • Saving settings via the management console would append a newline to the TLS/SSL certificate and key files which triggered unnecessary reloading of some services.
  • System logs for Dependency Graph were not rotating, allowing unbounded storage growth.
  • Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of GitHub.com, directing the user to a nonexistent URL.
  • When importing a repository with ghe-migrator, an unexpected exception could occur when inconsistent data is present.
  • When using ghe-migrator to import PR review requests, records associated with deleted users would result in extraneous database records.
  • When importing users with ghe-migrator, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters.
  • Logging webhook activity could use large amounts of disk space and cause the root disk to become full.

Changes

  • Support is added for the AWS EC2 instance type m5.16xlarge.
  • Remove the requirement for SSH fingerprints in ghe-migrator archives as it can always be computed.
  • GitHub App Manifests now include the request_oauth_on_install field.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.17 September 23, 2020

Security Fixes

  • MEDIUM: ImageMagick has been updated to address DSA-4715-1.
  • Packages have been updated to the latest security versions.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.16 September 08, 2020

Bug Fixes

  • A service health check caused session growth resulting in filesystem inode exhaustion.
  • Upgrading using a hotpatch could fail with an error: 'libdbi1' was not found

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.15 August 26, 2020

Security Fixes

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages was not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. We have issued CVE-2020-10518.
  • MEDIUM: An improper access control vulnerability was identified that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and has been assigned CVE-2020-10517. The vulnerability was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A message was not logged when the ghe-config-apply process had finished running ghe-es-auto-expand.
  • Excessive logging to the syslog file could occur on high-availability replicas if the primary appliance is unavailable.
  • Database re-seeding on a replica could fail with an error: Got packet bigger than 'max_allowed_packet'
  • In some cases duplicate user data could cause a 500 error while running the ghe-license-usage script.

Changes

  • In a high availability or geo-replication configuration, replica instances would exit maintenance mode when ghe-config-apply ran.
  • We've added support for the R5a and R5n AWS instance types.
  • Removed the license seat count information on the administrative SSH MOTD due to a performance issue impacting GitHub Enterprise Server clusters.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.14 August 12, 2020

Bug Fixes

  • Resolved an issue that could lead to high CPU usage while generating system configuration templates.
  • Recent changes to memory allocations could lead to a degradation in system performance.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.13 August 11, 2020

Downloads Have Been Disabled

Downloads of the 2.20.13 release have been disabled as a result of a bug discovered after release. Subsequent releases in the 2.20 series include a correction for the bug.

If you have already upgraded your appliance to GitHub Enterprise 2.20.13, please contact support for assistance.

Security Fixes

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part of building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.
  • HIGH: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GitHub Enterprise Server instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A Consul configuration error prevented some background jobs from being processed on standalone instances.
  • The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance.
  • The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades.
  • The error message for invalid authentication with a password via Git command line didn't populate the URL linking to adding the appropriate token or SSH key.
  • GitHub Connect was using a deprecated GitHub.com API endpoint.
  • Issues could not be sorted by Recently updated on repositories migrated to a new instance.
  • The 404 page contained GitHub.com contact and status links in the footer.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.12 July 21, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The Management Console monitor graphs would sometimes not display correctly on larger screens.
  • GitHub App Manifest creation flow was unusable in some scenarios when a SameSite Cookie policy was applied.

Changes

  • Improvements to HAProxy scaling.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.11 July 09, 2020

Security Fixes

  • MEDIUM: Updated nginx to 1.16.1 and addressed CVE-2019-20372. (updated 2020-07-22)
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Dependency graph was not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes.
  • Certain log files did not rotate every 7 days.
  • Rapid reuse of webhook source ports resulted in rejected connections.
  • Incorrect background jobs could attempt to run on instances configured as passive replicas.
  • Internal repositories were not correctly included in search results for SAML-enabled orgs.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

GitHub Enterprise 2.20.10 June 23, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Excessively large log events could lead to log forwarding instability when UDP was used as the transport mechanism.
  • Automatic unsuspension of a user through SSO did not complete if the SSH keys attribute had keys already associated with the user's account.
  • The repository permission hash from the REST API indicated no access for business members who have pull access to internal repositories.
  • The preview of a GitHub App description written in Markdown was not rendered properly.
  • The audit log did not include branch protection change events.
  • Trying to assign code review to a member of an empty team would result in a '500 Internal Server Error'.
  • Code review assignment using the load balancing algorithm could repeatedly assign to the same team member.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.9 June 02, 2020

Security Fixes

  • HIGH: An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued CVE-2020-10516 in response to this issue. The vulnerability was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Internet-facing GitHub Enterprise Server instances could be indexed by search engines.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.8 May 19, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • After the license file was updated, services were not properly reloaded causing functionality loss.
  • Internal API requests updating Dependency Graph information could fail if the response body was too large.
  • The affiliations argument to some GraphQL repository connections was not respected.
  • Automatic unsuspension of a user through SSO did not complete if the SAML email attribute had different casing than the GitHub user email.
  • Restoring the membership of a user to an organization did not instrument the actor in webhook and audit log payloads.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.7 May 05, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • ghe-repl-start and ghe-repl-status displayed syntax errors.
  • If a repository had the "automatically delete head branches" setting enabled, the head branch wasn't automatically deleted when a pull request was merged by a GitHub App installation.
  • When an organization member was reinstated, the webhook payload reported the ghost user as the sender and not the actual user performing the reinstatement.
  • If a repository had the "automatically delete head branches" setting enabled, the head branch wasn't automatically deleted when the head repository was different from the base repository.
  • The garbage collection of temporary files could lead to a license validation error.
  • In some situations, including when a repository is first created, the pre-receive hook would be run without a value populated for the GITHUB_REPO_PUBLIC environment variable.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.6 April 23, 2020

Security Fixes

  • HIGH: OpenSSL has been updated to address CVE-2020-1967.
  • HIGH: Git has been updated to address CVE-2020-5260 and CVE-2020-11008. New restrictions prevent malicious repositories from being pushed to the server instance, protecting clients which have not yet been patched.
  • LOW: ImageMagick has been updated to address CVE-2019-10131.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The git user lacked permissions to invoke the processes required to convert existing repositories using Subversion, from the v4 format to v3 LRS.
  • A mismatch in MySQL configurations could cause backups to fail in large installations.
  • When upgrading from previous versions, background job workers would sometimes not spawn, preventing essential features such as merging pull requests.
  • When a GitHub Enterprise Server license contained non-ASCII characters, a GET request to the Management Console's API /setup/api/settings endpoint would result in an Internal Server Error.
  • The recovery console would prompt for a root password, even if the root account was locked.
  • A CODEOWNERS file with a leading UTF-8 Byte Order Mark would cause all codeowner rules to be ignored.

Changes

  • When the orchestrator-client cron job failed, multiple emails would be sent to the root account.
  • When an external identity provider controlled a user's site administrator status, users could not be demoted via the command line utility.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.5 April 07, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • A maximum Git object size of 100MB option could not be selected for a repository when the global enterprise account had a Git object size option other than 100MB set.
  • Results from the Issues and Pull Requests API could have inconsistent behaviour when ordering by the updated_at field.
  • The SecurityVulnerability package field could not be queried via the GraphQL API.
  • Changing a repository from public to internal displayed an irrelevant billing message.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.4 March 25, 2020

Bug Fixes

  • SAML Authentication requests and Metadata were not strictly encoded, causing some Identity Providers to not correctly process Service Provider initiated Authentication requests.
  • ghe-migrator exports did not contain milestone users, which could break import operations.
  • When pushing to a Gist, an exception could be triggered during the post-receive hook.
  • ghe-repl-status could fail when trying to display repositories that were not fully replicated.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.3 March 12, 2020

Bug Fixes

  • Upgrades and settings updates would fail if background worker configurations had been customised.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.2 March 10, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In some cases, forwarded log entries, mainly for audit.log, were truncated.
  • The ghe-license-check command-line utility returned an "Invalid license file" error for some valid licenses, causing configuration changes to fail.
  • Alambic exception logs were not forwarded by syslog.
  • The org_block event is not available but was appearing for GitHub Apps on GitHub Enterprise Server.
  • GraphQL query responses sometimes returned unmatched node identifiers for ProtectedBranch objects.
  • The GitHub App credential used by GitHub Connect failed to refresh immediately after expiry.
  • Leaving a comment in reply to a pull request comment was intermittently creating a pending pull request review.
  • Using ghe-migrator or exporting from GitHub.com, an export would silently fail to export non-image attachments.
  • Pre-receive hook returned 500 error on web UI when UTF-8 characters were encountered.

Changes

  • The ghe-license-usage command-line utility includes a new --unencrypted option to provide visibility into the exported license usage file.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • Upgrades and settings updates will fail if background worker configurations have been customised.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

GitHub Enterprise 2.20.1 February 27, 2020

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Restore from backups would fail with an Invalid RDB version number error.
  • Upgrading an HA replica would stall indefinitely waiting for MySQL to start.
  • PR review comments with unexpected values for "position" or "original_position" caused imports to fail.
  • Duplicate webhook entries in the database could cause upgrades from previous versions to fail.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • Upgrades and settings updates will fail if background worker configurations have been customised.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Thanks!

The GitHub Team

GitHub Enterprise 2.20.0 February 11, 2020 Download

Features

  • On a repository branch, repository administrators can reject any push that contains a merge commit by enabling Require linear history using branch protection rules.
  • Repository administrators can grant all users with push access the ability to force-push to a protected branch by enabling Allow force pushes using branch protection rules.
  • Repository administrators can grant all users with push access the ability to delete a protected branch by enabling Allow deletions using branch protection rules.
  • Administrators can set a maxobjectsize limit on repositories, limiting the size of push commits to a repository that are not in Git LFS.
  • Organization owners can create a set of default labels when creating a new repository.

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • When a member of an organization tried to view a public repository in that organization, an SSO prompt could break the page display.
  • When viewing a user's profile, the links to that user's teams could be broken.
  • Users with the maintain role were unable to edit repository topics.
  • A user who isn't an administrator for an organization would receive a 500 error when attempting to access the sign up page.
  • The edit history popup would not display on gist comments.
  • A new account could be registered with an email that was already registered.
  • A storage service was hitting a file descriptor limit, causing the kernel to hang and other services to log errors.
  • When an autolink reference was part of a URL, the hyperlink could be removed.
  • When adding a comment to a pull request, the Linked Issues section from the sidebar could disappear.
  • When editing an existing organization invitation for a user, a duplicate header could appear on the Teams table.
  • The resqued service could stop logging events when the queues became too large.
  • Self-signed certificates are not automatically generated when running the ghe-config-apply command for cluster and high-availability configurations.

Changes

  • No logo will be displayed for a topic if one has not been uploaded.
  • When viewing an issue on a mobile browser, the issue metadata is listed at the top of the page.
  • Consul's top-level domain has changed from ".consul" to ".ghe.local".
  • The hookshot service no longer relies on ElasticSearch and only uses MySQL as a database store.
  • Improved visual distinction between issue, project and discussion has been implemented on project note cards.
  • On a pull request review, a notice is displayed if a multi-line comment is truncated.
  • Users can view their audit log on the Security Log tab of their personal settings page.

Internal Visibility in GitHub Enterprise Server

On May 23, 2019 GitHub launched internal visibility for repositories within a GitHub Enterprise Cloud account, making it easier to innersource code and projects to organization members while restricting access to outside collaborators. Our goal, starting with GitHub Enterprise Server 2.20, is to unify the repository visibility experience between GitHub Enterprise Cloud and GitHub Enterprise Server.

In this release, administrators may run an optional migration script to convert all public repositories into internal repositories. When this migration is run with private mode enabled, administrators should expect the following changes:

  • All organization public repositories become internal repositories
  • All user public repositories become private
  • Forks of public repositories become private forks (fork network maintained)
  • Creation of public repositories will be disabled (can be re-enabled)

This migration is optional at this time to allow customers to test these changes on a non-production instance. This migration will become mandatory in a later release. For more information, please contact GitHub Enterprise Support.

Backups and Disaster Recovery

GitHub Enterprise Server 2.20 requires at least GitHub Enterprise Backup Utilities 2.20.0 for Backups and Disaster Recovery.

Upcoming Deprecation of GitHub Enterprise Server 2.17

GitHub Enterprise Server 2.17 will be deprecated as of May 23, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Deprecation of Adding New SSH-DSS Keys

The addition of new SSH-DSS keys is removed in GitHub Enterprise Server 2.20.0.

Deprecation of the Legacy Gravatar Service

Support for using an external service for Avatars was deprecated in GitHub Enterprise Server 2.1.0. At the time, functionality was implemented to copy avatars from the external service to the GitHub Enterprise Server, and the configuration options remained in Enterprise Manage for instances configured with an external service prior to the deprecation. This functionality and configuration are removed from GitHub Enterprise Server 2.20.0.

Deprecation of API Password-based HTTP basic authentication

Password-based HTTP basic authentication to the GitHub API is deprecated and will be removed in an upcoming release of GitHub Enterprise Server.

You will no longer be able to use password-based HTTP basic authentication for the few endpoints on GitHub Enterprise Server that previously supported it. The affected endpoints include Atom feeds, a legacy repository archive endpoint, and a GitHub Enterprise only "stafftools reports" endpoint. This functionality will continue to work with personal access tokens. (updated 2020-02-28)

Removal of GitHub Services

Starting with GitHub Enterprise Server 2.17.0, support for GitHub Services was deprecated and administrators were not able to install or configure new GitHub Services. GitHub Services support is removed entirely in GitHub Enterprise Server 2.20.0 and existing services will no longer function. (updated 2020-04-07)

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • Duplicate webhook entries in the database can cause upgrades from previous versions to fail. (updated 2020-02-26)
  • Upgrades and settings updates will fail if background worker configurations have been customised.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Thanks!

The GitHub Team