GitHub Enterprise 2.21.9 (October 09, 2020)

Security Fixes

  • A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account.
  • Packages have been updated to the latest security versions.
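As an added example (not GitHub's code), the following pre-flight audit approximates the documented GHES login normalization (part before "@", lowercased, non-alphanumeric runs collapsed to a dash, leading/trailing dashes dropped; these rules are an assumption here) and flags directory usernames that would map onto an existing GHES login or onto each other, so an administrator can resolve them before enabling LDAP:

```python
import re
from collections import defaultdict

# Constructed sample data: directory usernames as they appear in LDAP and the
# logins that already exist locally on the GHES appliance.
DIRECTORY_USERNAMES = ["alice.smith", "alice_smith", "bob@corp.example", "carol"]
EXISTING_LOGINS = ["alice-smith", "dave"]


def normalize_login(directory_username: str) -> str:
    """Approximate GHES login normalization (assumed rules, see lead-in)."""
    # If the username looks like an email address, only the local part is used.
    name = directory_username.split("@", 1)[0].lower()
    # Any run of characters outside [a-z0-9] becomes a single dash.
    name = re.sub(r"[^a-z0-9]+", "-", name)
    # Leading and trailing dashes are removed.
    return name.strip("-")


def audit_collisions(directory_usernames, existing_logins):
    """Group directory usernames by the login they would normalize to.

    Returns two dicts keyed by normalized login:
      - directory collisions: two or more directory usernames sharing one login
      - existing collisions: a normalized login equal to an already existing
        GHES account login (the condition behind the 2.21.9 security fix)
    """
    by_login = defaultdict(list)
    for username in directory_usernames:
        by_login[normalize_login(username)].append(username)

    existing = {login.lower() for login in existing_logins}
    directory_collisions = {k: v for k, v in by_login.items() if len(v) > 1}
    existing_collisions = {k: v for k, v in by_login.items() if k in existing}
    return directory_collisions, existing_collisions


def run_audit():
    """Run the audit over the constructed sample data and return both dicts."""
    return audit_collisions(DIRECTORY_USERNAMES, EXISTING_LOGINS)


if __name__ == "__main__":
    directory_collisions, existing_collisions = run_audit()
    for login, names in directory_collisions.items():
        print(f"directory usernames {names} all normalize to '{login}'")
    for login, names in existing_collisions.items():
        print(f"'{login}' already exists locally; would be claimed by {names}")
```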

Bug Fixes

  • The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent".
  • Saving settings via the management console would append a newline to the TLS/SSL certificate and key files which triggered unnecessary reloading of some services.
  • System logs for Dependency Graph were not rotating, allowing unbounded storage growth.
  • Upgrade could fail if the resqued workers override setting is in use.
  • When importing a repository with ghe-migrator, an unexpected exception could occur when inconsistent data is present.
  • Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of GitHub.com, directing the user to a nonexistent URL.
  • The enterprise account security settings page showed a "View your organizations' current configurations" link for the "Two-factor authentication" setting when the authentication mode in use does not support built-in two-factor authentication.
  • When using ghe-migrator to import PR review requests, records associated with deleted users would result in extraneous database records.
  • When importing users with ghe-migrator, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters.
  • Logging webhook activity could use large amounts of disk space and cause the root disk to become full.

Changes

  • Support is added for the AWS EC2 instance type m5.16xlarge.
  • Remove the requirement for SSH fingerprints in ghe-migrator archives, as they can always be computed.
  • GitHub App Manifests now include the request_oauth_on_install field.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.8 (September 23, 2020)

Security Fixes

  • MEDIUM: ImageMagick has been updated to address DSA-4715-1.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Admins were unable to see delivered repository webhooks and instead saw "Sorry, something went wrong and we weren't able to fetch the deliveries for this hook".

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.7 (September 08, 2020)

Bug Fixes

  • A service health check caused session growth resulting in filesystem inode exhaustion.
  • Upgrading using a hotpatch could fail with the error: 'libdbi1' was not found.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.6 (August 26, 2020)

Security Fixes

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. We have issued CVE-2020-10518.
  • MEDIUM: An improper access control vulnerability was identified that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and has been assigned CVE-2020-10517. The vulnerability was reported via the GitHub Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A message was not logged when the ghe-config-apply process had finished running ghe-es-auto-expand.
  • Excessive logging to the syslog file could occur on high-availability replicas if the primary appliance is unavailable.
  • Database re-seeding on a replica could fail with the error: Got packet bigger than 'max_allowed_packet'.
  • In some cases duplicate user data could cause a 500 error while running the ghe-license-usage script.
  • Using ghe-migrator, the add command would fail to lock a repository when using the --lock flag.

Changes

  • In a high availability or geo-replication configuration, replica instances would exit maintenance mode when ghe-config-apply ran.
  • We've added support for the R5a and R5n AWS instance types.
  • Removed the license seat count information on the administrative SSH MOTD due to a performance issue impacting GitHub Enterprise Server clusters.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.5 (August 12, 2020)

Bug Fixes

  • Resolved an issue that could lead to high CPU usage while generating system configuration templates.
  • Recent changes to memory allocations could lead to a degradation in system performance.
  • Temporary connectivity issues while running database migrations could cause data loss.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.4 (August 11, 2020)

Downloads Have Been Disabled

Downloads of the 2.21.4 release have been disabled as a result of a bug discovered after release. Subsequent releases in the 2.21 series include a correction for the bug.

If you have already upgraded your appliance to GitHub Enterprise 2.21.4, please contact support for assistance.

Security Fixes

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part of building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.
  • HIGH: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GHES instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A Consul configuration error prevented some background jobs from being processed on standalone instances.
  • The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance.
  • The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades.
  • The error message for invalid password authentication via the Git command line did not populate the URL for adding the appropriate token or SSH key.
  • Creating an issue on a user repository using the Issue Template feature could fail with an Internal Server Error.
  • Visiting the Explore section failed with a 500 Internal Server error.
  • Issues could not be sorted by Recently updated on repositories migrated to a new instance.
  • GitHub Connect was using a deprecated GitHub.com API endpoint.
  • Internal metrics gathering for background jobs contributed to CPU and memory use unnecessarily.
  • The 404 page contained GitHub.com contact and status links in the footer.
  • Background jobs for an unreleased feature were queued and left unprocessed.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.3 (July 21, 2020)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The Management Console monitor graphs would sometimes not display correctly on larger screens.
  • GitHub App Manifest creation flow was unusable in some scenarios when a SameSite Cookie policy was applied.
  • In some circumstances, accessing the 'Explore' page would throw an application error.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.2 (July 09, 2020)

Security Fixes

  • MEDIUM: Updated nginx to 1.16.1 and addressed CVE-2019-20372. (updated 2020-07-22)
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Certain log files did not rotate every 7 days.
  • Rapid reuse of webhook source ports resulted in rejected connections.
  • Incorrect background jobs could attempt to run on instances configured as passive replicas.
  • The VPN between nodes could become unstable causing errors to be logged and free space on the root volume to be exhausted.
  • Internal repositories were not correctly included in search results for SAML-enabled orgs.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.1 (June 23, 2020)

This release provides a fix for the major bug affecting the 2.21.0 release. We appreciate your patience in upgrading to 2.21 while we fixed these issues.

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Excessively large log events could lead to log forwarding instability when UDP was used as the transport mechanism.
  • The internal communication service used to access MySQL could restart more often than required, including part way through the upgrade process, which could cause the upgrade to partially fail. We have reduced the rate of restarts and made the code more robust.
  • Automatic unsuspension of a user through SSO did not complete if the SSH keys attribute had keys already associated with the user's account.
  • The repository permission hash from the REST API indicated no access for business members who have pull access to internal repositories.
  • The "Repository issue deletion" Enterprise account policy did not reflect the currently saved setting.
  • The audit log did not include branch protection changes events.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line.

Thanks!

The GitHub Team

GitHub Enterprise 2.21.0 (June 09, 2020)

Downloads Have Been Disabled

Downloads of the 2.21.0 release have been disabled as a result of a major bug affecting multiple customers. Subsequent releases in the 2.21 series include a correction for the bug.

If you have already upgraded your appliance to GitHub Enterprise 2.21.0, please contact support for assistance.

Features

Security Fixes

  • An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued CVE-2020-10516 in response to this issue. The vulnerability was reported via the GitHub Bug Bounty program.

Bug Fixes

  • If a user with push access minimized another user's comment, the author of the comment could unminimize it even if they had insufficient privileges.
  • Users could accidentally merge to master from the issue template editor and blob editor.
  • When a user deleted an account from GitHub, the audit log records did not correctly show organization removal records.
  • The gist avatar for the current user would link to a non-existent URL.
  • The organization repositories tab count did not include internal repositories.
  • Clicking the "Show All Teams" button when transferring a repository caused a 500 error.
  • Long filenames could cause overflow issues when showing the 'Changed since last view' label or the 'Show rich' diff toggle on the diff file view.
  • Hovercards for organization teams misreported their member size.
  • The pull request review comment popup window had a scrolling issue.
  • Haproxy could become saturated causing a slowdown in git operations.
  • The Dependency Graph feature was not automatically enabled after HA replica promotion.
  • A timeout could be triggered on the releases index page for repositories with thousands of draft pull requests.
  • It was not possible to filter pull requests by both state and draft at the same time.
  • If a pull request changed a submodule pointer, then clicking "Edit file" on that submodule file from the "Files changed" tab of the pull request page caused a 404 error.
  • It was not possible to add users to an organization, or delete the organization, following the bulk removal of all users and admins from that organization.
  • Review comments against files containing diacritics and non-Latin characters in the filename on the "Files changed" page would disappear when the page is reloaded.
  • The state of the "Viewed" checkbox was not retained for files containing diacritics and non-Latin characters in the filename on the "Files changed" page.
  • Pull requests showed the "Approved" badge when not all required reviews were in place.
  • The tag dropdown was empty when searching for a tag in repositories with more than 100 tags.
  • Pull request pages showing annotations with non-UTF-8 titles could encounter encoding errors in view rendering.
  • A race condition for refresh on the OAuth page could cause a redirect to be executed twice.
  • The "Personal Access Tokens" page would time out if there were more than 10 tokens.
  • Scheduled LDAP User and Team Sync jobs could be started while previously scheduled Sync jobs were still in process. A locking mechanism has been implemented to prevent new Sync jobs from starting if one is still running.

Changes

  • The web notifications interface, including new states, filters, and shortcuts, has been updated.
  • It is now possible to disable reactivation of LDAP users on LDAP sync.
  • The push protected branch wording has been updated to clarify that admins can always push and that users with the Maintain role can push when status checks pass.
  • Prevent blank commit when suggestion is identical to original text.
  • Pagination is supported as a way to get more files in the diff associated with a commit via the REST API.
  • Admins can enable, disable, delete, and search for webhooks using the webhook ID from the command line using ghe-webhook-manage.
  • Automatic base retargeting will happen after manual head reference cleanup for a merged pull request.
  • SVG files are handled as text and as images in the diff viewer.
  • The "auto delete branches on merge" setting can be set when creating and updating repositories using the REST API.
  • A new endpoint has been added to delete a deployment through the REST API.
  • Admins can enable security alerts but disable all notifications from those alerts.
  • The Pages log shows the user login accessing the GitHub Pages site.
  • Enterprise members can see all of the organizations they belong to as part of their Enterprise account from one view by navigating to https://[ghes-hostname]/enterprises/[account-name].
  • REST API support for triage and maintain roles has been expanded.
  • A user can create and share search queries that resolve to the current user by using the @me search syntax.
  • New issue template configuration options have been added.
  • MySQL backup and restore reliability and time to completion has been improved.
  • Improved visibility of pull requests and issue references in the issue sidebar, issue cards and issue list.
  • Users can filter and search by linked:pr or linked:issue.
  • Automatic failover of MySQL within a single region for Cluster deployments is now possible.
  • A user can compare tags between two releases to determine what changes have been made on the releases page.
  • Outdated comments are no longer collapsed by default on the Pull Request timeline. They can be collapsed by resolving the thread.
  • Admins can view a list of logins reserved for internal use by navigating to the "Reserved logins" stafftools tab.

Backups and Disaster Recovery

GitHub Enterprise Server 2.21 requires at least GitHub Enterprise Backup Utilities 2.21.0 for Backups and Disaster Recovery.

Deprecations of User Interface Support for Older Browsers

We have deprecated user interface support for Microsoft Edge 16, Microsoft Edge 17 and Firefox versions 60 - 67. People using these browsers will see a notice on the sign-in page. Users are encouraged to use a newer version of these browsers.

Upcoming Deprecation of Password Authentication and Other APIs

In a future release, we will be deprecating a set of APIs to improve the security of the Authentication and Authorization APIs. When the deprecation is applied to GitHub Enterprise Server, an announcement will be included in the release notes. At this time, please note that a deprecation process is underway. You can read more about the coming changes here.

Deprecation of Legacy GitHub App Webhook Events

Starting with GitHub Enterprise Server 2.21.0, two legacy GitHub Apps-related webhook events are deprecated and will be removed in GitHub Enterprise Server 2.25.0. The deprecated events integration_installation and integration_installation_repositories have equivalent events which will be supported. More information is available in the deprecation announcement blog post.

Deprecation of Legacy GitHub Apps Endpoint

Starting with GitHub Enterprise Server 2.21.0, the legacy GitHub Apps endpoint for creating installation access tokens is deprecated and will be removed in GitHub Enterprise Server 2.25.0. More information is available in the deprecation announcement blog post.

Deprecation of Mapbox Studio Classic style support for GeoJSON rendering

GeoJSON map files will no longer render on instances running GitHub Enterprise prior to version 2.21, due to a third-party deprecation. If the instance was configured to use a custom Mapbox Studio Classic style, the default basemap will be used until the instance is configured to use a modern Mapbox Studio style. Instances that are configured to use a Mapbox Atlas server are unaffected.

Upcoming Deprecation of GitHub Enterprise Server 2.18

GitHub Enterprise Server 2.18 will be deprecated as of August 20, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When pushing to a gist, an exception could be triggered during the post-receive hook.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team