GitHub Enterprise Server 2.22.4 (November 17, 2020)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The babeld logs were missing a separator between seconds and microseconds.
  • After upgrading GHES with a hotpatch, the ghe-actions-precheck and ghe-packages-precheck commands would fail with the error: "docker load" accepts no arguments.
  • When the enterprise account "Repository visibility change" policy was set to "Enabled", organization owners could not change the visibility of repositories within the organization.
  • Audit logs could be attributed to 127.0.0.1 instead of the actual source IP address.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.22.3 (November 03, 2020)

Security Fixes

  • LOW: High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS) on the SVN bridge service. (updated 2020-11-16)
  • LOW: Incorrect token validation resulted in a reduced entropy for matching tokens during authentication. Analysis shows that in practice there's no significant security risk here.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • GitHub Actions could fail to start up successfully if it was previously enabled on an instance running 2.22.0 and was upgraded to 2.22.1 or 2.22.2.
  • Configuration files for GitHub Actions were not copied to the replica when setting up high availability replicas, potentially leading to errors during ghe-repl-promote.
  • On a freshly set up 2.22.1 or 2.22.2 instance or after upgrading to 2.22.1 or 2.22.2, the activity feed on an organization's dashboard would not update.
  • Editing issues templates with filenames containing non-ASCII characters would fail with a "500 Internal Server Error".
  • A metric gathering method for background jobs increased CPU utilization. (updated 2020-11-03)

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address.

Thanks!

The GitHub Team

GitHub Enterprise Server 2.22.2 (October 20, 2020)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • If the storage account settings failed to validate while configuring GitHub Actions, running ghe-actions-teardown was required before making a new attempt.
  • A custom proxy configuration could adversely affect the GitHub Actions environment.
  • On a change of the address on eth0, Nomad and Consul could become unresponsive.
  • When using self-signed certificates, GHES could have SSL validation exceptions upon configuring GitHub Actions.
  • Using a GitHub Action from a branch name with a + or / character resulted in an error: Unable to resolve action.
  • The enterprise account "Confirm two-factor requirement policy" messaging was incorrect.
  • On certain requests above 100MB, Kafka's buffer could be over-allocated.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • GitHub Actions can fail to start up successfully if it was previously enabled on an instance running 2.22.0 and is upgraded to 2.22.2. (updated 2020-10-23)
  • On a freshly set up 2.22.2 instance or after upgrading to 2.22.2, the activity feed on an organization's dashboard will no longer update. (updated 2020-10-27)
  • Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02)

Thanks!

The GitHub Team

GitHub Enterprise Server 2.22.1 (October 09, 2020)

Security Fixes

  • MEDIUM: ImageMagick has been updated to address DSA-4715-1.
  • Requests from a GitHub App integration to refresh an OAuth access token would be accepted if sent with a different, valid OAuth client ID and client secret than was used to create the refresh token.
  • A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account.
  • Packages have been updated to the latest security versions.
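The refresh-token fix above describes a binding failure: any valid client credentials could redeem a refresh token that another app had been issued. The following is an added example (not GitHub's code) with a hypothetical in-memory token store, showing the vulnerable check beside the corrected one, which requires that the refresh token was issued to the presenting client and rotates it on use.

```python
"""Hypothetical model of an OAuth refresh-token exchange, added here as an
illustration of the 2.22.1 fix; it is not GitHub's implementation."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class RefreshToken:
    client_id: str   # app the token was issued to
    user: str        # user who authorized that app


@dataclass
class TokenStore:
    # client_id -> client_secret (constructed sample data, supplied by caller)
    clients: Dict[str, str]
    refresh: Dict[str, RefreshToken] = field(default_factory=dict)

    def issue(self, client_id: str, user: str) -> str:
        tok = "ghr_" + secrets.token_urlsafe(16)
        self.refresh[tok] = RefreshToken(client_id, user)
        return tok

    def _client_ok(self, client_id: str, client_secret: str) -> bool:
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def exchange_vulnerable(self, tok: str, client_id: str, client_secret: str) -> Optional[str]:
        """Behaviour the release note describes: credentials are valid, so any
        refresh token is accepted, even one issued to a different app."""
        if not self._client_ok(client_id, client_secret):
            return None
        rt = self.refresh.get(tok)
        return rt.user if rt else None

    def exchange_fixed(self, tok: str, client_id: str, client_secret: str) -> Optional[Tuple[str, str]]:
        """Corrected: the token must belong to the presenting client. On success
        the old token is consumed and a new one issued (rotation), returning
        (user, new_refresh_token)."""
        if not self._client_ok(client_id, client_secret):
            return None
        rt = self.refresh.get(tok)
        if rt is None or not hmac.compare_digest(rt.client_id, client_id):
            return None
        del self.refresh[tok]
        return rt.user, self.issue(client_id, rt.user)
```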
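The LDAP item above is a canonicalization collision: a directory username that standardizes to an existing login was treated as that account. As an added example (not GitHub's code, and the standardization rules are assumed: lowercase, runs of characters outside [a-z0-9] collapsed to a single "-"), the hypothetical account store below contrasts matching by login name with matching by the linked directory identity (DN), which is the check a defender wants.

```python
"""Hypothetical model of LDAP login mapping, added to illustrate the 2.22.1
fix; it is not GitHub's implementation and the rules are assumptions."""
import re
from typing import Dict, Optional

_NOT_LOGIN_CHARS = re.compile(r"[^a-z0-9]+")


def standardize(directory_username: str) -> str:
    """Map a directory username to a candidate login (assumed rules)."""
    return _NOT_LOGIN_CHARS.sub("-", directory_username.lower()).strip("-")


class Accounts:
    def __init__(self) -> None:
        # login -> linked LDAP DN, or None for an account created without LDAP
        self.by_login: Dict[str, Optional[str]] = {}

    def add(self, login: str, ldap_dn: Optional[str] = None) -> None:
        self.by_login[login] = ldap_dn

    def login_vulnerable(self, directory_username: str, dn: str) -> Optional[str]:
        """Behaviour the release note describes: whichever existing account has
        the standardized login is signed into, regardless of who owns it."""
        login = standardize(directory_username)
        return login if login in self.by_login else None

    def login_fixed(self, directory_username: str, dn: str) -> Optional[str]:
        """Corrected: sign into an existing account only if it is already linked
        to this DN; a collision with a built-in or differently linked account
        is refused for an administrator to resolve. First sign-in creates and
        links the account."""
        login = standardize(directory_username)
        if login not in self.by_login:
            self.add(login, dn)
            return login
        return login if self.by_login[login] == dn else None
```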

Bug Fixes

  • The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent".
  • Upgrading using a hotpatch could fail with an error: 'libdbi1' was not found.
  • Saving settings via the management console would append a newline to the TLS/SSL certificate and key files which triggered unnecessary reloading of some services.
  • System logs for Dependency Graph were not rotating, allowing unbounded storage growth.
  • The MS SQL Server performance graph showed statistics from the primary instance even when a replica was selected.
  • ghe-actions-precheck would silently exit without running the storage checks if Actions was not enabled.
  • Upgrade could fail if the resqued workers override setting is in use.
  • Some services running in containers were not sending logs to the journal.
  • Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of GitHub.com, directing the user to a nonexistent URL.
  • When importing a repository with ghe-migrator, an unexpected exception could occur when inconsistent data is present.
  • The enterprise account security settings page showed a "View your organizations' current configurations" link for the "Two-factor authentication" setting even when the authentication mode in use does not support built-in two-factor authentication.
  • OAuth refresh tokens would be removed prematurely.
  • Search repair tasks would generate exceptions during the migration phase of configuration.
  • On the settings page for GitHub Apps, the "Beta Features" tab was not visible in some circumstances.
  • When using ghe-migrator to import PR review requests, records associated with deleted users would result in extraneous database records.
  • When importing users with ghe-migrator, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters.
  • Logging webhook activity could use large amounts of disk space and cause the root disk to become full.
  • Users experienced slower Git clone and fetch performance on an instance with high availability replicas due to reads being forwarded to a different node.
  • The repository Settings page for user or organization GitHub Pages sites would fail with a "500 Internal Server Error".
  • Repository network maintenance operations could become stuck in a running state.
  • A repository being deleted immediately after uploading a code scanning result could cause a stall in the processing of code scanning results for all repositories.
  • When a large number of code scanning results were submitted at the same time, processing of batches could time out resulting in a stall in processing of code scanning results.
  • Creating a GitHub App from a manifest would fail.
  • GitHub usernames were changed unintentionally when using SAML authentication, when the GitHub username did not match the value of the attribute mapped to the username field in the Management Console.

Changes

  • Support is added for the AWS EC2 instance type m5.16xlarge.
  • The requirement for SSH fingerprints in ghe-migrator archives has been removed, as they can always be computed.
  • GitHub App Manifests now include the request_oauth_on_install field.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • Configuration updates will fail when restoring data to a GitHub Actions-enabled instance if the original backup source did not have the feature enabled.
  • GitHub Actions can fail to start up successfully if it was previously enabled on an instance running 2.22.0 and is upgraded to 2.22.1. (updated 2020-10-23)
  • On a freshly set up 2.22.1 instance or after upgrading to 2.22.1, the activity feed on an organization's dashboard will no longer update. (updated 2020-10-27)
  • Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02)

Thanks!

The GitHub Team

GitHub Enterprise Server 2.22.0 (September 23, 2020)

GitHub is excited to present GitHub Enterprise Server 2.22.0.

New Beta Features

GitHub Actions Beta

GitHub Actions is a powerful, flexible solution for CI/CD and workflow automation. GitHub Actions on Enterprise Server includes tools to help you manage the service, including key metrics in the Management Console, audit logs, and access controls to help you control the rollout.

You will need to provide your own storage and runners for GitHub Actions. AWS S3, Azure Blob Storage and MinIO are supported. Please review the updated minimum requirements for your platform before you turn on GitHub Actions. To learn more, contact the GitHub Sales team or sign up for the beta.

GitHub Packages Beta

GitHub Packages is a package hosting service, natively integrated with GitHub APIs, Actions, and webhooks. Create an end-to-end DevOps workflow that includes your code, continuous integration, and deployment solutions.

Supported storage back ends include AWS S3 and MinIO, with support for Azure Blob Storage coming in a future release. Please note that the current Docker support will be replaced by a beta of the new GitHub Container Registry in the next release. Please review the updated minimum requirements for your platform before you turn on GitHub Packages. To learn more, contact the GitHub Sales team or sign up for the beta.

Advanced Security Code Scanning Beta

GitHub Advanced Security code scanning is a developer-first, GitHub-native static application security testing (SAST) tool. Easily find security vulnerabilities before they reach production, all powered by the world's most powerful code analysis engine: CodeQL.

Administrators using GitHub Advanced Security can sign up for and enable GitHub Advanced Security code scanning beta. Please review the updated minimum requirements for your platform before you turn on GitHub Advanced Security code scanning.

Features

Pull Request Retargeting

When a pull request's head branch is merged and deleted, all other open pull requests in the same repository that target this branch are now retargeted to the merged pull request's base branch. Previously these pull requests were closed.

Suspend and Unsuspend an App Installation

Administrators and users can suspend any GitHub App’s access for as long as needed, and unsuspend the app on command through Settings and the API. Suspended apps cannot access the GitHub API or webhook events. You can use this instead of uninstalling an application, which deauthorises every user.

Improved Large Scale Performance

We have revised the approach we take to scheduling network maintenance for repositories, ensuring large monorepos are able to avoid failure states.

Passive replicas are now supported and configurable on GitHub Enterprise Server cluster deployments. These changes will enable faster failover, reducing RTO and RPO.

View All of Your Users

For exceptionally large teams, administrators can adjust the 1,500 default maximum for user lists.

Changes

Administration Changes

Security Changes

Developer Changes

Users and organizations can add Twitter usernames to their GitHub profiles.

API Changes

Graduated Previews

The following previews are now an official part of the API:

  • The GitHub Apps API and endpoints that returned the performed_via_github_app property no longer require the machine-man preview header.
  • To add and view a lock reason to an issue, you no longer need to use the sailor-v preview header.

GraphQL Schema Changes

Bug Fixes

  • The stafftools page for viewing pending collaborator showed a 500 Internal Server Error when there was a pending email invite.
  • The Repository Health Check in stafftools could give incorrect results on busy repositories.
  • A logged in user trying to accept an email invitation could get a 404 Not Found error.
  • If a user navigated to a repository whose name started with "repositories.", they were redirected to the owner's "Repositories" tab instead of landing on the repository overview page.
  • Labels in the dashboard timeline did not have enough contrast.

Deprecations

Upcoming Deprecation of GitHub Enterprise Server 2.19

GitHub Enterprise Server 2.19 will be deprecated as of November 12, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Deprecation of Legacy GitHub App Webhook Events

Starting with GitHub Enterprise Server 2.21.0, two legacy GitHub Apps-related webhook events have been deprecated and will be removed in GitHub Enterprise Server 2.25.0. The deprecated events integration_installation and integration_installation_repositories have equivalent events which will continue to be supported. More information is available in the deprecation announcement blog post.

Deprecation of Legacy GitHub Apps Endpoint

Starting with GitHub Enterprise Server 2.21.0, the legacy GitHub Apps endpoint for creating installation access tokens was deprecated and will be removed in GitHub Enterprise Server 2.25.0. More information is available in the deprecation announcement blog post.

Deprecation of OAuth Application API

GitHub no longer supports the OAuth application endpoints and has replaced them with a version that moves the access token from the URL to the request body for improved security. Brownouts will start in March 2021, and all calls to the old version of the OAuth application endpoints will return a status code of 404 starting on May 5, 2021 at 16:00 UTC.

Backups and Disaster Recovery

GitHub Enterprise Server 2.22 requires at least GitHub Enterprise Backup Utilities 2.22.0 for Backups and Disaster Recovery.

Known Issues

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
  • Custom firewall rules are not maintained during an upgrade.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
  • The Name ID Format dropdown in the Management Console resets to "unspecified" after setting it to "persistent".
  • The repository Settings page for user or organization GitHub Pages sites will fail with a "500 Internal Server Error".
  • Users may experience slower Git clone and fetch performance on an instance with high availability replicas due to reads being forwarded to a different node.
  • Creating a GitHub App from a manifest fails. To work around this issue, users can follow the manual instructions for creating a GitHub App.
  • GitHub usernames may change unintentionally when using SAML authentication, if the GitHub username does not match the value of the attribute mapped to the username field in the Management Console. (updated 2020-10-08)
  • On a freshly set up 2.22.0 instance or after upgrading to 2.22.0, the activity feed on an organization's dashboard will no longer update. (updated 2020-10-27)
  • Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02)

Thanks!

The GitHub Team