GitHub Enterprise 2.3.23 November 01, 2016

Security Fixes

  • Packages have been updated to the latest security versions.

Changes

  • GitHub Enterprise is now available in the US East (Ohio) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Deprecation of GitHub Enterprise 2.3

GitHub Enterprise 2.3 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.22 October 18, 2016

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Changing the default branch of a repository was not synchronized to a high availability replica, so the wrong branch was set as default after fail over.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.21 September 20, 2016

Pre-generated SSH Host Keys in GitHub Enterprise

A CRITICAL issue was identified for all 2.x versions of GitHub Enterprise. The GitHub Enterprise images contain pre-generated SSH host keys that were not regenerated upon installation for all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services (See the ssh_host_ed25519_key in GitHub Enterprise section below)
  • Microsoft Azure

This means an attacker with the capability to perform a man-in-the-middle attack on SSH traffic can intercept and modify network traffic to the GitHub Enterprise appliance.

The affected supported versions are:

  • 2.7.0 - 2.7.3
  • 2.6.0 - 2.6.8
  • 2.5.0 - 2.5.13
  • 2.4.0 - 2.4.16
  • 2.3.0 - 2.3.20

This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, or 2.3.21. In addition, with backup-utils-2.7.1, ghe-backup and ghe-restore will check for any leaked SSH host keys in the snapshot(s).

Please contact GitHub Enterprise Support if you have questions.

--

Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater

If you've upgraded to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Check for leaked SSH host keys using the ghe-ssh-check-host-keys utility.

    $ ghe-ssh-check-host-keys
    

    The utility should output either:

    One or more of your SSH host keys were found in the blacklist.
    Please reset your host keys using ghe-ssh-roll-host-keys.
    

    --

    The SSH host keys were not found in the SSH host key blacklist.
    No additional steps are needed/recommended at this time.
    
  3. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  4. Put your GitHub Enterprise environment in Maintenance Mode.

  5. Rotate all SSH host keys using the ghe-ssh-roll-host-keys utility.

    $ sudo ghe-ssh-roll-host-keys
    $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    

    The utility should output:

    SSH host keys have successfully been rolled.
    

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, or greater, and you are using the High Availability Configuration, there are no additional steps to take on your replica appliance.

If you've upgraded to GitHub Enterprise 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-5, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start
    

--

Verification and Mitigation if Immediate Upgrade is not Possible

If you're unable to upgrade immediately to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Download the list of leaked SSH host keys and verify its content using any of the provided hashes.

    $ curl -O https://enterprise.github.com/security/2016-09-20/ghe-ssh-leaked-host-keys-list.txt
    $ sha256sum ghe-ssh-leaked-host-keys-list.txt
    3bb29658784a4059a41f1a77cffba9586baab179ba07b795f80e12a9f10c5665  ghe-ssh-leaked-host-keys-list.txt
    $ sha1sum ghe-ssh-leaked-host-keys-list.txt
    5db799da044da9aae0bcfc523d22e7ce0fe72550  ghe-ssh-leaked-host-keys-list.txt
    $ md5sum ghe-ssh-leaked-host-keys-list.txt
    de75bcb0bf1d13e15620952c0af8da41  ghe-ssh-leaked-host-keys-list.txt
    
  3. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

    $ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
    1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /etc/ssh/ssh_host_dsa_key.pub (DSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
    256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
    256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
    $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /etc/ssh/ssh_host_rsa_key.pub (RSA)
    
  4. Check for leaked SSH host keys by comparing against the downloaded list of leaked SSH host keys.

  5. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  6. Put your GitHub Enterprise environment in Maintenance Mode.

  7. Remove all SSH host keys.

    $ sudo rm -f /etc/ssh/ssh_host_*
    
  8. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used and regenerated in 2.7.4 or greater.

    $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    $ sudo dpkg-reconfigure openssh-server
    
  9. Apply the changes to the ssh and babeld service.

    $ sudo cp /etc/ssh/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /data/user/common/
    $ sudo chown babeld:babeld /data/user/common/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub}
    
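Steps 2 through 4 above can be scripted. The following Python is an added example, not a GitHub utility: it verifies a downloaded copy of the list against the SHA-256 digest published above, computes the MD5 (colon) and SHA256 fingerprints of an OpenSSH public key, extracts the fingerprint column from ssh-keygen -lf output, and checks fingerprints against the list. It assumes the list holds one fingerprint per line (the advisory does not describe the file's format), and the sample key and sample list in it are constructed.

```python
"""Verify the leaked-host-key list and check an appliance's SSH host keys against it."""
import base64
import hashlib
import struct

# SHA-256 of ghe-ssh-leaked-host-keys-list.txt as published in the advisory.
LEAKED_LIST_SHA256 = "3bb29658784a4059a41f1a77cffba9586baab179ba07b795f80e12a9f10c5665"

# ASSUMPTION: the list file holds one fingerprint per line, either in the MD5 colon
# form or the SHA256:base64 form, with '#' starting a comment. The advisory does not
# state the real file's format; adjust load_blacklist() once you have the file.


def verify_list_digest(data, expected_sha256=LEAKED_LIST_SHA256):
    """True when the downloaded list bytes match the published SHA-256 digest."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def normalise(fingerprint):
    """MD5 fingerprints compare case-insensitively; SHA256 ones drop base64 padding."""
    if fingerprint.startswith("SHA256:"):
        return fingerprint.rstrip("=")
    return fingerprint.lower()


def load_blacklist(text):
    """Parse the list into a set of normalised fingerprints (see ASSUMPTION above)."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.add(normalise(line))
    return entries


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form ssh-keygen -lf prints on the appliance."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """SHA256:<unpadded base64> fingerprint, the form newer OpenSSH clients display."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprints_of_pubkey(pubkey_line):
    """Both fingerprints of an OpenSSH public key line ('<type> <base64 blob> [comment]')."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    return {"md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob)}


def parse_keygen_line(line):
    """Fingerprint column of one 'ssh-keygen -lf' output line, e.g.
    '1024 b2:69:...:55 /etc/ssh/ssh_host_dsa_key.pub (DSA)' -> 'b2:69:...:55'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("unexpected ssh-keygen -lf output: %r" % line)
    return fields[1]


def leaked(fingerprint_list, blacklist):
    """Return the fingerprints from fingerprint_list that appear in the blacklist."""
    return [fp for fp in fingerprint_list if normalise(fp) in blacklist]


def constructed_ed25519_pubkey(raw32):
    """Build an OpenSSH ed25519 public key line from 32 constructed bytes.
    Sample data only: this is not a real key pair, just the wire format."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    # Constructed sample: one host key whose MD5 fingerprint is on a constructed list.
    pubkey = constructed_ed25519_pubkey(bytes(range(32)))
    fps = fingerprints_of_pubkey(pubkey)
    list_text = "# constructed blacklist, not the published file\n%s\n" % fps["md5"].upper()
    if not verify_list_digest(list_text.encode()):
        print("digest mismatch: do not trust this copy of the list (expected for sample data)")
    print("leaked:", leaked([fps["md5"], fps["sha256"]], load_blacklist(list_text)))
```

On a real appliance, feed verify_list_digest() the bytes of the curl download and leaked() the fingerprints from the four ssh-keygen -lf lines in step 3.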

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-9, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start

--

Post SSH Host Key Rotation

After rotating the SSH host keys, your GitHub Enterprise environment can exit Maintenance Mode.

Your end-users will receive an error message when attempting to use the Administrative Shell (SSH) or the SSH protocol for Git activity. The rotation does not affect users using the HTTPS protocol for Git activity.

For example, the following is an output from the command-line,

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Please contact your system administrator.
Add correct host key in /Users/monalisa/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/monalisa/.ssh/known_hosts:42
ECDSA host key for [github.example.com]:122 has changed and you have requested strict checking.
Host key verification failed.

After updating the known_hosts, end-users will be prompted to accept a new fingerprint.

$ ssh -p 122 admin@github.example.com
The authenticity of host '[github.example.com]:122 ([169.254.1.1]:122)' can't be established.
ECDSA key fingerprint is SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Are you sure you want to continue connecting (yes/no)?

We strongly recommend publishing your GitHub Enterprise appliance's SSH host key fingerprints in a location that is accessible to all your end-users. For example, for GitHub.com, we publish the SSH fingerprints at https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/.

If you'd like to give end-users notice before rotating the SSH host keys, follow the instructions in the Verification and Mitigation if Immediate Upgrade is not Possible section, skipping step 7 and replacing step 8 with,

  1. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used and regenerated in 2.7.4 or greater.

    i. Pre-generate new SSH host keys to a temporary directory.

    $ ssh-keygen -t dsa -N "" -f /var/tmp/ssh_host_dsa_key
    $ ssh-keygen -t rsa -N "" -f /var/tmp/ssh_host_rsa_key
    $ ssh-keygen -t ecdsa -N "" -f /var/tmp/ssh_host_ecdsa_key
    $ ssh-keygen -t ed25519 -N "" -f /var/tmp/ssh_host_ed25519_key
    

    ii. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys for tentative rotation.

    $ ssh-keygen -lf /var/tmp/ssh_host_dsa_key.pub
    1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /var/tmp/ssh_host_dsa_key.pub (DSA)
    $ ssh-keygen -lf /var/tmp/ssh_host_ecdsa_key.pub
    256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /var/tmp/ssh_host_ecdsa_key.pub (ECDSA)
    $ ssh-keygen -lf /var/tmp/ssh_host_ed25519_key.pub
    256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /var/tmp/ssh_host_ed25519_key.pub (ED25519)
    $ ssh-keygen -lf /var/tmp/ssh_host_rsa_key.pub
    2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /var/tmp/ssh_host_rsa_key.pub (RSA)
    

    iii. Once you are ready to migrate to the new, rotated SSH host keys, move the host keys from the temporary directory and apply the changes to the ssh service.

    $ sudo mv /var/tmp/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /etc/ssh
    $ sudo service ssh restart
    

    iv. Continue with step 9 in the Verification and Mitigation if Immediate Upgrade is not Possible section.

ssh_host_ed25519_key in GitHub Enterprise

The 2.x versions of GitHub Enterprise on all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services
  • Microsoft Azure

contain a pre-generated ssh_host_ed25519_key. However, only GitHub Enterprise 2.7.4 or greater uses the ssh_host_ed25519_key. You can verify this by checking your GitHub Enterprise appliance's /etc/ssh/sshd_config: the line HostKey /etc/ssh/ssh_host_ed25519_key is present only in 2.7.4 or greater.

The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

If you've upgraded your appliance to 2.7.4 or greater on any of the supported platforms including Amazon Web Services, please follow the instructions in the Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater section.

Security Fixes

  • CRITICAL Pre-generated SSH host keys were not regenerated when installing appliances from GitHub Enterprise 2.x images.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Users were unable to add or remove deploy keys when LDAP sync is enabled.

Changes

  • GitHub Enterprise is now available in the Asia Pacific (Mumbai) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Errata

  • The Pre-generated SSH Host Keys in GitHub Enterprise vulnerability disclosure added the ssh_host_ed25519_key in GitHub Enterprise for GitHub Enterprise 2.7.4 or greater appliances on the Amazon Web Services platform. (updated 2016-09-22)

Thanks!

The GitHub Team

GitHub Enterprise 2.3.20 August 30, 2016

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Gist IDs could incorrectly collide when MySQL restarted.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.19 August 16, 2016

Security Fixes

  • HIGH: Worked around Microsoft Internet Explorer bug causing redirects to the incorrect hostname during OAuth negotiation.
  • MEDIUM: Users were able to delete SSH and/or GPG keys when LDAP sync is enabled.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • An appliance would enter maintenance mode earlier than expected if scheduled more than a week in advance.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.18 August 03, 2016

Security Fixes

  • LOW The permissions on rbenv, used by many components of GitHub Enterprise, have been tightened.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Organizations could be suspended using the ghe-user-suspend command.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.17 July 12, 2016

Security Fixes

  • HIGH Due to the way that email addresses with Unicode in the 'local part' are handled, it was possible to generate a password reset token for an email address and have it delivered to a separate email address with Unicode homoglyphs that normalized to the original email address.
  • LOW Admin users could still access user reports after being suspended.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.16 June 21, 2016

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Authenticating using SAML could fail if the authentication process took too long, for example when a user is performing two-factor authentication with the SAML server.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.15 May 31, 2016

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • OAuth application callback hostnames were limited to no longer than 63 characters, which caused some OAuth applications to stop working.
  • A missing Git repository on a high availability replica could block Git replication.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.14 May 17, 2016

Security Fixes

  • MEDIUM Release assets could be accessed by unauthenticated users in private mode.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.13 May 04, 2016

Security Fixes

Remote Code Execution in ImageMagick

Several vulnerabilities in ImageMagick, a package commonly used by web services to process images, have been discovered and disclosed by members of the Mail.ru Security team. One of the vulnerabilities is critical and can lead to remote code execution when processing user submitted images.

Final patches for all the disclosed vulnerabilities within ImageMagick are still pending. This release mitigates the remote code execution vulnerability by implementing the recommended policy to disable the vulnerable ImageMagick coders.

This vulnerability exists in ImageMagick but there is no evidence that it has been exploited on GitHub Enterprise.

We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.

Mitigation
If you can't immediately upgrade, the issue can be mitigated by implementing the policy changes as follows:

  1. SSH to your GitHub Enterprise appliance.

  2. Edit the /etc/ImageMagick/policy.xml file:

    sudo vi /etc/ImageMagick/policy.xml
    
  3. Disable the vulnerable coders by replacing the <policymap> section with:

    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>
    

There is no need to reboot or restart any services; the changes will take effect immediately.
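As an added example (not GitHub's own tooling), the following Python audit parses a policy.xml and reports which of the five coders listed in step 3 are not yet denied with rights="none", so the mitigation can be verified rather than assumed. The two policy documents embedded in it are constructed samples; the default path is the one named in step 2.

```python
"""Audit an ImageMagick policy.xml for the coder denials applied in the mitigation above."""
import xml.etree.ElementTree as ET

# Coders the mitigation disables with rights="none".
REQUIRED_DENIED_CODERS = frozenset({"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"})

# Constructed sample: a policy.xml carrying only resource limits, i.e. not yet mitigated.
UNMITIGATED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

# Constructed sample: the same file after step 3 of the mitigation has been applied.
MITIGATED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""


def denied_coders(policy_xml):
    """Set of coder patterns the policy denies outright (domain="coder", rights="none").
    A coder that is merely restricted (for example rights="read") is not counted."""
    if isinstance(policy_xml, str):
        policy_xml = policy_xml.encode("utf-8")
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").strip().lower() != "coder":
            continue
        rights = policy.get("rights", "").strip().lower()
        pattern = policy.get("pattern", "").strip()
        if pattern and rights == "none":
            # Pattern names are compared case-insensitively here.
            denied.add(pattern.upper())
    return denied


def missing_coder_denials(policy_xml, required=REQUIRED_DENIED_CODERS):
    """Coders from the required set that the policy does not deny; empty means mitigated."""
    return set(required) - denied_coders(policy_xml)


def audit_policy_file(path="/etc/ImageMagick/policy.xml"):
    """Read the appliance's policy file and return the coders still missing a denial."""
    with open(path, "rb") as fh:
        return missing_coder_denials(fh.read())


if __name__ == "__main__":
    for label, doc in (("unmitigated", UNMITIGATED_POLICY), ("mitigated", MITIGATED_POLICY)):
        missing = missing_coder_denials(doc)
        status = "OK" if not missing else "missing " + ", ".join(sorted(missing))
        print("%s sample: %s" % (label, status))
```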

Please contact GitHub Enterprise Support if you have any questions.

Bug Fixes

  • Memcached didn't log warnings or errors.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.12 April 26, 2016 Download

Bug Fixes

  • User sessions were not properly revoked when they reached the expiry limit set by the SAML identity provider (IdP).

Changes

  • Shell history is written after each command.

Security Fixes

  • MEDIUM Resolved a cross-site scripting (XSS) vulnerability in task lists.
  • MEDIUM Implemented mitigation for a URI decoding vulnerability that affects modern versions of Microsoft Internet Explorer.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.11 March 29, 2016 Download

Bug Fixes

  • Migrating wikis to the new repository layout could fail if the original migration was interrupted before completion.
  • Custom certificate authority (CA) certificates were not maintained across upgrades with SSL disabled.

Security Fixes

  • MEDIUM Resolved a cross-site scripting (XSS) vulnerability.
  • LOW The secure flag was not set for the _gh_render cookie, potentially allowing the render cookie to be sent in plaintext HTTP requests. However, Enterprise sets the Strict-Transport-Security header for modern browsers when SSL is enabled, which largely mitigates the issue.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.10 March 15, 2016 Download

Bug Fixes

  • Changing a public repository to private would cause Git operations to stop replicating to the high availability replica.

Security Fixes

  • MEDIUM OpenSSL packages have been updated to address multiple vulnerabilities, including CVE-2016-0800, known as DROWN, which did not affect GitHub Enterprise.
  • MEDIUM Ruby on Rails packages have been updated to address multiple vulnerabilities.
  • MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 (CVE-2015-0072).
  • MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability where plain text or other content types could be parsed as HTML.
  • Packages have been updated to the latest security versions.
  • The ca-certificates package has been updated to remove outdated certificate authority (CA) certificates. This update refreshes the included certificates and removes the SPI CA and CA certificates with 1024-bit RSA keys.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.9 February 23, 2016 Download

Security Fixes

  • HIGH glibc packages have been updated to address CVE-2015-7547, a getaddrinfo stack-based buffer overflow.
  • HIGH libssh packages have been updated to address CVE-2016-0739, a weakness in Diffie-Hellman secret key generation.
  • MEDIUM nss packages have been updated to address CVE-2016-1938.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.8 February 09, 2016 Download

Bug Fixes

  • Repository maintenance was not run on the high availability replica. This could lead to high load while repositories were repacked when first promoting the replica.
  • Accessing the raw URL for a file named 'policies' would fail with a 404 error.
  • Downloading the diagnostics via the Management Console could time out on instances with many release or Git LFS assets.

Security Fixes

  • HIGH OpenSSH packages have been updated to address multiple vulnerabilities.
  • MED libxml2 and related packages have been updated to address multiple vulnerabilities.
  • MED rsync has been updated to address a recently identified vulnerability.
  • LOW Passwords and two-factor authentication one-time passwords could be written to the exceptions log.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • HIGH (CVE-2015-7547) 2.3 is vulnerable to a glibc getaddrinfo stack-based buffer overflow. To manually patch your appliance, apply the hotfix by connecting to your appliance via SSH and running these commands: (updated 2016-02-17)

    $ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-precise.hpkg
    $ md5sum github-enterprise-libc-precise.hpkg # c068256696f2775579e2cd8223f82306
    $ chmod +x github-enterprise-libc-precise.hpkg
    $ ./github-enterprise-libc-precise.hpkg

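The hotfix steps above list the package's MD5 only as a comment beside the md5sum command, which leaves it to the operator to compare by eye. As an added example that is not GitHub's code, the Python below turns that digest into a hard gate: the package is marked executable and run only if its MD5 matches the published value. The function names and the constructed sample package are assumptions; the file name and digest used in the main block are the ones published in the note above.

```python
"""Verify a downloaded hotfix package against its published MD5 before running it."""
import hashlib
import hmac
import os
import stat
import subprocess
import sys
import tempfile


def file_md5(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the hex MD5 digest of a file, read in chunks so a large package
    never has to fit in memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(path: str, expected_hex: str) -> bool:
    """True only if the file's MD5 equals the published digest; the comparison
    is case-insensitive and constant-time."""
    actual = file_md5(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def apply_hotfix(path: str, expected_hex: str) -> int:
    """Run the hotfix package only after its digest has been verified.

    Returns the package's exit status. Raises RuntimeError, without executing
    anything, if the digest does not match.
    """
    if not digest_matches(path, expected_hex):
        raise RuntimeError(f"{path}: MD5 mismatch, refusing to execute")
    # Equivalent of `chmod u+x` on the downloaded package.
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return subprocess.run([os.path.abspath(path)], check=False).returncode


def write_sample_package() -> tuple:
    """Write a small constructed stand-in for a downloaded package to a temp
    file and return (path, expected_md5). For self-checks only; it is not
    the real .hpkg fetched in the release note."""
    payload = b"#!/bin/sh\necho constructed sample package\n"  # constructed
    fd, path = tempfile.mkstemp(suffix=".hpkg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path, hashlib.md5(payload).hexdigest()


if __name__ == "__main__":
    # File name and digest as published in the 2.3.8 release note above.
    HOTFIX_FILE = "github-enterprise-libc-precise.hpkg"
    HOTFIX_MD5 = "c068256696f2775579e2cd8223f82306"
    sys.exit(apply_hotfix(HOTFIX_FILE, HOTFIX_MD5))
```

Run it from the directory where curl saved the package. The digest check guards against a truncated or corrupted download; fetching the package over HTTPS from the publisher's own location is what vouches for its origin.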
Thanks!

The GitHub Team

GitHub Enterprise 2.3.7 December 15, 2015 Download

Bug Fixes

  • High availability replication could fail to automatically start after a reboot.

Security Fixes

  • HIGH An integer overflow in Git could result in incorrect memory allocation values (CVE-2016-2315, CVE-2016-2324). (updated 2016-03-17)
  • MED libxml2 and related packages have been updated to address multiple vulnerabilities.
  • MED OpenSSL packages have been updated to address multiple vulnerabilities.
  • LOW Auto-completion within several fields of the management console settings could cause SNMP and LDAP secrets to be logged in plaintext.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Git LFS Client Vulnerability

An issue has been identified that could allow an attacker to execute arbitrary commands on a user’s computer if they had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. However, this file also allowed arbitrary Git configuration options to be modified. We have addressed the vulnerability by restricting the per-repository Git LFS configuration options that can be used to a whitelisted safe subset.

GitHub Enterprise is not directly affected as this is a client-side vulnerability and Git LFS is disabled on GitHub Enterprise by default. If you have enabled Git LFS on your appliance, we recommend you upgrade your clients to Git LFS 1.0.1 or later to address this vulnerability.

Thanks!

The GitHub Team

GitHub Enterprise 2.3.6 December 01, 2015 Download

Bug Fixes

  • Deleting an impersonation OAuth token via the API would fail.

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Thanks!

The GitHub Team

GitHub Enterprise 2.3.5 November 03, 2015 Download

Bug Fixes

  • The high availability replication status as reported by ghe-repl-status would not report a failure if ElasticSearch was not running.
  • The temporary support bundle archive wasn't removed after a successful upload.
  • ghe-upgrade would fail with a GPG signature error if run as the root user.
  • The slider handle would not show when viewing an SVG diff.

Security Fixes

  • MED OpenJDK has been updated to address multiple vulnerabilities related to information disclosure, data integrity and availability.
  • MED NTP packages have been updated to address multiple vulnerabilities.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Thanks!

The GitHub Team

GitHub Enterprise 2.3.4 October 06, 2015 Download

Bug Fixes

  • We didn't accept OAuth application credentials using Basic Authentication when exchanging the code for a token. This meant developers couldn't use the standard Go OAuth2 library with GitHub Enterprise, forcing them to maintain their own fork of the library.
  • When a member of a team with admin access tried to add a new team member, it failed without an error. Only the Owners team could add new team members.
  • SNMP did not start on the high availability replica.
  • It was not possible to upload files larger than 1GB with Git LFS.
  • GitHub Pages reported a vague error message when page builds failed due to the use of an unsupported syntax highlighter.
  • Some repositories could have temporary merge-trees directories left from git operations that timed out but weren't automatically cleaned up.

Security Fixes

  • MED Unvalidated parameters passed to the GitHub Enterprise metrics could be used to generate a denial of service attack against the appliance.
  • LOW Large Git updates could trigger an overflow in Git xdiff.
  • Packages have been updated to the latest security versions.

Changes

  • We now retain more of the MySQL binlog files. This helps ensure MySQL replication can be automatically set up following an extended period without any replication.
  • Setting up high availability replication can sometimes fail when establishing the VPN connection. We've made the output more verbose to help with determining the cause of these failures.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Errata

  • Not deleting a user's gists when deleting the user was fixed in 2.3.0. (updated 2015-10-12)

Thanks!

The GitHub Team

GitHub Enterprise 2.3.3 September 15, 2015 Download

Bug Fixes

  • The instance could reboot before MySQL had completely stopped. This could lead to database inconsistencies that may have only come to light during an upgrade.
  • The warning message shown when making a public repository on instances with private mode enabled was a little vague and could lead to uncertainty about how public the repository would really be.
  • The Elasticsearch logs could contain socket exception errors caused by a health check exiting prematurely.
  • Pull request .patch and .diff URLs would fail on instances with subdomain isolation disabled.
  • In our instructions to merge a pull request on the command line, we showed the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps would always fail. We also didn't show the steps to merge using SSH.
  • The installation preflight check didn't make it clear that two block devices are required.
  • The maintenance page on the high availability replica instance used the incorrect information from the primary instance in the link to the primary instance. This led to a confusing experience for users following this link.
  • Updates to Wiki pages by users without a primary email address set would throw errors – the updates are now refused.
  • The audit log was missing useful Git activity information.
  • Postfix allowed local user and address verification using the RCPT and VRFY commands potentially exposing operating system-level user information.
  • Semicolons were allowed to be used in the LDAP Base name settings within the management console leading to problems authenticating users via LDAP.
  • The core.package-version variable in the appliance configuration file was not updated to reflect the new appliance version during an upgrade.
  • Viewing a repository's push log in a web browser displayed the warning "Reflog Sync disabled on this repository. Results maybe out of date." This was cosmetic only and did not indicate an issue with the push log or repository storage.

Security Fixes

  • HIGH Read access to public API endpoints of private-mode instances and to specific reporting endpoints can be authenticated by connecting via local trusted ports. This authentication could be bypassed by manipulating specific HTTP headers and lead to information disclosure.
  • HIGH The Markdown syntax highlighter allowed malicious users to inject unsanitized HTML into comments and Markdown documents.
  • Kernel and packages have been updated to the latest security versions.
  • Mediawiki Math markup within Gists and repository files with the .mediawiki suffix could leak information to the Google Chart API when they were displayed.
  • Raw Gist URLs didn't include an expiring token when private mode is enabled. This meant raw Gists were always accessible without authentication if you knew the full URL.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • When a member of a team with admin access tries to add a new team member, it fails without an error. Only the Owners team can add new team members.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Errata

  • Not deleting a user's gists when deleting the user was fixed in 2.3.0. (updated 2015-10-12)

Thanks!

The GitHub Team

GitHub Enterprise 2.3.2 August 25, 2015 Download

Bug Fixes

  • We showed a warning in the site admin that an email address wasn't verified, but email verification is disabled in GitHub Enterprise.
  • User profile names containing certain Unicode characters wouldn't display when synced from an LDAP directory.
  • The longpoll service, which provides live updates to Issues and Pull Requests pages, didn't restart properly if it was terminated.
  • Logs for some background jobs were not forwarded.
  • Double quotes were being stripped from admin SSH keys added via the management console.
  • Deploy keys could not be deleted when LDAP Sync was enabled.
  • The ghe-storage-extend command, which resizes the storage volume, could fail with a "Volume group name ghe_storage_* has invalid characters" error under some circumstances.
  • Several actions of the admin API related to LDAP were not working as documented.

Security Fixes

  • Kernel and packages have been updated to the latest security versions.

Known Issues

  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • In our instructions to merge a pull request on the command line, we don't show the steps to merge using SSH.
  • Updates to Wiki pages by users without a primary email address set throw errors.
  • Viewing a repository's push log in a web browser displays the warning "Reflog Sync disabled on this repository. Results maybe out of date." This is cosmetic only and does not indicate an issue with the push log or repository storage. (updated 2015-08-28)
  • When a member of a team with admin access tries to add a new team member, it fails without an error. Only the Owners team can add new team members. (updated 2015-09-08)
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Errata

  • Not deleting a user's gists when deleting the user was fixed in 2.3.0. (updated 2015-10-12)

Thanks!

The GitHub Team

GitHub Enterprise 2.3.1 August 11, 2015 Download

Bug Fixes

  • Packages have been updated to the latest bugfix versions.
  • Administrators couldn't promote or demote SAML users from the command line.
  • Settings downloaded using the management console API couldn't be applied using the management console API.
  • An error in the VMware tools configuration caused excessive logging.
  • Organization owners could be prompted to sign up for an early access feature that is not part of GitHub Enterprise.
  • During an upgrade, checking the validity of the SSL certificate and key could output an error message. There is nothing wrong, but the error message can look scary.
  • Suspended user accounts could be created when unauthorized LDAP users attempted to sign in to GitHub Enterprise.
  • A failed login attempt caused multiple LDAP authentication failures, which could cause accounts to be locked on the LDAP server side.
  • Gist-specific keyboard shortcuts were not shown when you pressed the ? key on Gist pages.
  • Clicking on line numbers in the second file of a multi-file Gist would highlight a code line in the first file, if that code line number exists in the first file.

Known Issues

  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.
  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • It is not possible to modify the LDAP DN mapping for a user using the administrator LDAP API.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed. (updated 2015-08-13)
  • Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)
  • Viewing a repository's push log in a web browser displays the warning "Reflog Sync disabled on this repository. Results maybe out of date." This is cosmetic only and does not indicate an issue with the push log or repository storage. (updated 2015-08-28)
  • When a member of a team with admin access tries to add a new team member, it fails without an error. Only the Owners team can add new team members. (updated 2015-09-08)
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Errata

  • Not deleting a user's gists when deleting the user was fixed in 2.3.0. (updated 2015-10-12)

Thanks!

The GitHub Team

GitHub Enterprise 2.3.0 August 04, 2015

New Features

With the new features added in GitHub Enterprise 2.3.0, you can:

  • Use the API to create new users and organizations.
  • Impersonate a user when making API calls, just as you can through the web interface.
  • Have finer control over permissions with read-only deploy keys.
  • Migrate complete repositories from one GitHub instance to another with ghe-migrator.
  • Configure an HTTP proxy for outbound traffic, such as webhooks.

Changes

  • Updates to the Authorizations API include breaking changes. If you use the Authorizations API, you should review the changes and update your usage before upgrading. (updated 2015-08-06)
  • We no longer send email invitations when adding a user to an organization.
  • The queues for background jobs can now be paused and resumed using the ghe-resque-info command line utility.
  • Browsers no longer send a Referer header on requests originating from GitHub Enterprise, to prevent leaking the location of your Enterprise instance to external sites.
  • The search index definitions have changed. Some searches will return partial results while the search indices are rebuilt. (updated 2015-10-07)

Upgrading

Upgrading to the 2.3 release series is supported from GitHub Enterprise 2.1.0 and above.

Bug Fixes

  • Ubuntu packages have been updated to the latest bugfix versions.
  • When displaying a commit made with an email address that doesn't belong to an existing GitHub Enterprise user, we loaded a default avatar from a GitHub.com subdomain.
  • During an upgrade, checking the validity of the SSL certificate and key could output an error message. There is nothing wrong, but the error message can look scary.
  • Using uppercase characters in the hostname caused a redirect loop.
  • CSV files on Pages sites were transferred uncompressed.
  • We didn't show an error if you uploaded an invalid license when the current license was expired.
  • The page displayed when GitHub Enterprise is in maintenance mode could show an out-of-date support email address.
  • Gist profile pages didn't have proper styling when subdomain isolation was disabled.
  • Global notices weren't displayed on mobile devices.
  • We didn't properly show user details in the search section of a user's profile in the site admin.
  • Dashboard activity feed links pointed to the wrong hostname after restoring from backup if the hostname had changed.
  • We displayed the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.
  • Replication setup failed for IPv6 hosts.
  • Gists couldn't be created when using Safari 8.x in Private Mode.
  • Users with LDAP DNs longer than 255 characters were suspended if LDAP Sync was enabled. (updated 2015-08-20)
  • Deleting a user didn't delete their gists, which could cause problems with replication. (updated 2015-10-12)

Security Fixes

  • Ubuntu kernel and packages have been updated to the latest security versions.
  • MEDIUM: Cached form objects could cause CSRF tokens to be shared across users.

Upcoming deprecation of authentication using GitHub OAuth

User authentication via GitHub OAuth is being deprecated and will be removed in a future feature release. It will be removed no sooner than November 2015.

GitHub Enterprise includes support for authenticating users via OAuth to accounts on GitHub.com because it provides a simple way to set up external authentication. However, after speaking with many customers, we've found that organizations commonly have other sources they want to use to automate identity and access management.

We want to focus on features that best meet the needs of our users, so we're planning to remove support for GitHub OAuth in a future feature release and focus on making ongoing improvements to other authentication methods like SAML and LDAP.

Note that this change will only affect user authentication via GitHub.com and not personal access tokens or OAuth applications added to your GitHub Enterprise instance.

Known Issues

  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Management console sessions can expire too quickly for Safari users.
  • Gist repositories are not garbage collected by the maintenance scheduler.
  • Custom firewall rules aren't maintained during an upgrade.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • Deleting a user doesn't delete their gists, which can cause problems with replication.
  • In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.
  • We incorrectly redirect to the dashboard if you access GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Email can't be sent over TLS when SSL is disabled.
  • During an upgrade, checking the validity of the SSL certificate and key could output an error message. There is nothing wrong, but the error message can look scary.
  • When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed. (updated 2015-08-13)
  • Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)
  • Viewing a repository's push log in a web browser displays the warning "Reflog Sync disabled on this repository. Results maybe out of date." This is cosmetic only and does not indicate an issue with the push log or repository storage. (updated 2015-08-28)
  • When a member of a team with admin access tries to add a new team member, it fails without an error. Only the Owners team can add new team members. (updated 2015-09-08)
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Errata

  • Under some circumstances, it is still possible to trigger a harmless error message when checking the validity of the SSL certificate and key during an upgrade.
  • Not deleting a user's gists when deleting the user was fixed in 2.3.0. (updated 2015-10-12)

Thanks!

The GitHub Team