GitHub Enterprise 2.4.23 (January 31, 2017)

SAML authentication bypass with XML signature wrapping in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is exploitable only if the attacker has access to a SAML assertion or response that is validly signed against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.

The affected supported versions are:

  • 2.8.0 - 2.8.6
  • 2.7.0 - 2.7.10
  • 2.6.0 - 2.6.15
  • 2.5.0 - 2.5.20
  • 2.4.0 - 2.4.22

Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker can configure a repository's webhooks, which requires owner or admin privileges on a repository.

The affected supported versions are:

  • 2.8.0 - 2.8.6
  • 2.7.0 - 2.7.10
  • 2.6.0 - 2.6.15
  • 2.5.0 - 2.5.20
  • 2.4.0 - 2.4.22

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:

  1. Put your GitHub Enterprise environment in Maintenance Mode.

  2. SSH to your primary GitHub Enterprise appliance.

  3. Destroy the existing SAML sessions.

    $ echo SAML::Session.destroy_all | ghe-console-github
    
  4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

If possible, we also recommend restricting Management Console access to your site administrators.

These vulnerabilities were reported through the GitHub Security Bug Bounty program, and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post announcing its inclusion, "Bug Bounty anniversary promotion: bigger bounties in January and February".

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

  • CRITICAL: An attacker could bypass SAML authentication via XML signature wrapping and log in as any other user.
  • CRITICAL: There was a remote code execution vulnerability via server side request forgery.
  • HIGH: With built-in authentication, suspended users could log in.
  • Packages have been updated to the latest security versions.

Upcoming deprecation of GitHub Enterprise 2.4

GitHub Enterprise 2.4 will be deprecated as of February 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

GitHub Enterprise 2.4.22 (January 04, 2017)

Security Fixes

  • Packages have been updated to the latest security versions.

Upcoming deprecation of GitHub Enterprise 2.4

GitHub Enterprise 2.4 will be deprecated as of February 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.21 (December 21, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Changes

  • GitHub Enterprise is now available in the EU West (London) and Canada (Central) AWS regions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.20 (November 22, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Merge button was disabled for protected branches when memcached was stopped.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.19 (November 01, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Changes

  • GitHub Enterprise is now available in the US East (Ohio) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.18 (October 18, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Changing the default branch of a repository was not synchronized to a high availability replica, so the wrong branch was set as default after fail over.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.17 (September 20, 2016)

Pre-generated SSH Host Keys in GitHub Enterprise

A CRITICAL issue was identified for all 2.x versions of GitHub Enterprise. The GitHub Enterprise images contain pre-generated SSH host keys that were not regenerated upon installation for all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services (See the ssh_host_ed25519_key in GitHub Enterprise section below)
  • Microsoft Azure

Because every appliance installed from one of these images shares the same private host keys, an attacker with the capability to perform a man-in-the-middle attack on SSH traffic can impersonate the appliance and intercept and modify network traffic to it.

The affected supported versions are:

  • 2.7.0 - 2.7.3
  • 2.6.0 - 2.6.8
  • 2.5.0 - 2.5.13
  • 2.4.0 - 2.4.16
  • 2.3.0 - 2.3.20

This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, or 2.3.21. In addition, with backup-utils-2.7.1, ghe-backup and ghe-restore will check for any leaked SSH host keys in the snapshot(s).

Please contact GitHub Enterprise Support if you have questions.

Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater

If you've upgraded to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Check for leaked SSH host keys using the ghe-ssh-check-host-keys utility.

    $ ghe-ssh-check-host-keys
    

    The utility should output either:

    One or more of your SSH host keys were found in the blacklist.
    Please reset your host keys using ghe-ssh-roll-host-keys.
    
    or:

    The SSH host keys were not found in the SSH host key blacklist.
    No additional steps are needed/recommended at this time.
    
  3. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  4. Put your GitHub Enterprise environment in Maintenance Mode.

  5. Rotate all SSH host keys using the ghe-ssh-roll-host-keys utility.

    $ sudo ghe-ssh-roll-host-keys
    $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    

    The utility should output:

    SSH host keys have successfully been rolled.
    

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, or greater, and you are using the High Availability Configuration, there are no additional steps to take on your replica appliance.

If you've upgraded to GitHub Enterprise 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-5, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start
    

Verification and Mitigation if Immediate Upgrade is not Possible

If you're unable to upgrade immediately to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Download the list of leaked SSH host keys and verify its content using any of the provided hashes.

    $ curl -O https://enterprise.github.com/security/2016-09-20/ghe-ssh-leaked-host-keys-list.txt
    $ sha256sum ghe-ssh-leaked-host-keys-list.txt
    3bb29658784a4059a41f1a77cffba9586baab179ba07b795f80e12a9f10c5665  ghe-ssh-leaked-host-keys-list.txt
    $ sha1sum ghe-ssh-leaked-host-keys-list.txt
    5db799da044da9aae0bcfc523d22e7ce0fe72550  ghe-ssh-leaked-host-keys-list.txt
    $ md5sum ghe-ssh-leaked-host-keys-list.txt
    de75bcb0bf1d13e15620952c0af8da41  ghe-ssh-leaked-host-keys-list.txt
    
  3. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

    $ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
    1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /etc/ssh/ssh_host_dsa_key.pub (DSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
    256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
    256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
    $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /etc/ssh/ssh_host_rsa_key.pub (RSA)
    
  4. Check for leaked SSH host keys by comparing against the downloaded list of leaked SSH host keys.

  5. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  6. Put your GitHub Enterprise environment in Maintenance Mode.

  7. Remove all SSH host keys.

    $ sudo rm -f /etc/ssh/ssh_host_*
    
  8. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used and regenerated in 2.7.4 or greater.

    $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    $ sudo dpkg-reconfigure openssh-server
    
  9. Apply the changes to the ssh and babeld services.

    $ sudo cp /etc/ssh/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /data/user/common/
    $ sudo chown babeld:babeld /data/user/common/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub}
    
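Step 4 above leaves the actual comparison to the reader. The following shell script is an added example, not GitHub's own tooling: it computes the MD5 fingerprint of every host public key in a directory (the same value ssh-keygen -lf printed in step 3) and looks each one up in the downloaded list. It assumes the list holds one colon-separated MD5 fingerprint per line; if the published list uses another format, adjust the grep in check_host_keys. The key files used in the stand-alone usage comment are the appliance's real paths, while any sample keys fed to it for testing are constructed.

```shell
#!/bin/sh
# Added example (not part of GitHub Enterprise): fingerprint the appliance's SSH host
# public keys and look each fingerprint up in the downloaded leaked-key list.
# ASSUMPTION: the list contains one MD5 colon-separated fingerprint per line, in the
# same form as the ssh-keygen -lf output shown in step 3 of the release notes.

# MD5 fingerprint of an OpenSSH public key file: MD5 over the base64-decoded key blob
# (the second whitespace-separated field), rendered as colon-separated hex pairs.
fingerprint_md5() {
    awk '{ print $2 }' "$1" | base64 -d | md5sum | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# Usage: check_host_keys LEAKED_LIST KEY_DIR
# Prints one line per ssh_host_*_key.pub in KEY_DIR; exit status 1 if any
# fingerprint appears in LEAKED_LIST (case-insensitive, whole-line match), else 0.
check_host_keys() {
    list="$1"
    dir="$2"
    leaked=0
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        fp=$(fingerprint_md5 "$pub")
        if grep -qixF -- "$fp" "$list"; then
            echo "LEAKED   $fp  $pub"
            leaked=1
        else
            echo "ok       $fp  $pub"
        fi
    done
    return $leaked
}

# Stand-alone use on the appliance, after downloading and verifying the list in step 2:
#   check_host_keys ./ghe-ssh-leaked-host-keys-list.txt /etc/ssh || echo "rotate host keys (steps 6-9)"
```

On OpenSSH 6.8 or newer, ssh-keygen -lf prints SHA256 fingerprints by default; `ssh-keygen -E md5 -lf /etc/ssh/ssh_host_rsa_key.pub` prints the colon form this script computes, which is a quick way to cross-check a single key by hand.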

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-9, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start
    

Post SSH Host Key Rotation

After rotating the SSH host keys, your GitHub Enterprise environment can exit Maintenance Mode.

Your end-users will receive an error message when attempting to use the Administrative Shell (SSH) or the SSH protocol for Git activity, because the new host key no longer matches the one cached in their known_hosts file. The rotation does not affect users using the HTTPS protocol for Git activity.

For example, the following is the output a user sees on the command line:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Please contact your system administrator.
Add correct host key in /Users/monalisa/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/monalisa/.ssh/known_hosts:42
ECDSA host key for [github.example.com]:122 has changed and you have requested strict checking.
Host key verification failed.

After updating their known_hosts file, end-users will be prompted to accept the new fingerprint, which they should compare against the value you publish:

$ ssh -p 122 admin@github.example.com
The authenticity of host '[github.example.com]:122 ([169.254.1.1]:122)' can't be established.
ECDSA key fingerprint is SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Are you sure you want to continue connecting (yes/no)?

We strongly recommend publishing your GitHub Enterprise appliance's SSH host key fingerprints in a location that is accessible to all your end-users. For example, for GitHub.com, we publish the SSH fingerprints at https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/.

If you'd like to give end-users notice before rotating the SSH host keys, follow the instructions in the Verification and Mitigation if Immediate Upgrade is not Possible section, skipping step 7 and replacing step 8 with,

  1. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used and regenerated in 2.7.4 or greater.

    i. Pre-generate new SSH host keys to a temporary directory.

      $ ssh-keygen -t dsa -N "" -f /var/tmp/ssh_host_dsa_key
      $ ssh-keygen -t rsa -N "" -f /var/tmp/ssh_host_rsa_key
      $ ssh-keygen -t ecdsa -N "" -f /var/tmp/ssh_host_ecdsa_key
      $ ssh-keygen -t ed25519 -N "" -f /var/tmp/ssh_host_ed25519_key
    

    ii. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys for tentative rotation.

      $ ssh-keygen -lf /var/tmp/ssh_host_dsa_key.pub
      1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /var/tmp/ssh_host_dsa_key.pub (DSA)
      $ ssh-keygen -lf /var/tmp/ssh_host_ecdsa_key.pub
      256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /var/tmp/ssh_host_ecdsa_key.pub (ECDSA)
      $ ssh-keygen -lf /var/tmp/ssh_host_ed25519_key.pub
      256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /var/tmp/ssh_host_ed25519_key.pub (ED25519)
      $ ssh-keygen -lf /var/tmp/ssh_host_rsa_key.pub
      2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /var/tmp/ssh_host_rsa_key.pub (RSA)
    

    iii. Once you are ready to migrate to the new, rotated SSH host keys, move the host keys from the temporary directory and apply the changes to the ssh service.

      $ sudo mv /var/tmp/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /etc/ssh
      $ sudo service ssh restart
    

    iv. Continue with step 9 in the Verification and Mitigation if Immediate Upgrade is not Possible section.

ssh_host_ed25519_key in GitHub Enterprise

The 2.x versions of GitHub Enterprise on all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services
  • Microsoft Azure

contain a pre-generated ssh_host_ed25519_key. However, only GitHub Enterprise 2.7.4 or greater uses the ssh_host_ed25519_key. This can be verified by checking your GitHub Enterprise appliance's /etc/ssh/sshd_config: the line HostKey /etc/ssh/ssh_host_ed25519_key is present only in 2.7.4 or greater.

The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

If you've upgraded your appliance to 2.7.4 or greater on any of the supported platforms including Amazon Web Services, please follow the instructions in the Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater section.

Security Fixes

  • CRITICAL: Pre-generated SSH host keys were not regenerated when installing appliances from GitHub Enterprise 2.x images.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Users were unable to add or remove deploy keys when LDAP sync is enabled.

Changes

  • GitHub Enterprise is now available in the Asia Pacific (Mumbai) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Errata

  • The Pre-generated SSH Host Keys in GitHub Enterprise vulnerability disclosure was amended with the ssh_host_ed25519_key in GitHub Enterprise section, covering GitHub Enterprise 2.7.4 or greater appliances on the Amazon Web Services platform. (updated 2016-09-22)

Thanks!

The GitHub Team

GitHub Enterprise 2.4.16 (August 30, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Gist IDs could incorrectly collide when MySQL restarted.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.15 (August 16, 2016)

Security Fixes

  • HIGH: Worked around a Microsoft Internet Explorer bug causing redirects to the incorrect hostname during OAuth negotiation.
  • MEDIUM: Users were able to delete SSH and/or GPG keys when LDAP sync is enabled.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • An appliance would enter maintenance mode earlier than expected if scheduled more than a week in advance.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.14 (August 03, 2016)

Security Fixes

  • LOW: The permissions on rbenv, used by many components of GitHub Enterprise, have been tightened.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The schema for requests to and responses from the LFS API has been relaxed to allow additional properties. This will allow the API to be extended in the future.
  • Organizations could be suspended using the ghe-user-suspend command.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.13 (July 12, 2016)

Security Fixes

  • HIGH: Due to the way that email addresses with Unicode in the 'local part' are handled, it was possible to generate a password reset token for an email address and have it delivered to a separate email address with Unicode homoglyphs that normalized to the original email address.
  • LOW: Admin users could still access user reports after being suspended.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • LDAP sync failed on suspended users if restricted groups are not configured.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.12 (June 21, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Authenticating using SAML could fail if the authentication process took too long, for example when a user is performing two-factor authentication with the SAML server.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.11 (May 31, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • OAuth application callback hostnames were limited to no longer than 63 characters, which caused some OAuth applications to stop working.
  • A missing Git repository on a high availability replica could block Git replication.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.10 May 17, 2016 Download

Security Fixes

  • MEDIUM Release assets could be accessed by unauthenticated users in private mode.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.9 May 04, 2016 Download

Security Fixes

Remote Code Execution in ImageMagick

Several vulnerabilities in ImageMagick, a package commonly used by web services to process images, have been discovered and disclosed by members of the Mail.ru Security team. One of the vulnerabilities is critical and can lead to remote code execution when processing user submitted images.

Final patches for all the disclosed vulnerabilities within ImageMagick are still pending. This release mitigates the remote code execution vulnerability by implementing the recommended policy to disable the vulnerable ImageMagick coders.

This vulnerability exists in ImageMagick but there is no evidence that it has been exploited on GitHub Enterprise.

We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.

Mitigation
If you can't immediately upgrade, the issue can be mitigated by implementing the policy changes as follows:

  1. SSH to your GitHub Enterprise appliance.

  2. Edit the /etc/ImageMagick/policy.xml file:

    sudo vi /etc/ImageMagick/policy.xml
    
  3. Disable the vulnerable coders by replacing the <policymap> section with:

    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>
    

There is no need to reboot or restart any services; the changes will take effect immediately.

Please contact GitHub Enterprise Support if you have any questions.
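
The steps above leave it to the reader to confirm the edit took. As an added check that is not part of the GitHub advisory, the POSIX shell script below verifies that a policy.xml denies each of the five coders named above, so the mitigation can be confirmed on one appliance or audited across several. The coder list is the advisory's; the function name, its messages and the two sample policy files are constructed for this example.

```sh
#!/bin/sh
# Added example (not part of the GitHub advisory): verify that an ImageMagick
# policy.xml denies every coder named in the mitigation above. The function
# name, its messages and the two sample policy files are constructed here.

REQUIRED_CODERS="EPHEMERAL URL HTTPS MVG MSL"

# check_imagemagick_policy FILE
# Returns 0 when every coder in REQUIRED_CODERS has a
# <policy domain="coder" rights="none" pattern="..."/> entry, 1 (listing
# the gaps) otherwise, 2 if the file is unreadable. Attribute order inside
# the tag does not matter. Single-line XML comments are stripped first so a
# commented-out entry does not count; multi-line comments are not handled.
check_imagemagick_policy() {
  policy="$1"
  missing=""
  [ -r "$policy" ] || { echo "cannot read $policy" >&2; return 2; }
  for coder in $REQUIRED_CODERS; do
    if ! sed 's/<!--.*-->//g' "$policy" \
        | grep -E "<policy[^>]*pattern=\"$coder\"" \
        | grep 'domain="coder"' \
        | grep -q 'rights="none"'; then
      missing="$missing $coder"
    fi
  done
  if [ -n "$missing" ]; then
    echo "policy incomplete, coders still permitted:$missing"
    return 1
  fi
  echo "policy ok: all vulnerable coders denied"
}

# Constructed sample 1: a stock policy map with nothing denied.
VULNERABLE_POLICY=$(mktemp)
cat > "$VULNERABLE_POLICY" <<'EOF'
<policymap>
  <!-- <policy domain="resource" name="memory" value="256MiB"/> -->
</policymap>
EOF

# Constructed sample 2: the policy map the advisory tells you to install.
MITIGATED_POLICY=$(mktemp)
cat > "$MITIGATED_POLICY" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
EOF
trap 'rm -f "$VULNERABLE_POLICY" "$MITIGATED_POLICY"' EXIT

# On an appliance, point it at the live file instead:
#   check_imagemagick_policy /etc/ImageMagick/policy.xml
check_imagemagick_policy "$VULNERABLE_POLICY" || echo "(exit status $?, as expected)"
check_imagemagick_policy "$MITIGATED_POLICY"
```

The script only inspects the file; `convert -list policy` shows the policy the installed ImageMagick has actually loaded, which also confirms that /etc/ImageMagick/policy.xml is the path that build reads.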

Bug Fixes

  • Memcached didn't log warnings or errors.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.8 April 26, 2016 Download

Bug Fixes

  • User sessions were not properly revoked when they reached the expiry limit set by the SAML identity provider (IdP).

Changes

  • Shell history is written after each command.

Security Fixes

  • MEDIUM Resolved a cross-site scripting (XSS) vulnerability in task lists.
  • MEDIUM Implemented mitigation for a URI decoding vulnerability that affects modern versions of Microsoft Internet Explorer.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.7 March 29, 2016 Download

Bug Fixes

  • Migrating wikis to the new repository layout could fail if the original migration was interrupted before completion.
  • Custom certificate authority (CA) certificates were not maintained across upgrades with SSL disabled.
  • Protected branches could be updated when making a Git force push against multiple identical branches.

Changes

  • Automatic Update Checking and downloading now checks for feature releases.

Security Fixes

  • MEDIUM Resolved a cross-site scripting (XSS) vulnerability.
  • LOW The secure flag was not set for the _gh_render cookie, potentially allowing the render cookie to be sent in plaintext HTTP requests. However, Enterprise sets the Strict-Transport-Security header for modern browsers when SSL is enabled, which largely mitigates the issue.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
  • Automatic update checks fail to download the latest ESX package.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.6 March 15, 2016 Download

Bug Fixes

  • Changing a public repository to private would cause Git operations to stop replicating to the high availability replica.

Changes

  • High availability replication now runs with four workers. This will lead to quicker synchronization when initially starting replication and ongoing replication on very busy instances.

Security Fixes

  • MEDIUM OpenSSL packages have been updated to address multiple vulnerabilities, including CVE-2016-0800, known as DROWN, which did not affect GitHub Enterprise.
  • MEDIUM Ruby on Rails packages have been updated to address multiple vulnerabilities.
  • MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 (CVE-2015-0072).
  • MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability where plain text or other content types could be parsed as HTML.
  • Packages have been updated to the latest security versions.
  • The ca-certificates package has been updated to remove outdated certificate authority (CA) certificates. This update refreshes the included certificates and removes the SPI CA and CA certificates with 1024-bit RSA keys.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.5 February 23, 2016 Download

Bug Fixes

  • The Collectd log file was not rotated and could grow quite large.
  • Duplicate Pages sites in /data/user/pages differing only by case could cause an upgrade to fail. This may occur if a background job for a rename or deletion had failed on a previous Enterprise release.

Security Fixes

  • HIGH glibc packages have been updated to address CVE-2015-7547, a getaddrinfo stack-based buffer overflow.
  • HIGH libssh packages have been updated to address CVE-2016-0739, a weakness in Diffie-Hellman secret key generation.
  • MEDIUM nss packages have been updated to address CVE-2016-1938.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.4 February 09, 2016 Download

Bug Fixes

  • Repository maintenance was not run on the high availability replica. This could lead to high load while repositories were repacked when first promoting the replica.
  • Accessing the raw URL for a file named 'policies' would fail with a 404 error.
  • Downloading the diagnostics via the Management Console could time out on instances with many release or Git LFS assets.
  • We tried to log timing statistics to an inaccessible statsd server when downloading release assets.
  • Repository milestones weren't updated on repositories migrated from GitHub.com.
  • Viewing the Pages section in admin tools would cause a 500 error if no Pages site existed.
  • Incorrect permissions could be set on certificate authority certificates installed with ghe-ssl-ca-certificate-install. This could cause webhooks to fail as the certificates could not be read.
  • Backups could fail to restore if a previous Pages migration had failed on the destination appliance.

Security Fixes

  • HIGH OpenSSH packages have been updated to address multiple vulnerabilities.
  • MEDIUM libxml2 and related packages have been updated to address multiple vulnerabilities.
  • MEDIUM rsync has been updated to address a recently identified vulnerability.
  • LOW Passwords and two-factor authentication one-time passwords could be written to the exceptions log.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
  • On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
  • HIGH (CVE-2015-7547) 2.4 is vulnerable to the glibc getaddrinfo stack-based buffer overflow. To manually patch your appliance, apply the hotfix by connecting to your appliance via SSH and running these commands: (updated 2016-02-17)

    $ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-precise.hpkg
    $ md5sum github-enterprise-libc-precise.hpkg # c068256696f2775579e2cd8223f82306
    $ chmod +x github-enterprise-libc-precise.hpkg
    $ ./github-enterprise-libc-precise.hpkg
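
The hotfix steps above print the expected MD5 as a comment and leave the comparison to the reader. As an added example that is not GitHub's tooling, the POSIX shell script below computes the digest and refuses to mark the package executable or run it unless it matches the published value. The URL and digest are the ones printed above; the function names and the constructed stand-in package are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not GitHub's tooling): apply the hotfix only after its MD5
# matches the published digest, so the "md5sum ... # <expected>" step above
# is enforced by the script rather than compared by eye. URL and digest are
# the ones printed in the note; function names and the sample file are ours.

HPKG_URL="https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-precise.hpkg"
HPKG_MD5="c068256696f2775579e2cd8223f82306"

# file_md5 FILE: print the lowercase hex MD5 of FILE (md5sum on Linux,
# md5 on BSD/macOS).
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi | tr 'A-F' 'a-f'
}

# verify_checksum FILE EXPECTED_MD5: 0 if the digests match (case-insensitive).
verify_checksum() {
  [ "$(file_md5 "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# install_hotfix FILE EXPECTED_MD5
# Makes FILE executable and runs it only when verify_checksum passes; on a
# mismatch (truncated download, wrong file, tampering) it is left untouched.
install_hotfix() {
  pkg="$1"
  if ! verify_checksum "$pkg" "$2"; then
    echo "refusing to run $pkg: md5 $(file_md5 "$pkg") != expected $2" >&2
    return 1
  fi
  case "$pkg" in /*) ;; *) pkg="./$pkg" ;; esac   # run by path, never via PATH lookup
  chmod +x "$pkg" && "$pkg"
}

# fetch_and_install URL EXPECTED_MD5: the full sequence from the note, gated
# on the checksum. Needs network access and the appliance, so it is not run
# here; on the appliance: fetch_and_install "$HPKG_URL" "$HPKG_MD5"
fetch_and_install() {
  curl -fsSLO "$1" || return 1        # -f: an HTTP error page is not a package
  install_hotfix "$(basename "$1")" "$2"
}

# Constructed stand-in for a hotfix: a script that leaves a marker when run.
SAMPLE_HPKG=$(mktemp)
printf '#!/bin/sh\ntouch "$0.ran"\n' > "$SAMPLE_HPKG"
trap 'rm -f "$SAMPLE_HPKG" "$SAMPLE_HPKG.ran"' EXIT

# Published digest against a different file: refused, sample stays non-executable.
install_hotfix "$SAMPLE_HPKG" "$HPKG_MD5" || echo "(refused, exit status $?)"
# Matching digest (computed here only because the sample is made up; on the
# appliance pass the published constant): sample is made executable and run.
install_hotfix "$SAMPLE_HPKG" "$(file_md5 "$SAMPLE_HPKG")" && echo "ran: $SAMPLE_HPKG.ran exists"
```

MD5 catches a truncated or corrupted download. It is not collision resistant, so it is no defence against a party who could replace both the file and the published digest; the HTTPS download from the GitHub-controlled bucket is what protects the transfer itself.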
    

Thanks!

The GitHub Team

GitHub Enterprise 2.4.3 December 15, 2015 Download

Bug Fixes

  • High availability replication could fail to automatically start after a reboot.
  • Viewing raw files in repositories owned by a user or organization named "github" failed with a 400 error.
  • A high availability replica that's been promoted to primary and then set up as a replica again showed the 'Starting...' page instead of the replica status page following a reboot.
  • Starting high availability replication printed verbose MySQL status information.
  • The connection limit for the longpoll service (used for providing live updates to Issues and Pull Requests) could be exhausted on very busy appliances.
  • A team membership invitation email was incorrectly sent to the user when they were added to an Organization's team using the Add team membership API.
  • Git LFS server maintenance jobs could fail to run and throw an exception error.

Changes

  • X11Forwarding for administrative SSH connections is now disabled.
  • The management console now displays a warning when the appliance time is significantly different from the time reported by the browser. A large time difference can cause management console sessions to expire too quickly.
  • The LDAP authorization state is now included in the user suspension reason within the LDAP logs. This will help administrators determine why an LDAP user has been suspended.
  • Legacy organization admin teams, those teams with 'admin' permissions before GitHub Enterprise 2.4.0, are now clearly shown in the organization teams page.
  • Management console sessions could expire too quickly for Safari users.

Security Fixes

  • HIGH An integer overflow in Git could result in incorrect memory allocation values (CVE-2016-2315, CVE-2016-2324). (updated 2016-03-17)
  • MEDIUM libxml2 and related packages have been updated to address multiple vulnerabilities.
  • MEDIUM OpenSSL packages have been updated to address multiple vulnerabilities.
  • LOW Auto-completion within several fields of the management console settings could cause SNMP and LDAP secrets to be logged in plaintext.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Git LFS Client Vulnerability

An issue has been identified that could allow an attacker to execute arbitrary commands on a user’s computer if they had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. However, this file also allowed arbitrary Git configuration options to be modified. We have addressed the vulnerability by restricting the per-repository Git LFS configuration options that can be set to a whitelisted safe subset.

GitHub Enterprise is not directly affected as this is a client-side vulnerability and Git LFS is disabled on GitHub Enterprise by default. If you have enabled Git LFS on your appliance, we recommend you upgrade your clients to Git LFS 1.0.1 or later to address this vulnerability.

Thanks!

The GitHub Team

GitHub Enterprise 2.4.2 December 01, 2015 Download

Bug Fixes

  • Running the ghe-diagnostics command line utility would report a harmless permission denied error.
  • The 'Enable sign-up' option was displayed in the Management Console when external authentication was configured. Account creation is controlled by your external authentication, so the setting had no effect.
  • Old builds of GitHub Pages sites weren't garbage collected, so they could build up and waste disk space.
  • An administrative SSH key was accidentally created and added to the Management Console.
  • Alambic and Pages high availability replication reported 'UNKNOWN' status for delays less than 30 seconds.
  • High availability replication sometimes failed to set the correct master identifier during an upgrade. This prevented MySQL replication from starting.
  • Restoring backups taken from previous versions to GitHub Enterprise 2.4 would fail.
  • Deleting an impersonation OAuth token via the API would fail.

Changes

  • An Organization's event log now reports changes to the default permissions and who made the changes.

Security Fixes

  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Thanks!

The GitHub Team

GitHub Enterprise 2.4.1 November 03, 2015 Download

Bug Fixes

  • The high availability replication status as reported by ghe-repl-status would not report a failure if ElasticSearch was not running.
  • The temporary support bundle archive wasn't removed after a successful upload.
  • ghe-upgrade would fail with a GPG signature error if run as the root user.
  • High availability replication sometimes failed to set the MySQL password correctly which prevented MySQL replication from starting.
  • Non-push events for Organization webhooks failed to be recorded in the 'Recent Deliveries' list.
  • A configuration option in the /etc/ssh/sshd_config file contained an equals sign which caused cloud-init user data scripts to fail.
  • Migrating user, organization, and repository data using ghe-migrator could fail to import a migration archive if it contained empty records.
  • Migrating user, organization, and repository data using ghe-migrator could fail to set the team maintainer role on the destination team during the import.
  • Log forwarding did not include the GitHub application's Nginx log.
  • The tokens added to gist raw links in private mode expired in 30 seconds. These now expire after a week.
  • The merge button could remain disabled on pull requests with protected branches and required statuses when all Travis-initiated status checks had passed.
  • Pages URLs without a trailing slash redirected incorrectly.
  • The default branch selector within the repository settings didn't correctly search for branches.
  • Adding a second unnamed file to a gist would overwrite the first unnamed file added to that gist.

Changes

  • ghe-support-bundle can now be used to upload arbitrary files directly to GitHub using a new -f path option.
  • Admin Tools now shows whether protected branch status checks are enforced for admin users or not.

Security Fixes

  • MEDIUM OpenJDK has been updated to address multiple vulnerabilities related to information disclosure, data integrity and availability.
  • MEDIUM NTP packages have been updated to address multiple vulnerabilities.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Restoring backups from previous versions fail. As a workaround, create an instance matching the version the backup was taken from, restore the backup, then upgrade. (updated 2015-11-05)
  • High availability replication sometimes fails to set the correct master identifier during an upgrade. This prevents MySQL replication from starting. (updated 2015-11-11)
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Errata

  • The failure to migrate repositories in an incomplete state to the new repository disk layout was resolved in 2.4.0. (updated 2015-12-01)

Thanks!

The GitHub Team

GitHub Enterprise 2.4.0 October 13, 2015 Download

New Features

With the new features added in GitHub Enterprise 2.4.0, you can:

Changes

  • In private mode, deploy keys now only give access to the repository they are assigned to. The behavior of deploy keys was previously vague and allowed access to every public repository on the appliance in private mode. This behavior wasn't documented, and is considered unexpected behavior.
  • Fullscreen (Zen mode) editing has been removed.

Upgrading

Upgrading to the 2.4 release series is supported from GitHub Enterprise 2.2.0 and above.

Bug Fixes

  • Email couldn't be sent over TLS when SSL was disabled.
  • Viewing a repository's push log in a web browser displayed the warning 'Reflog Sync disabled on this repository. Results maybe out of date.' This was cosmetic only and did not indicate an issue with the push log or repository storage.
  • Improved the efficiency of Git LFS operations.
  • When a fork was detached from its repository network by an administrator or by changing visibility, its filesystem path wasn't updated on a high availability replica until at least one commit had been pushed.
  • DNS responses are cached to speed up lookups and to reduce the load on DNS servers.
  • Gist repositories were not garbage collected by the maintenance scheduler.

Security Fixes

  • Packages have been updated to the latest security versions.
  • LOW Organization user lookup could reveal private members of other organizations.
  • LOW DES-based SSH ciphers are disabled for Git operations over SSH.

Upcoming deprecation of authentication using GitHub OAuth

User authentication via GitHub OAuth is being deprecated and will be removed in a future feature release. It will be removed no sooner than November 2015.

GitHub Enterprise includes support for authenticating users via OAuth to accounts on GitHub.com because it provides a simple way to set up external authentication. However, after speaking with many customers, we've found that organizations commonly have other sources they want to use to automate identity and access management.

We want to focus on features that best meet the needs of our users, so we're planning to remove support for GitHub OAuth in a future feature release and focus on making ongoing improvements to other authentication methods like SAML and LDAP.

Note that this change will only affect user authentication via GitHub.com and not personal access tokens or OAuth applications added to your GitHub Enterprise instance.

Upcoming deprecation of GitHub Enterprise 2.0

GitHub Enterprise 2.0 will be deprecated as of January 1, 2016. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
  • Management console sessions can expire too quickly for Safari users.
  • Custom firewall rules aren't maintained during an upgrade.
  • Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • Restoring backups from previous versions fail. As a workaround, create an instance matching the version the backup was taken from, restore the backup, then upgrade. (updated 2015-11-05)
  • High availability replication sometimes fails to set the MySQL password correctly which prevents MySQL replication from starting. (updated 2015-11-11)
  • High availability replication sometimes fails to set the correct master identifier during an upgrade. This prevents MySQL replication from starting. (updated 2015-11-11)
  • Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
  • Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Errata

  • The failure to migrate repositories in an incomplete state to the new repository disk layout was resolved in 2.4.0. (updated 2015-12-01)

Thanks!

The GitHub Team