Release notes for the 2.5 series

Security Fixes

• LOW: New, invited users received their initial passwords in clear text via e-mail. A password reset link, valid for 24 hours, is sent to the user instead.
• Packages have been updated to the latest security versions.

Bug Fixes

• The initial import of the VMware OVA image would fail when deployed via vCenter Server 6.0 or 6.5.

Deprecation of GitHub Enterprise 2.5

GitHub Enterprise 2.5 is now deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Console text is difficult to read on OpenStack KVM.
• An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

Security Fixes

• LOW: An internal upload policies API disclosed which users had push access to a repository.
• Packages have been updated to the latest security versions.

Bug Fixes

• Git LFS objects could take up to an hour to replicate in a High Availability configuration.
• Migrations failed to preserve a label with a / character.
• The Management Console Add new SSH key field incorrectly allowed an SSH fingerprint instead of the contents of the key.

Changes

• The <Destination> element is no longer optional in the SAML response.

Deprecation of GitHub Enterprise 2.4

GitHub Enterprise 2.4 is now deprecated as of February 9, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.5

GitHub Enterprise 2.5 will be deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host.
• An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

SAML authentication bypass with XML signature wrapping in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is applicable if the attacker has access to a validly signed SAML assertion or response against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.

The affected supported versions are:

• 2.8.0 - 2.8.6
• 2.7.0 - 2.7.10
• 2.6.0 - 2.6.15
• 2.5.0 - 2.5.20
• 2.4.0 - 2.4.22

Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker has access to configure a repository's Webhooks - owner or admin privileges to a repository.

The affected supported versions are:

• 2.8.0 - 2.8.6
• 2.7.0 - 2.7.10
• 2.6.0 - 2.6.15
• 2.5.0 - 2.5.20
• 2.4.0 - 2.4.22

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:

1. Put your GitHub Enterprise environment in Maintenance Mode.

2. SSH to your primary GitHub Enterprise appliance.

3. Destroy the existing SAML sessions.

   $ echo SAML::Session.destroy_all | ghe-console-github
   

4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

If possible, we also recommend restricting Management Console access to your site administrators.

These vulnerabilities were reported through the GitHub Security Bug Bounty program and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post about the inclusion of GitHub Enterprise, Bug Bounty anniversary promotion: bigger bounties in January and February.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

• CRITICAL: An attacker could bypass SAML authentication via XML signature wrapping and log in as any other user.
• CRITICAL: There was a remote code execution vulnerability via server side request forgery.
• HIGH: With built-in authentication, suspended users could log in.
• Packages have been updated to the latest security versions.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
• An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

SAML authentication bypass in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication by creating a fake response. This could allow the attacker to sign in as any user, including administrators.

The affected supported versions are:

• 2.8.0 - 2.8.5
• 2.7.0 - 2.7.9
• 2.6.0 - 2.6.14
• 2.5.0 - 2.5.19

If you are using SAML as your authentication method, we strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

Additionally, all existing user sessions should be destroyed:

1. Put your GitHub Enterprise environment in Maintenance Mode.

2. SSH to your primary GitHub Enterprise appliance.

3. Destroy the existing SAML sessions.

   $ echo SAML::Session.destroy_all | ghe-console-github
   

4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

This vulnerability was reported through the GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

• CRITICAL: Users could bypass SAML authentication and log in as any other user
• Packages have been updated to the latest security versions.

Changes

• ghe-migrator now scrubs access tokens from the logs.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Changes

• Added cron job to compress core files.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• Appliance settings saved using the /setup/api/settings API endpoint failed to apply when applying at the same time as uploading the license for the first time.

Changes

• GitHub Enterprise is now available in the EU West (London) and Canada (Central) AWS regions.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• Merge button was disabled for protected branches when memcached was stopped.
• Disallow administrators from renaming system accounts.
• Users were unable to update their primary e-mail address after migrating data with ghe-migrator.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Changes

• GitHub Enterprise is now available in the US East (Ohio) AWS region.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• We didn't include the fix for the issue that migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• Changing the default branch of a repository was not synchronized to a high availability replica, so the wrong branch was set as default after fail over.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• We didn't include the fix for the issue that migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)

Thanks!

The GitHub Team

Pre-generated SSH Host Keys in GitHub Enterprise

A CRITICAL issue was identified for all 2.x versions of GitHub Enterprise. The GitHub Enterprise images contain pre-generated SSH host keys that were not regenerated upon installation for all supported platforms:

• Hyper-V (VHD)
• OpenStack KVM (QCOW2)
• VMware ESXi/vSphere (OVA)
• Xen (VHD)
• Amazon Web Services (See the ssh_host_ed25519_key in GitHub Enterprise section below)
• Microsoft Azure

This means an attacker with the capability to perform a man-in-the-middle attack on SSH traffic can intercept and modify network traffic to the GitHub Enterprise appliance.

The affected supported versions are:

• 2.7.0 - 2.7.3
• 2.6.0 - 2.6.8
• 2.5.0 - 2.5.13
• 2.4.0 - 2.4.16
• 2.3.0 - 2.3.20

This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, or 2.3.21. In addition, with backup-utils-2.7.1, ghe-backup and ghe-restore will check for any leaked SSH host keys in the snapshot(s).

Please contact GitHub Enterprise Support if you have questions.

--

Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater

If you've upgraded to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

1. SSH to your primary GitHub Enterprise appliance.

2. Check for leaked SSH host keys using the ghe-ssh-check-host-keys utility.

   $ ghe-ssh-check-host-keys
   

   The utility should output either:

   One or more of your SSH host keys were found in the blacklist.
   Please reset your host keys using ghe-ssh-roll-host-keys.
   

   --

   The SSH host keys were not found in the SSH host key blacklist.
   No additional steps are needed/recommended at this time.
   

3. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

4. Put your GitHub Enterprise environment in Maintenance Mode.

5. Rotate all SSH host keys using the ghe-ssh-roll-host-keys utility.

   $ sudo ghe-ssh-roll-host-keys
   $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
   

   The utility should output:

   $ SSH host keys have successfully been rolled.
   

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, or greater, and you are using the High Availability Configuration, there are no additional steps to take on your replica appliance.

If you've upgraded to GitHub Enterprise 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

6. After completing steps 1-5, stop replication on the replica appliance.

   $ ghe-repl-stop
   

7. Synchronize the SSH host keys from the primary appliance.

   $ ghe-repl-setup
   

8. Resume replication on the replica appliance.

   $ ghe-repl-start
   

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14 or greater, and you are using Clustering,

6. After completing steps 1-5, apply the changes to all cluster nodes.

   $ ghe-cluster-config-apply
   

--

Verification and Mitigation if Immediate Upgrade is not Possible

If you're unable to upgrade immediately to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

1. SSH to your primary GitHub Enterprise appliance.

2. Download the list of leaked SSH host keys and verify its content using any of the provided hashes.

   $ curl -O https://enterprise.github.com/security/2016-09-20/ghe-ssh-leaked-host-keys-list.txt
   $ sha256sum ghe-ssh-leaked-host-keys-list.txt
   3bb29658784a4059a41f1a77cffba9586baab179ba07b795f80e12a9f10c5665  ghe-ssh-leaked-host-keys-list.txt
   $ sha1sum ghe-ssh-leaked-host-keys-list.txt
   5db799da044da9aae0bcfc523d22e7ce0fe72550  ghe-ssh-leaked-host-keys-list.txt
   $ md5sum ghe-ssh-leaked-host-keys-list.txt
   de75bcb0bf1d13e15620952c0af8da41  ghe-ssh-leaked-host-keys-list.txt
   

3. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys.
   Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

   $ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
   1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /etc/ssh/ssh_host_dsa_key.pub (DSA)
   $ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
   256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
   $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
   256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
   $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
   2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /etc/ssh/ssh_host_rsa_key.pub (RSA)
   

4. Check for leaked SSH host keys by comparing against the downloaded list of leaked SSH host keys.

5. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

6. Put your GitHub Enterprise environment in Maintenance Mode.

7. Remove all SSH host keys.

   $ sudo rm -f /etc/ssh/ssh_host_*
   

8. Regenerate the SSH host keys.
   Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used and regenerated for in 2.7.4 or greater.

   $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
   $ sudo dpkg-reconfigure openssh-server
   

9. Apply the changes to the ssh and babeld service.

   $ sudo cp /etc/ssh/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /data/user/common/
   $ sudo chown babeld:babeld /data/user/common/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub}
   

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

10. After completing steps 1-9, stop replication on the replica appliance.

$ ghe-repl-stop

11. Synchronize the SSH host keys from the primary appliance.

$ ghe-repl-setup

12. Resume replication on the replica appliance.

$ ghe-repl-start

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, or greater, and you are using Clustering,

10. After completing steps 1-9, apply the changes to all cluster nodes.

$ ghe-cluster-config-apply

--

Post SSH Host Key Rotation

After rotating the SSH host keys, your GitHub Enterprise environment can exit Maintenance Mode.

Your end-users will receive an error message when attempting to use the Administrative Shell (SSH) or the SSH protocol for Git activity. The rotation does not affect users using the HTTPS protocol for Git activity.

For example, the following is an output from the command-line,

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Please contact your system administrator.
Add correct host key in /Users/monalisa/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/monalisa/.ssh/known_hosts:42
ECDSA host key for [github.example.com]:122 has changed and you have requested strict checking.
Host key verification failed.

After updating the known_hosts, end-users will be prompted to accept a new fingerprint.

$ ssh -p 122 admin@github.example.com
The authenticity of host '[github.example.com]:122 ([169.254.1.1]:122)' can't be established.
ECDSA key fingerprint is SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Are you sure you want to continue connecting (yes/no)?

We strongly recommend publishing your GitHub Enterprise appliance's SSH host key fingerprints in a location that is accessible to all your end-users. For example, for GitHub.com, we publish the SSH fingerprints at https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/.

If you'd like to to give end-users notice before rotating the SSH host keys, follow the instructions in the Verification and Mitigation if Immediate Upgrade is not Possible skipping step 7 and replacing step 8 with,

8. Regenerate the SSH host keys.
   Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used and regenerated for in 2.7.4 or greater.

   i. Pre-generate new SSH host keys to a temporary directory.

   $ ssh-keygen -t dsa -N "" -f /var/tmp/ssh_host_dsa_key
   $ ssh-keygen -t rsa -N "" -f /var/tmp/ssh_host_rsa_key
   $ ssh-keygen -t ecdsa -N "" -f /var/tmp/ssh_host_ecdsa_key
   $ ssh-keygen -t ed25519 -N "" -f /var/tmp/ssh_host_ed25519_key
   

   ii. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys for tentative rotation.

   $ ssh-keygen -lf /var/tmp/ssh_host_dsa_key.pub
    1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /var/tmp/ssh_host_dsa_key.pub (DSA)
   $ ssh-keygen -lf /var/tmp/ssh_host_ecdsa_key.pub
    256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /var/tmp/ssh_host_ecdsa_key.pub (ECDSA)
   $ ssh-keygen -lf /var/tmp/ssh_host_ed25519_key.pub
    256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /var/tmp/ssh_host_ed25519_key.pub (ED25519)
   $ ssh-keygen -lf /var/tmp/ssh_host_rsa_key.pub
   248 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /var/tmp/ssh_host_rsa_key.pub (RSA)
   

   iii. Once you are ready to migrate to the new, rotated SSH host keys, move the host keys from the temporary directory and apply the changes to the ssh service.

   $ sudo mv /var/tmp/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /etc/ssh
   $ sudo service ssh restart
   

   iv. Continue with steps 9 in the Verification and Mitigation if Immediate Upgrade is not Possible section.

ssh_host_ed25519_key in GitHub Enterprise

The 2.x versions of GitHub Enterprise on all supported platforms:

• Hyper-V (VHD)
• OpenStack KVM (QCOW2)
• VMware ESXi/vSphere (OVA)
• Xen (VHD)
• Amazon Web Services
• Microsoft Azure

contain a pre-generated ssh_host_ed25519_key. However, only GitHub Enterprise 2.7.4 or greater use the ssh_host_ed25519_key. This can be verified by checking your GitHub Enterprise appliance's /etc/ssh/sshd_config, which added HostKey /etc/ssh/ssh_host_ed25519_key in 2.7.4 or greater.

The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

If you've upgraded your appliance to 2.7.4 or greater on any of the supported platforms including Amazon Web Services, please follow the instructions in the Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater section.

Security Fixes

• CRITICAL Pre-generated SSH host keys were not regenerated when installing appliances from GitHub Enterprise 2.x images.
• Packages have been updated to the latest security versions.

Bug Fixes

• In a clustering environment, storage assets that were not replicated or marked for deletion were not properly maintained.
• Users were unable to add or remove deploy keys when LDAP sync is enabled.

Changes

• GitHub Enterprise is now available in the Asia Pacific (Mumbai) AWS region.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• The Pre-generated SSH Host Keys in GitHub Enterprise vulnerability disclosure added the ssh_host_ed25519_key in GitHub Enterprise for GitHub Enterprise 2.7.4 or greater appliances on the Amazon Web Services platform. (updated 2016-09-22)
• We didn't include the fix for the issue that migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• In a clustering environment, Gists were not being replicated to new nodes.
• git-lfs pull could cause high MySQL CPU usage.
• Gist IDs could incorrectly collide when MySQL restarted.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• We didn't include the fix for the issue that migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)

Thanks!

The GitHub Team

Security Fixes

• HIGH: Worked around Microsoft Internet Explorer bug causing redirects to the incorrect hostname during OAuth negotiation.
• MEDIUM: Users were able to delete SSH and/or GPG keys when LDAP sync is enabled.
• Packages have been updated to the latest security versions.

Bug Fixes

• An appliance would enter maintenance mode earlier than expected if scheduled more than a week in advance.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• We didn't include the fix for the issue that migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)

Thanks!

The GitHub Team

Security Fixes

• LOW The permissions on rbenv, used by many components of GitHub Enterprise, have been tightened.
• Packages have been updated to the latest security versions.

Bug Fixes

• The schema for requests to and responses from the LFS API has been relaxed to allow additional properties. This will allow the API to be extended in the future.
• Organizations could be suspended using the ghe-user-suspend command.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)
• Console text is difficult to read on OpenStack KVM.
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• We didn't include the fix for the issue that migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)

Thanks!

The GitHub Team

Security Fixes

• HIGH Due to the way that email addresses with Unicode in the 'local part' are handled, it was possible to generate a password reset token for an email address and have it delivered to a separate email address with Unicode homoglyphs that normalized to the original email address.
• LOW Admin users could still access user reports after being suspended.
• Packages have been updated to the latest security versions.

Bug Fixes

• LDAP sync failed on suspended users if restricted groups are not configured.
• Pushing Git LFS objects to a fork of a repository the user only has read access to would fail.
• PSD files stored in LFS failed to render.
• Alambic services would not run on job-server cluster nodes.
• Downloading identical user or repository reports in quick succession could lead to a build up in duplicate jobs that could affect the performance of the appliance.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• We didn't include the fix for the issue that migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-11-15)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• Authenticating using SAML could fail if the authentication process took too long, for example when a user is performing two-factor authentication with the SAML server.
• Importing or restoring a Redis database using ghe-import-redis or setting up a cluster, could fail if reading in the data takes longer than 30 seconds to complete.

Known Issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail.
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Security Fixes

• Packages have been updated to the latest security versions.

Bug Fixes

• The Redis database was not properly cleared when restoring with the backup utilities more than once to GitHub Enterprise in a Cluster configuration. This could waste disk space and cause restores to be slow.
• Deleting Git LFS files from the site admin dashboard failed with a 500 error.
• Uploading a support bundle with a ticket reference using ghe-cluster-support-bundle -t [ticket reference] failed on a GitHub Enterprise Cluster.
• OAuth application callback hostnames were limited to no longer than 63 characters, which caused some OAuth applications to stop working.
• A missing Git repository on a high availability replica could block Git replication.

Known issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Security Fixes

• CRITICAL Final policies that were pending for the ImageMagick vulnerability (first applied in GitHub Enterprise 2.5.6) have now been applied, to address
  CVE-2016-3714. Note that GitHub Enterprise only uses ImageMagick for PSD files to which the vulnerability did not apply. (updated 2016-07-13)
• HIGH Release assets from a public repository could be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• Packages have been updated to the latest security versions.

Bug Fixes

• CAS logout failed when the CAS server URL includes a path.

Known issues

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Security Fixes

• CRITICAL ImageMagick policies have been updated to address CVE-2016-3714.
• HIGH OpenSSL packages have been updated to address multiple vulnerabilities, including CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, and CVE-2016-2109.

Remote Code Execution in ImageMagick

Several vulnerabilities in ImageMagick, a package commonly used by web services to process images, have been discovered and disclosed by members of the Mail.ru Security team. One of the vulnerabilities is critical and can lead to remote code execution when processing user submitted images.

Final patches for all the disclosed vulnerabilities within ImageMagick are still pending. This release mitigates the remote code execution vulnerability by implementing the recommended policy to disable the vulnerable ImageMagick coders.

This vulnerability exists in ImageMagick but there is no evidence that it has been exploited on GitHub Enterprise.

We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.

Mitigation
If you can't immediately upgrade, the issue can be mitigated by implementing the policy changes as follows:

1. SSH to your GitHub Enterprise appliance.

2. Edit the /etc/ImageMagick/policy.xml file:

   sudo vi /etc/ImageMagick/policy.xml
   

3. Disable the vulnerable coders by replacing the <policymap> section with:

   <policymap>
     <policy domain="coder" rights="none" pattern="EPHEMERAL" />
     <policy domain="coder" rights="none" pattern="URL" />
     <policy domain="coder" rights="none" pattern="HTTPS" />
     <policy domain="coder" rights="none" pattern="MVG" />
     <policy domain="coder" rights="none" pattern="MSL" />
   </policymap>
   

There is no need to reboot or restart any services; the changes will take effect immediately.

Please contact GitHub Enterprise Support if you have any questions.

Bug Fixes

• Memcached didn't log warnings or errors.
• Harmless empty lines were added to the admin user's authorized_keys file every time the configuration was saved.

Known issues

• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Bug Fixes

• A migration archive with @mentions in issues or comments that contain dashes were not correctly rewritten when imported on the destination appliance.
• User sessions were not properly revoked when they reached the expiry limit set by the SAML identity provider (IdP).
• User web browser sessions were revoked after 14 days of inactivity instead of 30 days.
• Initial checkouts using SVN could be slow.

Changes

• The number of simultaneous connections tracked by the appliance firewall has been increased to 524288.
• Cluster mode now runs with more workers based on the amount of memory assigned to the node.

Security Fixes

• MEDIUM Resolved a cross-site scripting (XSS) vulnerability in task lists.
• MEDIUM Implemented mitigation for a URI decoding vulnerability that affects modern versions of Microsoft Internet Explorer.
• Packages have been updated to the latest security versions.

Known issues

• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Remote Code Execution in GitHub Enterprise Management Console

An issue was identified that could allow an attacker to execute arbitrary commands on the GitHub Enterprise appliance. This vulnerability exists in the Management Console which is accessible from port 8080 and 8443. This is only applicable to GitHub Enterprise 2.5.0, 2.5.1, 2.5.2, and 2.5.3.

We strongly recommend you upgrade your GitHub Enterprise appliance to GitHub Enterprise 2.5.4 immediately.

This vulnerability was reported to our GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.

If you're unable to upgrade immediately, the issue can be mitigated by blocking traffic to port 8080 and 8443 from any untrusted IP addresses. If your GitHub Enterprise appliance is behind a firewall device, you can block inbound requests to port 8443 and 8080 and allow trusted IP addresses. Alternatively, you can do this directly in the appliance,

1. SSH to your GitHub Enterprise appliancee

2. Block all traffic to ports 8080 and 8443

   $ sudo ufw insert 1 deny proto tcp from any to any port 8080,8443
   

3. Allow a trusted IP address to access the Management Console by replacing <IPADDRESS>

   $ sudo ufw insert 1 allow proto tcp from <IPADDRESS> to any port 8080,8443
   

To remove the mitigation on your appliance,

1. SSH to your GitHub Enterprise appliance

2. Identify the numbered firewall rule to remove

   $ sudo ufw status numbered | grep '8080,8443/tcp' | grep DENY | head -n1
   

3. Remove the firewall rule by replacing <NUMBER>

   $ sudo ufw delete <NUMBER>
   

4. Run steps 2 and 3 until the firewall rules from step 2 are removed.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

• CRITICAL There was a remote code execution vulnerability through the Management Console.

Bug Fixes

• The Management Console email test could fail due to certificate validation errors. Emails sent from the GitHub application would still be successfully delivered.

Changes

• Shell history is written after each command.

Known issues

• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
• User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Bug Fixes

• Migrating wikis to the new repository layout could fail if the original migration was interrupted before completion.
• Custom certificate authority (CA) certificates were not maintained across upgrades with SSL disabled.
• Protected branches could be updated when making a Git force push against multiple identical branches.
• Forking a Gist failed with a 500 error.
• ghe-support-bundle could report harmless warning messages.
• GitHub Importer API endpoints were enabled but GitHub Enterprise doesn't support the Importer.
• A quota limit warning email could be incorrectly triggered when transferring repositories with Git LFS objects.

Changes

• Automatic Update Checking and downloading now checks for feature releases.

Security Fixes

• MEDIUM Resolved a cross-site scripting (XSS) vulnerability.
• LOW The secure flag was not set for the _gh_render cookie, potentially allowing the render cookie to be sent in plaintext HTTP requests. However, Enterprise sets the Strict-Transport-Security header for modern browsers when SSL is enabled, which largely mitigates the issue.
• Packages have been updated to the latest security versions.

Known issues

• CRITICAL There is a remote code execution vulnerability through the Management Console, patched in GitHub Enterprise 2.5.4. (updated 2016-03-31)
• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
• User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Bug Fixes

• Changing a public repository to private would cause Git operations to stop replicating to the high availability replica.
• Downloading a release asset from a private repository with the Releases API failed with an internal server error.
• Automatic update checks failed to locate an upgrade package.
• Upgrading to 2.5 could take a very long time on instances with a large number of assets, such as release downloads, Git LFS objects, Avatars, and image attachments to wikis and issues.
• In cluster mode, restoring backups to the nodes of a cluster required storage-server and git-server roles to be on the same machine.
• Upgrading to 2.5 could fail during the transition of recently deleted Gists.
• Images in Issue comment emails would not be displayed if private mode is enabled.
• Replication conflicts could occur if cluster nodes are initialized in the wrong order.
• Cluster support bundles could fail to generate.
• Restoring Redis data from a backup could report a "LOADING: integer expression expected" error.
• Importing a migration archive using gh-migrator with unresolved conflicts could fail with an "undefined method" error.
• The Issues Events API returned the incorrect actor for an issue assignment event.

Changes

• High availability replication now runs with four workers. This will lead to quicker synchronization when initially starting replication and ongoing replication on very busy instances.
• The global Maximum Object Size advanced setting can now be set in the Admin Center.

Security Fixes

• MEDIUM OpenSSL packages have been updated to address multiple vulnerabilities, including CVE-2016-0800, known as DROWN, which did not affect GitHub Enterprise.
• MEDIUM Ruby on Rails packages have been updated to address multiple vulnerabilities.
• MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 (CVE-2015-0072).
• MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability where plain text or other content types could be parsed as HTML.
• Packages have been updated to the latest security versions.
• The ca-certificates package has been updated to remove outdated certificate authority (CA) certificates. This update refreshes the included certificates and removes the SPI CA and CA certificates with 1024-bit RSA keys.

Known issues

• CRITICAL There is a remote code execution vulnerability through the Management Console, patched in GitHub Enterprise 2.5.4. (updated 2016-03-31)
• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
• A quota limit warning email can be incorrectly triggered when transferring repositories with Git LFS objects.
• User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

Bug Fixes

• The Collectd log file was not rotated and could grow quite large.
• Duplicate Pages sites in /data/user/pages differing only by case could cause an upgrade to fail. This may occur if a background job for a rename or deletion had failed on a previous Enterprise release.
• The Audit Log map could fail to render correctly.
• The Audit Log dashboard could fail to load.
• Periodic LDAP user and group memberships synchronization jobs did not run automatically.
• LDAP Sync didn't remove a user that was no longer a member of an LDAP group.
• LDAP authentication attempted bind multiple times using the same credentials. If these credentials are incorrect, this could cause accounts to be locked on the LDAP server.
• Incorrect permissions on /data/repositories/info/svn-v4-upgraded could cause restores to fail.
• Saving settings in the management console could overwrite the SAML Issuer with the value of the SAML certificate issuer, causing authentication to fail.
• Upgrading directly from any 2.3 release to 2.5.0 could result in the removal of all personal access tokens.
• Repository disk usage could be incorrectly calculated in the site admin.
• If Git LFS was globally disabled prior to upgrading, manual configuration was required to re-enabled it.
• ghe-check-disk-usage could fail to display filesystem information.
• ghe-cluster-status could exit early without printing the status of all nodes in the cluster.

Security Fixes

• HIGH glibc packages have been updated to address CVE-2015-7547, a getaddrinfo stack-based buffer overflow.
• HIGH libssh packages have been updated to address CVE-2016-0739, a weakness in diffie-hellman secret key generation.
• MEDIUM nss packages have been updated to address CVE-2016-1938.
• Packages have been updated to the latest security versions.

Known issues

• CRITICAL There is a remote code execution vulnerability through the Management Console, patched in GitHub Enterprise 2.5.4. (updated 2016-03-31)
• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• Enqueued background jobs are sometimes not purged when a repository is deleted.
• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
• Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
• In cluster mode, restoring backups to the nodes of a cluster require storage-server and git-server roles to be on the same machine.
• Downloading a release asset from a private repository with the Releases API fails with an internal server error. (updated 2016-02-23)
• Automatic update checks fail to locate an upgrade package.
• User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

New Features

With the new features added in GitHub Enterprise 2.5.0, you can:

• Increase scalability with GitHub Clustering.
• Configure Advanced Settings in the new Admin Center.
• Configure Protected Branches using the preview API.
• Enjoy a new look for repositories and a simplified sign-up and sign-in flow.
• Take full advantage of SVN 1.8 and 1.9.
• Be more resilient to the specific problem of a lot of clients fetching the same data at almost the same time.

Changes

• Wikis are only editable by collaborators by default.
• Markdown can now be used in the announcement banner.
• Pushes that attempt to delete a repository's default branch are rejected.
• LDAP Sync now gracefully handles user DN changes.
• Git LFS is enabled on all repositories by default.
• The search index definitions have changed. Some searches will return partial results while the search indices are rebuilt. (updated 2016-02-18)
• The SAML authentication flow has been tightened to better conform to the SAML specification. This means all responses from your SAML server for SP-initiated authentication must include the RelayState parameter as sent from the appliance. For IdP-initiated authentication you must ensure the "IdP initiated SSO (disables AuthnRequest)" setting is checked within the management console. You may experience a redirect loop between your appliance and your SAML server if either of these conditions are not met. (updated 2016-02-29)

Upgrading

Upgrading to the 2.5 release series is supported from GitHub Enterprise 2.3.0 and above.

Backup & Restore

In order to backup and restore GitHub Enterprise 2.5, you will need to upgrade backup-utils to version 2.5.0.

Bug Fixes

• Repository maintenance was not run on the high availability replica. This could lead to high load while repositories were repacked when first promoting the replica.
• Accessing the raw URL for a file named 'policies' would fail with a 404 error.
• Downloading the diagnostics via the Management Console could time out on instances with many release or Git LFS assets.
• We tried to log timing statistics to an inaccessible statsd server when downloading release assets.
• Repository milestones weren't updated on repositories migrated from GitHub.com.
• Viewing the Pages section in admin tools would cause a 500 error if no Pages site existed.
• Incorrect permissions could be set on certificate authority certificates installed with ghe-ssl-ca-certificate-install. This could cause webhooks to fail as the certificates could not be read.
• Backups could fail to restore if a previous Pages migration had failed on the destination appliance.
• The incorrect Pages domain was shown in Pages section of a repository in Admin Tools.
• Two-factor authentication screens and emails would refer to using SMS fallback recovery.
• The management console settings interface didn't clearly show if you have previously uploaded certificate files or a private key. (updated 2016-02-10)

Security Fixes

• HIGH OpenSSH packages have been updated to address multiple vulnerabilities.
• HIGH An integer overflow in Git could result in incorrect memory allocation values (CVE-2016-2315, CVE-2016-2324). (updated 2016-03-17)
• MED libxml2 and related packages have been updated to address multiple vulnerabilities.
• MED rsync has been updated to address a recently identified vulnerability.
• LOW Passwords and two-factor authentication one-time passwords could be written to the exceptions log.

Git LFS Client Vulnerability

An issue was identified that could allow an attacker to execute arbitrary commands on a user’s computer if they had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. However, this file also allowed arbitrary Git configuration options to be modified. We have addressed the vulnerability by whitelisting the set of per-repository Git LFS configuration options that can be used to a safe subset.

GitHub Enterprise is not directly affected as this is a client-side vulnerability but as Git LFS is now enabled by default, we recommend you upgrade your clients to Git LFS 1.0.1 or later to address this vulnerability.

Asset storage changes (updated 2016-02-24)

To prepare for GitHub Clustering, this release changes the way GitHub Enterprise stores assets, such as release downloads, Git LFS objects, Avatars, and image attachments to wikis and issues. On instalations with many large assets, moving assets to their new location can take a long time. As always, we encourage you to test the upgrade in a staging environment before upgrading your production instance.

Deprecation of GitHub Enterprise 2.0

GitHub Enterprise 2.0 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.1

GitHub Enterprise 2.1 will be deprecated as of April 4, 2016. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Deprecation of Support for Internet Explorer 9 and 10

Support for Internet Explorer 9 and 10 will be deprecated in a future release. There will be no changes in site functionality, but a warning banner will be displayed to Internet Explorer 9 and 10 users.

Known Issues

• CRITICAL There is a remote code execution vulnerability through the Management Console, patched in GitHub Enterprise 2.5.4. (updated 2016-03-31)

• HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)

• Saving settings in the management console can overwrite the SAML Issuer with the value of the SAML certificate issuer, causing authentication to fail. The SAML Issuer must be set manually each time any settings are saved if a certificate has been uploaded. (updated 2016-02-12)

• We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.

• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.

• The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key. (updated 2016-02-10)

• Custom firewall rules aren't maintained during an upgrade.

• Enqueued background jobs are sometimes not purged when a repository is deleted.

• If Git LFS was globally disabled prior to upgrading, manual configuration may be required to re-enabled it.

• On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

• Upgrading directly from any 2.3 release to 2.5.0 can result in the removal of all personal access tokens. This can be prevented by upgrading to any 2.4 release first. (updated 2016-02-15)

• HIGH (CVE-2015-7547) 2.5.0 is vulnerable to glibc getaddrinfo stack-based buffer overflow. To manually patch your appliance, apply the hotfix by connecting to your appliance via SSH and running these commands: (updated 2016-02-17)

  $ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-trusty.hpkg
  $ md5sum github-enterprise-libc-trusty.hpkg # 9deaf87e3313e9239e42179b78cd024a
  $ chmod +x github-enterprise-libc-trusty.hpkg
  $ ./github-enterprise-libc-trusty.hpkg
  

• Periodic LDAP user and group memberships synchronization jobs do not run automatically. Synchronization can still be triggered manually. (updated 2016-02-18)

• Downloading a release asset from a private repository with the Releases API fails with an internal server error. (updated 2016-02-23)

• Automatic update checks fail to locate an upgrade package.

• User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.

• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)

• Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)

• Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)

• The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)

• Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

• The management console displays a summary of any previously uploaded certificate and private key files as of 2.5.0. (updated 2016-02-10)

Thanks!

The GitHub Team