GitHub Enterprise 2.6.20 (April 18, 2017)

Security Fixes

  • MEDIUM: Local privileged MySQL credentials and Alambic HMAC/API keys were exposed in log files included in the support bundle.
  • None of the currently supported releases of GitHub Enterprise are affected by the Linux kernel UDP remote code execution vulnerability issued 4 April 2017 (CVE-2016-10229).
  • Packages have been updated to the latest security versions.

Bug Fixes

  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggered a firewall rule that caused an internal server error on several pages, including the author's profile page.
  • Collectd statistics were collected for the temporary pre-receive hook environment mount points.

Changes

  • More colors are used in the monitoring graphs in a high availability environment, making them more legible.

Deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 is now deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.

Thanks!

The GitHub Team

GitHub Enterprise 2.6.19 (March 29, 2017)

Security Fixes

  • LOW: Detect and reject any Git content that shows evidence of being part of a SHA-1 collision attack.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The /trending page could incorrectly display a Sign up for free button.
  • The total number of organizations was incorrect because the count included trusted OAuth applications.
  • Administrators couldn't restore deleted LFS objects.

Upcoming deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not. (updated 2017-03-30)
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.18 (March 14, 2017)

Security Fixes

  • LOW: New, invited users received their initial passwords in clear text via e-mail. A password reset link, valid for 24 hours, is sent to the user instead.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The initial import of the VMware OVA image would fail when deployed via vCenter Server 6.0 or 6.5.

Deprecation of GitHub Enterprise 2.5

GitHub Enterprise 2.5 is now deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.17 (March 01, 2017)

Security Fixes

  • LOW: An internal upload policies API disclosed which users had push access to a repository.
  • LOW: An internal administrative API was vulnerable to cross-site request forgery (CSRF).
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Git LFS objects could take up to an hour to replicate in a High Availability configuration.
  • Migrations failed to preserve a label with a / character.
  • The Management Console Add new SSH key field incorrectly allowed an SSH fingerprint instead of the contents of the key.
  • A former primary appliance failed to create or update pre-receive hook environments.

Changes

  • The <Destination> element is no longer optional in the SAML response.

Deprecation of GitHub Enterprise 2.4

GitHub Enterprise 2.4 is now deprecated as of February 9, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.5

GitHub Enterprise 2.5 will be deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host.
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.16 (January 31, 2017)

SAML authentication bypass with XML signature wrapping in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is applicable if the attacker has access to a validly signed SAML assertion or response against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.

The affected supported versions are:

  • 2.8.0 - 2.8.6
  • 2.7.0 - 2.7.10
  • 2.6.0 - 2.6.15
  • 2.5.0 - 2.5.20
  • 2.4.0 - 2.4.22

Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.
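The structural checks a SAML consumer needs around signature verification so that a signed assertion cannot be moved aside and an unsigned one read in its place, as an added example in Python that is not GitHub's code; it also covers the Destination check that the 2.6.17 notes on this page make mandatory. It assumes a hypothetical assertion consumer URL (https://ghe.example.test/saml/consume), uses constructed sample responses whose ds:SignatureValue is a placeholder, and leaves the cryptographic check of that value to an XML-DSig library.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical assertion consumer URL of this service provider (assumption).
ACS_URL = "https://ghe.example.test/saml/consume"


def _t(ns: str, local: str) -> str:
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


# Constructed sample of a wrapped response: the signed assertion (_signed,
# alice) has been moved under samlp:Extensions and an unsigned assertion
# (_forged, eve) placed where a consumer expects to find the assertion.
# ds:SignatureValue is a placeholder, not a real signature.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Destination="https://ghe.example.test/saml/consume">
  <saml:Assertion ID="_forged">
    <saml:Subject><saml:NameID>eve@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
  <samlp:Extensions>
    <saml:Assertion ID="_signed">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_signed"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
</samlp:Response>"""

# Constructed sample of a well-formed response: the only assertion is a direct
# child of the response and carries its own enveloped signature.
VALID_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r2" Destination="https://ghe.example.test/saml/consume">
  <saml:Assertion ID="_signed">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_signed"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def naive_subject(response_xml: str) -> str:
    """Vulnerable pattern: assume some signature in the document verified,
    then read the first saml:Assertion found anywhere."""
    root = ET.fromstring(response_xml)
    assertion = next(root.iter(_t(SAML, "Assertion")))
    return assertion.find(_t(SAML, "Subject") + "/" + _t(SAML, "NameID")).text


def signed_assertion_subject(response_xml: str, expected_destination: str) -> str:
    """Return the NameID of the single assertion the signature actually covers.

    Accepts only an assertion that is a direct child of samlp:Response, carries
    an enveloped ds:Signature whose one Reference URI is the assertion's own ID,
    and whose ID occurs exactly once in the document. Raises ValueError otherwise.
    """
    root = ET.fromstring(response_xml)
    if root.tag != _t(SAMLP, "Response"):
        raise ValueError("root element is not samlp:Response")
    # Destination must name this service provider (the 2.6.17 notes make it
    # mandatory); a response minted for another SP is rejected outright.
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination does not match this service provider")
    all_assertions = list(root.iter(_t(SAML, "Assertion")))
    candidates = []
    for assertion in root.findall(_t(SAML, "Assertion")):  # direct children only
        aid = assertion.get("ID")
        sig = assertion.find(_t(DS, "Signature"))  # enveloped in this assertion
        if not aid or sig is None:
            continue
        uris = [r.get("URI") for r in sig.iter(_t(DS, "Reference"))]
        if uris != ["#" + aid]:
            continue
        # A duplicated ID would let a second element claim the same reference.
        if sum(1 for a in all_assertions if a.get("ID") == aid) != 1:
            raise ValueError("assertion ID %r is not unique" % aid)
        candidates.append(assertion)
    if len(candidates) != 1:
        raise ValueError("expected one signed top-level assertion, found %d"
                         % len(candidates))
    name_id = candidates[0].find(_t(SAML, "Subject") + "/" + _t(SAML, "NameID"))
    if name_id is None or not name_id.text:
        raise ValueError("signed assertion has no NameID")
    return name_id.text


def validation_error(response_xml: str, expected_destination: str):
    """The rejection reason as a string, or None when the response is accepted."""
    try:
        signed_assertion_subject(response_xml, expected_destination)
        return None
    except ValueError as exc:
        return str(exc)
```

On the wrapped sample the naive consumer logs in eve while the strict one rejects the response; only the well-formed sample is accepted, and only as alice.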

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker has access to configure a repository's Webhooks - owner or admin privileges to a repository.

The affected supported versions are:

  • 2.8.0 - 2.8.6
  • 2.7.0 - 2.7.10
  • 2.6.0 - 2.6.15
  • 2.5.0 - 2.5.20
  • 2.4.0 - 2.4.22

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:

  1. Put your GitHub Enterprise environment in Maintenance Mode.

  2. SSH to your primary GitHub Enterprise appliance.

  3. Destroy the existing SAML sessions.

    $ echo SAML::Session.destroy_all | ghe-console -y
    
  4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

If possible, we also recommend restricting Management Console access to your site administrators.

These vulnerabilities were reported through the GitHub Security Bug Bounty program and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post about the inclusion of GitHub Enterprise, Bug Bounty anniversary promotion: bigger bounties in January and February.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

  • CRITICAL: An attacker could bypass SAML authentication via XML signature wrapping and log in as any other user.
  • CRITICAL: There was a remote code execution vulnerability via server side request forgery.
  • HIGH: With built-in authentication, suspended users could log in.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.15 (January 12, 2017)

SAML authentication bypass in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication by creating a fake response. This could allow the attacker to sign in as any user, including administrators.

The affected supported versions are:

  • 2.8.0 - 2.8.5
  • 2.7.0 - 2.7.9
  • 2.6.0 - 2.6.14
  • 2.5.0 - 2.5.19

If you are using SAML as your authentication method, we strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

Additionally, all existing user sessions should be destroyed:

  1. Put your GitHub Enterprise environment in Maintenance Mode.

  2. SSH to your primary GitHub Enterprise appliance.

  3. Destroy the existing SAML sessions.

    $ echo SAML::Session.destroy_all | ghe-console -y
    
  4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

This vulnerability was reported through the GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

  • CRITICAL: Users could bypass SAML authentication and log in as any other user.
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.14 (January 04, 2017)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Alambic crashed while resizing user avatars.

Changes

  • ghe-migrator now scrubs access tokens from the logs.
  • A cron job was added to compress core files.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.13 (December 21, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Pushing an update could cause the babeld service to segfault under certain circumstances.
  • The deletion of branches and tags rejected by a pre-receive hook would have failed with the error "Something went wrong with the request. Please try again."
  • Appliance settings saved using the /setup/api/settings API endpoint failed to apply when they were submitted at the same time as the initial license upload.

Changes

  • GitHub Enterprise is now available in the EU West (London) and Canada (Central) AWS regions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.12 (November 22, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • LFS push failed with a 0-byte file.
  • In a clustering environment, LFS file uploads failed due to an internal HTTP timeout.
  • Merge button was disabled for protected branches when memcached was stopped.
  • Administrators were incorrectly allowed to rename system accounts.
  • Users were unable to update their primary e-mail address after migrating data with ghe-migrator.
  • The ghe-update-check utility returned an incorrect "you must first upgrade to" message when an intermediate upgrade was not necessary.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.11 (November 01, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, a clustering node made unnecessary internal API calls through the load balancer.

Changes

  • GitHub Enterprise is now available in the US East (Ohio) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering cannot be configured without HTTPS.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.10 (October 18, 2016)

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, the web application service could fail to start after a cluster configuration run.
  • Background jobs were deleted and lost when stopping replication. This happens when failing over to a high availability replica and during a cluster configuration run.
  • Forking a repository could fail if the maintenance job for the repository's network ran at the same time.
  • Running git symbolic-ref would hang when resolving references with broken symlinks.
  • LDAP Sync re-suspended users that were already suspended, causing unnecessary audit log entries.
  • Changing the default branch of a repository was not synchronized to a high availability replica, so the wrong branch was set as default after fail over.
  • LDAP Sync removed and re-added users or teams when their distinguished name contained upper case characters.
  • After a crashed process was restarted, data for the Management Console monitoring graphs may not have resumed being written immediately.
  • An error was thrown when trying to access audit logs containing authentication attempts using two-factor authentication.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering can not be configured without https.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.9 September 20, 2016 Download

Pre-generated SSH Host Keys in GitHub Enterprise

A CRITICAL issue was identified for all 2.x versions of GitHub Enterprise. The GitHub Enterprise images contain pre-generated SSH host keys that were not regenerated upon installation for all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services (See the ssh_host_ed25519_key in GitHub Enterprise section below)
  • Microsoft Azure

Because every appliance deployed from the same image shares those keys, anyone holding the image holds the appliance's private host keys. An attacker who can position themselves between a client and the appliance (a man-in-the-middle attack on SSH traffic) can therefore impersonate the appliance and intercept and modify SSH traffic to it, both Git over SSH and the Administrative Shell.

The affected supported versions are:

  • 2.7.0 - 2.7.3
  • 2.6.0 - 2.6.8
  • 2.5.0 - 2.5.13
  • 2.4.0 - 2.4.16
  • 2.3.0 - 2.3.20

This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, or 2.3.21. In addition, with backup-utils-2.7.1, ghe-backup and ghe-restore will check for any leaked SSH host keys in the snapshot(s).

Please contact GitHub Enterprise Support if you have questions.

--

Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater

If you've upgraded to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Check for leaked SSH host keys using the ghe-ssh-check-host-keys utility.

    $ ghe-ssh-check-host-keys
    

    The utility should output either:

    One or more of your SSH host keys were found in the blacklist.
    Please reset your host keys using ghe-ssh-roll-host-keys.
    

    --

    The SSH host keys were not found in the SSH host key blacklist.
    No additional steps are needed/recommended at this time.
    
  3. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  4. Put your GitHub Enterprise environment in Maintenance Mode.

  5. Rotate all SSH host keys using the ghe-ssh-roll-host-keys utility.

    $ sudo ghe-ssh-roll-host-keys
    $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    

    The utility should output:

    SSH host keys have successfully been rolled.
    

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, or greater, and you are using the High Availability Configuration, there are no additional steps to take on your replica appliance.

If you've upgraded to GitHub Enterprise 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-5, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start
    

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14 or greater, and you are using Clustering,

  1. After completing steps 1-5, apply the changes to all cluster nodes.

    $ ghe-cluster-config-apply
    

--

Verification and Mitigation if Immediate Upgrade is not Possible

If you're unable to upgrade immediately to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Download the list of leaked SSH host keys and verify its content using any of the provided hashes.

    $ curl -O https://enterprise.github.com/security/2016-09-20/ghe-ssh-leaked-host-keys-list.txt
    $ sha256sum ghe-ssh-leaked-host-keys-list.txt
    3bb29658784a4059a41f1a77cffba9586baab179ba07b795f80e12a9f10c5665  ghe-ssh-leaked-host-keys-list.txt
    $ sha1sum ghe-ssh-leaked-host-keys-list.txt
    5db799da044da9aae0bcfc523d22e7ce0fe72550  ghe-ssh-leaked-host-keys-list.txt
    $ md5sum ghe-ssh-leaked-host-keys-list.txt
    de75bcb0bf1d13e15620952c0af8da41  ghe-ssh-leaked-host-keys-list.txt
    
  3. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

    $ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
    1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /etc/ssh/ssh_host_dsa_key.pub (DSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
    256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
    256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
    $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /etc/ssh/ssh_host_rsa_key.pub (RSA)
    
  4. Check for leaked SSH host keys by comparing against the downloaded list of leaked SSH host keys.

  5. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  6. Put your GitHub Enterprise environment in Maintenance Mode.

  7. Remove all SSH host keys.

    $ sudo rm -f /etc/ssh/ssh_host_*
    
  8. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used, and only regenerated, in 2.7.4 or greater.

    $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    $ sudo dpkg-reconfigure openssh-server
    
  9. Apply the changes to the ssh and babeld service.

    $ sudo cp /etc/ssh/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /data/user/common/
    $ sudo chown babeld:babeld /data/user/common/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub}
    

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-9, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start
    

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, or greater, and you are using Clustering,

  1. After completing steps 1-9, apply the changes to all cluster nodes.

    $ ghe-cluster-config-apply
    

--

Post SSH Host Key Rotation

After rotating the SSH host keys, your GitHub Enterprise environment can exit Maintenance Mode.

Your end-users will receive a host key mismatch error the next time they use the Administrative Shell (SSH) or the SSH protocol for Git activity, until they update their known_hosts. The rotation does not affect users using the HTTPS protocol for Git activity.

For example, the following is an output from the command-line,

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Please contact your system administrator.
Add correct host key in /Users/monalisa/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/monalisa/.ssh/known_hosts:42
ECDSA host key for [github.example.com]:122 has changed and you have requested strict checking.
Host key verification failed.

After removing the stale entry from known_hosts (the warning names the file and line), end-users will be prompted to accept the new fingerprint. They should compare it against the fingerprint you publish before answering yes; accepting blindly defeats the point of the rotation.

$ ssh -p 122 admin@github.example.com
The authenticity of host '[github.example.com]:122 ([169.254.1.1]:122)' can't be established.
ECDSA key fingerprint is SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Are you sure you want to continue connecting (yes/no)?

We strongly recommend publishing your GitHub Enterprise appliance's SSH host key fingerprints in a location that is accessible to all your end-users. For example, for GitHub.com, we publish the SSH fingerprints at https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/.
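The two checks the advisory leaves to the reader, step 4 of the manual procedure above (comparing your appliance's fingerprints against the downloaded list of leaked keys) and the end-user side of the rotation (clearing the stale known_hosts entry and checking the new fingerprint against the one you publish), as an added example. This is not code from the release notes or from GitHub's tooling; it uses only the Python standard library. The keys, the fingerprint list and the known_hosts content in it are constructed for the example, and it assumes the leaked-key list holds one fingerprint per line, which the advisory does not state.

```python
"""Added example, not code from the release notes or from GitHub's tooling.

Two checks a practitioner wants around an SSH host-key rotation:
  * fingerprint a host key in the MD5 (hex) and SHA256 (base64) formats that
    ssh-keygen -l and the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning
    print, and compare it against a list of leaked fingerprints;
  * drop the stale known_hosts entries for the appliance so the new key is
    accepted only after its fingerprint has been checked out of band.
The keys, fingerprint list and known_hosts content below are constructed for
the example; they are not GitHub's keys or GitHub's leaked-key list, and the
list format (one fingerprint per line) is an assumption.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey(line: str):
    """Return (key_type, wire_blob) from a .pub or known_hosts line.

    known_hosts lines carry a leading host field (and possibly an @marker),
    so the key type is found by scanning for the ssh-*/ecdsa-* field rather
    than assumed to be first.
    """
    fields = line.split()
    for i in range(len(fields) - 1):
        if fields[i].startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            (type_len,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + type_len] != fields[i].encode():
                raise ValueError("key type field does not match the key blob")
            return fields[i], blob
    raise ValueError("no public key in line: %r" % line)


def fingerprint_md5(blob: bytes) -> str:
    """Legacy format, e.g. 'b2:69:82:...', printed by ssh-keygen -l before 6.8."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Modern format 'SHA256:<base64 without padding>' used by OpenSSH 6.8+."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def leaked_keys(pubkey_lines, leaked_fingerprints):
    """Return the key types whose MD5 or SHA256 fingerprint is on the list."""
    bad = set(f.strip() for f in leaked_fingerprints if f.strip())
    hits = []
    for line in pubkey_lines:
        key_type, blob = parse_pubkey(line)
        if fingerprint_md5(blob) in bad or fingerprint_sha256(blob) in bad:
            hits.append(key_type)
    return hits


def forget_host(known_hosts_text: str, host: str):
    """Remove non-hashed known_hosts entries for `host`.

    `host` is matched exactly against the comma-separated host field, so
    'github.example.com' (Git over SSH) and '[github.example.com]:122' (the
    administrative shell) are separate entries. Hashed entries ('|1|...')
    cannot be matched by name and are kept; `ssh-keygen -R <host>` handles
    those. Returns (kept_text, removed_lines).
    """
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", "|1|")):
            kept.append(line)
            continue
        host_field = fields[1] if fields[0].startswith("@") else fields[0]
        (removed if host in host_field.split(",") else kept).append(line)
    return "\n".join(kept) + "\n", removed


# --- constructed sample data (not real keys) --------------------------------
_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_RSA_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
             + _ssh_string(bytes(range(1, 129))))
SAMPLE_ED25519 = "ssh-ed25519 %s sample@example" % base64.b64encode(_ED25519_BLOB).decode()
SAMPLE_RSA = "ssh-rsa %s sample@example" % base64.b64encode(_RSA_BLOB).decode()

SAMPLE_KNOWN_HOSTS = "\n".join([
    "[github.example.com]:122 " + SAMPLE_ED25519.rsplit(" ", 1)[0],
    "github.example.com,10.0.0.5 " + SAMPLE_RSA.rsplit(" ", 1)[0],
    "other.example.com " + SAMPLE_RSA.rsplit(" ", 1)[0],
    "|1|c2FsdA==|aGFzaA== " + SAMPLE_ED25519.rsplit(" ", 1)[0],
]) + "\n"


if __name__ == "__main__":
    _, blob = parse_pubkey(SAMPLE_ED25519)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    print(leaked_keys([SAMPLE_ED25519, SAMPLE_RSA], [fingerprint_sha256(blob)]))
    kept, removed = forget_host(SAMPLE_KNOWN_HOSTS, "[github.example.com]:122")
    print("removed %d known_hosts entries" % len(removed))
```

On the appliance, feed `leaked_keys` the lines of /etc/ssh/ssh_host_*_key.pub and the downloaded list; a non-empty result means the key must be rotated. End users can run `forget_host` over ~/.ssh/known_hosts (or `ssh-keygen -R '[github.example.com]:122'` and `ssh-keygen -R github.example.com`), then compare the SHA256 fingerprint shown at the next connection prompt with the one you publish before accepting it.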

If you'd like to give end-users notice before rotating the SSH host keys, follow the instructions in the Verification and Mitigation if Immediate Upgrade is not Possible section, skipping step 7 and replacing step 8 with,

  1. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used, and only regenerated, in 2.7.4 or greater.

    i. Pre-generate new SSH host keys to a temporary directory.

    $ ssh-keygen -t dsa -N "" -f /var/tmp/ssh_host_dsa_key
    $ ssh-keygen -t rsa -N "" -f /var/tmp/ssh_host_rsa_key
    $ ssh-keygen -t ecdsa -N "" -f /var/tmp/ssh_host_ecdsa_key
    $ ssh-keygen -t ed25519 -N "" -f /var/tmp/ssh_host_ed25519_key
    

    ii. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys for tentative rotation.

    $ ssh-keygen -lf /var/tmp/ssh_host_dsa_key.pub
    1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /var/tmp/ssh_host_dsa_key.pub (DSA)
    $ ssh-keygen -lf /var/tmp/ssh_host_ecdsa_key.pub
    256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /var/tmp/ssh_host_ecdsa_key.pub (ECDSA)
    $ ssh-keygen -lf /var/tmp/ssh_host_ed25519_key.pub
    256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /var/tmp/ssh_host_ed25519_key.pub (ED25519)
    $ ssh-keygen -lf /var/tmp/ssh_host_rsa_key.pub
    2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /var/tmp/ssh_host_rsa_key.pub (RSA)
    

    iii. Once you are ready to migrate to the new, rotated SSH host keys, move the host keys from the temporary directory and apply the changes to the ssh service.

    $ sudo mv /var/tmp/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /etc/ssh
    $ sudo service ssh restart
    

    iv. Continue with steps 9 in the Verification and Mitigation if Immediate Upgrade is not Possible section.

ssh_host_ed25519_key in GitHub Enterprise

The 2.x versions of GitHub Enterprise on all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services
  • Microsoft Azure

contained a pre-generated ssh_host_ed25519_key. However, only GitHub Enterprise 2.7.4 or greater uses the ssh_host_ed25519_key. You can verify this by checking your GitHub Enterprise appliance's /etc/ssh/sshd_config: the line HostKey /etc/ssh/ssh_host_ed25519_key is present only in 2.7.4 or greater.

The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

If you've upgraded your appliance to 2.7.4 or greater on any of the supported platforms including Amazon Web Services, please follow the instructions in the Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater section.

Security Fixes

  • CRITICAL Pre-generated SSH host keys were not regenerated when installing appliances from GitHub Enterprise 2.x images.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • When rejected from a pre-receive hook, API merge requests incorrectly returned Internal Server Error.
  • Webhooks failed to deliver when the external server could only be resolved by the configured proxy server.
  • The ghe-system-info command line utility was not available to run because the utility was missing from the $PATH.
  • In a clustering environment, storage assets that were not replicated or marked for deletion were not properly maintained.
  • Users were unable to add or remove deploy keys when LDAP sync was enabled.
  • In a clustering environment, the ghe-cluster-config-check command line utility terminated early from unsuccessful cURL checks.
  • The root API endpoint incorrectly returned Not Found when the trailing slash was omitted.
  • The initial push of a repository with many Git refs could time out.
  • Elasticsearch logs could grow very large due to incorrect HTTP and HTTPS connection management.
  • The ghe-ssl-ca-certificate-install command line utility did not accept a piped certificate as input.

Changes

  • GitHub Enterprise is now available in the Asia Pacific (Mumbai) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3, will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering can not be configured without https.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Errata

  • The Pre-generated SSH Host Keys in GitHub Enterprise vulnerability disclosure was amended with the ssh_host_ed25519_key in GitHub Enterprise section, which covers appliances running 2.7.4 or greater on the Amazon Web Services platform. (updated 2016-09-22)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.8 August 30, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, Git pushes could time out while waiting for the server to replicate data.
  • In a clustering environment, Gists were not being replicated to new nodes.
  • LFS files with spaces in the file path were not rendered properly.
  • git-lfs pull could cause high MySQL CPU usage.
  • Unsuspending users did not check for available license seats.
  • Purging an archived repository could fail.
  • Gist IDs could incorrectly collide when MySQL restarted.
  • The Git proxy service, babeld, did not scale the number of workers when memory was added.
  • Pre-receive hooks failed when using an environment with incorrect /tmp permissions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3, will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering can not be configured without https.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.7 August 16, 2016 Download

Security Fixes

  • HIGH: Worked around Microsoft Internet Explorer bug causing redirects to the incorrect hostname during OAuth negotiation.
  • MEDIUM: Users were able to delete SSH and/or GPG keys when LDAP sync is enabled.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • An appliance would enter maintenance mode earlier than expected if scheduled more than a week in advance.
  • Pre-receive hooks using the curl and/or gpg command may have failed using the default hook environment due to missing libraries.
  • Git pushes were denied if the pre-receive hook timed out on repositories with a non-enforced exit-status.
  • Avatars may have failed to render in a clustering environment.
  • Large file uploads may have timed out in a clustering environment.
  • Repositories could not be deleted, transferred, or have their visibility changed because of incorrect input validation.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3, will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering can not be configured without https.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.6 August 03, 2016 Download

Security Fixes

  • CRITICAL In versions 2.6.0 through 2.6.5 of GitHub Enterprise, a CAS authenticated user may log in as another user if they have full control of the login value registered with the external authentication provider. While this issue only affects specific installations, we have released this as a CRITICAL issue given its impact when external authentication configurations allow user control of registered logins.
  • LOW The permissions on rbenv, used by many components of GitHub Enterprise, have been tightened.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Built Pages sites on a cluster node became inaccessible if the database master role was migrated to the node.
  • The schema for requests to and responses from the LFS API has been relaxed to allow additional properties. This will allow the API to be extended in the future.
  • Organizations could be suspended using the ghe-user-suspend command.
  • Adding a new node to a cluster would fail if another node was unavailable.
  • Updates to user avatars may not have been visible for up to five minutes on clustered installations.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3, will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering can not be configured without https.
  • Console text is difficult to read on OpenStack KVM.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.5 July 12, 2016 Download

Security Fixes

  • HIGH Due to the way that email addresses with Unicode in the 'local part' are handled, it was possible to generate a password reset token for an email address and have it delivered to a separate email address with Unicode homoglyphs that normalized to the original email address.
  • LOW Admin users could still access user reports after being suspended.
  • Packages have been updated to the latest security versions.
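A toy reconstruction of the 2.6.5 password-reset issue beside its fix, added here as an example. It is not GitHub Enterprise code, and the release note does not say which Unicode normalization the product applied, so NFKC is an assumption; the account table and the outbox are constructed for the example. The point it shows is that a lookup by normalized address combined with delivery to the address as submitted hands the victim's token to whoever controls the homoglyph mailbox.

```python
"""Added example, not GitHub Enterprise code.

Toy password-reset flow showing the bug class in the 2.6.5 note: the account
is looked up by a normalized form of the submitted address, but the reset
token is mailed to the address exactly as submitted. An attacker who controls
a mailbox whose local part is a Unicode homoglyph of the victim's (here a
fullwidth 'a', U+FF41, which NFKC folds to ASCII 'a') then receives the
victim's token. NFKC is an assumption; the release note does not name the
normalization used. Accounts and the outbox are constructed for the example.
"""
import secrets
import unicodedata

ACCOUNTS = {"alice@example.com": {"user": "alice"}}  # constructed account table


def canonical(email: str) -> str:
    """Normalization used for lookup. NFKC folds compatibility characters
    (fullwidth letters, ligatures, the Kelvin sign) onto their ASCII look-alikes,
    which is convenient for matching and is exactly what makes a homoglyph
    address collide with a real one."""
    return unicodedata.normalize("NFKC", email).lower()


def find_account(email: str):
    """Return (stored_address, account) whose canonical form matches, or None."""
    key = canonical(email)
    for stored, acct in ACCOUNTS.items():
        if canonical(stored) == key:
            return stored, acct
    return None


def request_reset_vulnerable(submitted: str, outbox: list):
    """The bug pattern: lookup by canonical form, delivery to the raw input."""
    found = find_account(submitted)
    if found is None:
        return None
    _stored, acct = found
    token = secrets.token_urlsafe(16)
    outbox.append({"to": submitted, "user": acct["user"], "token": token})  # BUG
    return token


def ascii_lower(s: str) -> str:
    """Case-fold only A-Z. str.lower() is not safe here: U+212A KELVIN SIGN,
    for example, lowercases to ASCII 'k' and would reintroduce a collision."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def request_reset_fixed(submitted: str, outbox: list):
    """Two independent defences: the submitted address must equal the address
    on file byte for byte (apart from ASCII case), and the token only ever goes
    to the address on file, never to the string the requester typed."""
    found = find_account(submitted)
    if found is None:
        return None
    stored, acct = found
    if ascii_lower(submitted) != ascii_lower(stored):
        return None  # homoglyph or otherwise non-identical address: refuse
    token = secrets.token_urlsafe(16)
    outbox.append({"to": stored, "user": acct["user"], "token": token})
    return token


if __name__ == "__main__":
    attacker_address = "\uff41lice@example.com"  # 'alice' spelt with fullwidth a
    box = []
    request_reset_vulnerable(attacker_address, box)
    print("vulnerable: token for %s mailed to %r" % (box[-1]["user"], box[-1]["to"]))
    box = []
    print("fixed:", request_reset_fixed(attacker_address, box), box)
```

The second defence alone would stop this case; the first is kept because mail routing, not the application, decides where a non-ASCII address lands, so the application should never hand a secret to an address it did not already hold.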

Bug Fixes

  • Migration data exported from GitHub Enterprise with ghe-migrator did not include issue file attachments, which could cause imports to another server to fail.
  • SAML reauthentication could fail if the SAML identity provider returned large headers in the authentication response.
  • LDAP sync could fail on suspended users if restricted groups are not configured.
  • Pushing Git LFS objects to a fork of a repository the user only has read access to would fail.
  • PSD files stored in LFS failed to render.
  • The settings would fail to be copied to the high availability replica if NTP had not been configured.
  • SSH keys added or removed via the management console after high availability replication has started could fail to be copied to the replica.
  • Hostnames that contain hyphens could not be used in the proxy exclusion list in the management console settings.
  • Alambic services would not run on job-server cluster nodes.
  • ElasticSearch on cluster nodes could enter a split-brain state in the event of a network partition or failure.
  • Pre-receive hook environment variables were not all set on repository initialization. This could lead to pre-receive hooks running incorrectly on the first commit that takes place when creating a repository via a web browser. (updated 2016-07-13)
  • Downloading identical user or repository reports in quick succession could lead to a build up in duplicate jobs that could affect the performance of the appliance.

Changes

  • The automatic update check will only download the latest release that the appliance can upgrade directly to.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3, will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Uploading PNG images through the web interface can fail with the error 'Something went really wrong, and we can't process that file.'
  • GitHub Enterprise clustering can not be configured without https. (updated 2016-08-01)
  • Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.4 June 21, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The proxy configuration was not picked up by the update check initiated from the management console.
  • The merge pull request button could remain disabled for an extended period of time following a force-push on a repository with protected branches and required statuses enabled.
  • It was not possible to ignore whitespace in diffs by appending ?w=1 to the URL.
  • Authenticating using SAML could fail if the authentication process took too long, for example when a user is performing two-factor authentication with the SAML server.
  • Importing or restoring a Redis database using ghe-import-redis, or setting up a cluster, could fail if reading in the data took longer than 30 seconds to complete.
  • Repository file uploads would fail if SSL was not enabled on the appliance.
  • Redownloading and extracting an existing pre-receive hook environment could fail due to incorrect file permissions.
  • Migration data exported from GitHub Enterprise with ghe-migrator did not include issue file attachments, which could cause imports to another server to fail.
  • Custom environments for pre-receive hooks failed to install correctly on a cluster.

Changes

  • Prompt-less upgrades can now be performed by passing the -y argument to ghe-upgrade.
  • Restoring repositories from backups of cluster nodes has been sped up.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3, will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https. (updated 2016-08-01)
  • Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.3 May 31, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • The Redis database was not properly cleared when restoring with the backup utilities more than once to a GitHub Enterprise Cluster configuration. This could cause the Redis database to become very large, slowing down restores.
  • The $GITHUB_REPO_PUBLIC variable wasn't available to pre-receive hook scripts when edits were made via the web UI.
  • ghe-migrator failed to import users without an email address, which could cause the whole import to fail.
  • Deleting Git LFS files from the site admin dashboard failed with a 500 error.
  • Uploading a support bundle with a ticket reference using ghe-cluster-support-bundle -t [ticket reference] failed on a GitHub Enterprise Cluster.
  • Increasing the size of the data volume using ghe-storage-extend could fail.
  • OAuth application callback hostnames were limited to no longer than 63 characters, which caused some OAuth applications to stop working.
  • A missing Git repository on a high availability replica could block Git replication.
  • Pre-receive hooks in the default environment failed after upgrading.

Changes

  • Pre-receive hook scripts in the default environment now execute as Bash if no shebang program is specified.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
  • GitHub Enterprise clustering cannot be configured without https. (updated 2016-08-01)
  • Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.2 May 17, 2016

Security Fixes

  • HIGH Release assets from a public repository could be accessed by unauthenticated users in private mode. (updated 2016-05-27)
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The custom messages Markdown editor in the Admin Center included buttons for non-applicable functionality.
  • Custom messages within the Admin Center were not disabled when SAML authentication was used, even though they had no effect since the SAML server is responsible for displaying the relevant messages to users.
  • CAS logout failed when the CAS server URL included a path.
  • Using a deploy key to fetch Git LFS assets prompted for password authentication.
  • The "explore" and "trending" pages included a "Sign in" button when you're already signed in.
  • We didn't display errors when updating a pre-receive hook failed.
  • Admins couldn't manage Gist comments in the site admin.
  • The pre-receive hook permissions text described the wrong scope.
  • The GitHub Enterprise version wasn't displayed when hovering over the Octocat icon in the footer.
  • Background jobs in the languages queue weren't run. This caused repository language statistics to be inaccurate.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Repository push logs don't record whether a push was forced.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository. (updated 2016-05-24)
  • Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
  • GitHub Enterprise clustering cannot be configured without https. (updated 2016-08-01)
  • Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.1 May 04, 2016

Security Fixes

Remote Code Execution in ImageMagick

Several vulnerabilities in ImageMagick, a package commonly used by web services to process images, have been discovered and disclosed by members of the Mail.ru Security team. One of the vulnerabilities is critical and can lead to remote code execution when processing user-submitted images.

Final patches for all the disclosed vulnerabilities within ImageMagick are still pending. This release mitigates the remote code execution vulnerability by implementing the recommended policy to disable the vulnerable ImageMagick coders.

This vulnerability exists in ImageMagick but there is no evidence that it has been exploited on GitHub Enterprise.

We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.

Mitigation
If you can't immediately upgrade, the issue can be mitigated by implementing the policy changes as follows:

  1. SSH to your GitHub Enterprise appliance.

  2. Edit the /etc/ImageMagick/policy.xml file:

    sudo vi /etc/ImageMagick/policy.xml
    
  3. Disable the vulnerable coders by replacing the <policymap> section with:

    <policymap>
      <policy domain="coder" rights="none" pattern="EPHEMERAL" />
      <policy domain="coder" rights="none" pattern="URL" />
      <policy domain="coder" rights="none" pattern="HTTPS" />
      <policy domain="coder" rights="none" pattern="MVG" />
      <policy domain="coder" rights="none" pattern="MSL" />
    </policymap>
    

There is no need to reboot or restart any services; the changes will take effect immediately.
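As an added check (example code written for this page, not part of the release notes or of GitHub's tooling), the script below parses a copy of policy.xml with a real XML parser and reports which of the five coders named in step 3 are still permitted. It assumes Python 3 with only the standard library, takes the file path on the command line, and the two sample policy documents embedded in it are constructed for illustration; the file name check_policy.py is likewise an assumption.

```python
"""Added example, not from the GitHub Enterprise release notes: verify that the
ImageMagick policy.xml mitigation above is in place.

Run against a copy of the file, e.g.:
    python3 check_policy.py /etc/ImageMagick/policy.xml
(the script name check_policy.py is an assumption; any name works)
"""
import sys
import xml.etree.ElementTree as ET

# The coders the mitigation steps above deny all rights to.
REQUIRED_DENIED_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")


def denied_coders(policy_xml):
    """Return the set of coder patterns that the policy denies all rights to.

    policy_xml may be str or bytes. A real XML parser is used on purpose:
    attribute order and whitespace vary between files, and a stock policy.xml
    carries commented-out <policy> examples that a plain grep would wrongly
    count as active.
    """
    root = ET.fromstring(policy_xml)  # root element is <policymap>
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == "coder" and policy.get("rights") == "none":
            denied.add(policy.get("pattern", ""))
    return denied


def missing_mitigations(policy_xml):
    """Return the required coders that are still NOT denied, in the order the
    release notes list them. An empty list means the mitigation is in place.

    Only exact pattern matches are checked, i.e. the five entries the notes
    prescribe; broader wildcard patterns are not interpreted here.
    """
    denied = denied_coders(policy_xml)
    return [coder for coder in REQUIRED_DENIED_CODERS if coder not in denied]


# Constructed sample: the <policymap> exactly as the mitigation step gives it.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""

# Constructed sample resembling an unmodified file: a resource limit, a
# commented-out coder entry (must not count), one denial with the attributes
# in a different order, and one coder that is merely restricted, not denied.
PARTIAL_POLICY = """<policymap>
  <!-- <policy domain="coder" rights="none" pattern="EPHEMERAL" /> -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy rights="none" pattern="MVG" domain="coder"/>
  <policy domain="coder" rights="read" pattern="MSL" />
</policymap>
"""


def main(argv):
    if len(argv) < 2:
        print("usage: %s /path/to/policy.xml" % argv[0])
        return 2
    # Read as bytes so the file's own XML encoding declaration is honoured.
    with open(argv[1], "rb") as fh:
        missing = missing_mitigations(fh.read())
    if missing:
        print("NOT mitigated; coders still permitted: " + ", ".join(missing))
        return 1
    print("mitigated: all five coders are denied")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the check usable from a configuration-management or monitoring job: 0 when all five coders are denied, 1 when any is still permitted, 2 on usage error. Because a later upgrade or package update may replace policy.xml, re-running the check after such changes is the point of having it scripted.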

Please contact GitHub Enterprise Support if you have any questions.

Bug Fixes

  • Memcached didn't log warnings or errors.
  • Harmless empty lines were added to the admin user's authorized_keys file every time the configuration was saved.
  • The find command was missing in the default pre-receive hook environment.

Known Issues

  • HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • Custom messages within the Admin Center are not disabled when SAML authentication is used, even though they have no effect since the SAML server is responsible for displaying the relevant messages to users.
  • The custom messages Markdown editor in the Admin Center includes buttons for non-applicable functionality.
  • Background jobs in the languages queue aren't run. This causes repository language statistics to be inaccurate.
  • Repository push logs don't record whether a push was forced. (updated 2016-05-13)
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository. (updated 2016-05-24)
  • Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
  • GitHub Enterprise clustering cannot be configured without https. (updated 2016-08-01)
  • Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team

GitHub Enterprise 2.6.0 April 26, 2016

New Features

With the new features added in GitHub Enterprise 2.6.0, you can:

Changes

  • The cross-origin resource sharing (CORS) policy has been updated to bring it in line with W3C recommendations.
  • Auto-complete is disabled on the password configuration fields in the management console.
  • It is no longer possible to filter members of an organization using the is:inactive filter.
  • Admin Tools now has a 'Disabled repositories' page.
  • The number of simultaneous connections tracked by the appliance firewall has been increased to 524288.
  • When the protected branch policy is not fulfilled, we report different states depending on the protected branch required status checks policy.
  • Unused scripts have been removed and internal-only scripts have been moved out of the default path.
  • All customer-facing scripts print usage information when called with -h or --help.
  • SAML requests can now be configured to use SHA-256 and other common hashing algorithms for the signature and digest methods. The default is now SHA-256. You may need to update your configuration and select SHA-1 if your identity provider does not support SHA-256.
  • The management console now contains inline links to the configuration documentation for each section.
  • A proxy exclusion (no_proxy) list can now be configured in the management console.
  • Logs can be forwarded to multiple locations.
  • ghe-repl-start will report if high availability replication is still starting following a reboot.
  • ghe-repl-status displays which host is the high availability replica when run on the primary node.
  • The license, SSH keys and settings are copied to the high availability replica as and when they're modified on the primary.
  • Custom certificate authority certificates added to the appliance using ghe-ssl-ca-certificate-install are automatically replicated to the high availability replica.
  • All certificates included in the certificate file uploaded via the management console are automatically imported.
  • Custom certificate authority certificates are saved with descriptive names for easier identification when running ghe-ssl-ca-certificate-install -l.
  • The self-signed certificate generated by the appliance when first configured now includes a wildcard subject alternate name (SAN) entry for the appliance hostname for use with sub-domain isolation.
  • Previously built Pages sites are no longer displayed if Pages is subsequently disabled.
  • GitHub Pages has been updated to Jekyll 3.0.
  • A reason for an email notification is now included in the footer of the email.
  • The search index definitions have changed. Some searches may return partial results while the search indices are rebuilt. (updated 2016-04-27)
  • GitHub Pages now verifies the SSL connection when cloning sites, so builds will fail if your SSL certificate is invalid. (updated 2016-05-10)

Upgrading

Upgrading to the 2.6 release series is supported from GitHub Enterprise 2.4.0 and above.

Backup & Restore

In order to backup and restore GitHub Enterprise 2.6, you will need to upgrade backup-utils to version 2.6.0.

Bug Fixes

  • Changing a repository's parent allowed you to reparent it onto a fork of the repository being reparented. This created a loop that failed and left the repository network in an inconsistent state.
  • @mentions in issues or comments that contained dashes were not correctly rewritten when a migration archive was imported using ghe-migrator on the destination appliance.
  • Migrating a repository with issue attachments using ghe-migrator could fail to import on the destination appliance.
  • User sessions were not properly revoked when they reached the expiry limit set by the SAML identity provider (IdP).
  • User web browser sessions were revoked after 14 days of inactivity instead of 30 days.
  • ghe-support-bundle displayed harmless messages.

Security Fixes

  • MEDIUM Resolved a cross-site scripting (XSS) vulnerability in task lists.
  • MEDIUM Implemented mitigation for a URI decoding vulnerability that affects modern versions of Microsoft Internet Explorer.
  • User sessions were not properly revoked when they reached the expiry limit set by the SAML identity provider (IdP).
  • Packages have been updated to the latest security versions.

Deprecation of GitHub Enterprise 2.1

GitHub Enterprise 2.1 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.2

GitHub Enterprise 2.2 will be deprecated as of August 2016. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Deprecation of Support for Internet Explorer 9 and 10

Support for Internet Explorer 9 and 10 will be deprecated in a future release. There will be no changes in site functionality, but a warning banner will be displayed to Internet Explorer 9 and 10 users.

Upcoming deprecation of Markdown engines

GitHub Pages on GitHub Enterprise 2.7 and later will only support kramdown, Jekyll's default Markdown engine. If you are currently using Rdiscount or Redcarpet, note that we've enabled kramdown's GitHub-flavored Markdown support by default, so kramdown should have all the features of the two deprecated Markdown engines; the transition should be as simple as updating the Markdown setting in your site's configuration to kramdown (or removing it entirely).

Known Issues

  • HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
  • Duplicate uploads are stored on more than three hosts in a cluster with more than three replica file servers.
  • Editing custom messages in the Admin Center doesn't provide emoji suggestions.
  • Native emoji are lost when saving custom messages in the Admin Center.
  • The custom messages setting within the Admin Center is not disabled when SAML authentication is used. The setting has no effect when using SAML as the SAML server is responsible for displaying the relevant pages to users.
  • The custom messages Markdown editor in the Admin Center includes buttons for non-applicable functionality.
  • Background jobs in the languages queue aren't run. This causes repository language statistics to be inaccurate. (updated 2015-04-28)
  • The find command isn't available in the default pre-receive hook environment. (updated 2015-04-28)
  • Repository push logs don't record whether a push was forced. (updated 2016-05-13)
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository. (updated 2016-05-24)
  • Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
  • GitHub Enterprise clustering cannot be configured without https. (updated 2016-08-01)
  • Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)

Thanks!

The GitHub Team