GitHub Enterprise 2.7.21 August 01, 2017

Security Fixes

  • Packages have been updated to the latest security versions.
  • CRITICAL: Pages and Git have been updated to handle maliciously constructed ssh:// URLs during submodule cloning. This mitigates the vulnerability detailed in CVE-2017-1000117, which could have allowed an authenticated attacker to run arbitrary commands on a GitHub Enterprise environment through Pages builds. (updated 2017-08-10)

Bug Fixes

  • Pre-receive hooks with spaces in their paths failed to run.

Deprecation of GitHub Enterprise 2.7

GitHub Enterprise 2.7 is now deprecated as of August 3, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.

Thanks!

The GitHub Team

GitHub Enterprise 2.7.20 July 12, 2017

Security Fixes

  • Packages have been updated to their latest security versions.
  • LOW: OAuth application access tokens and personal access tokens weren't sanitized from support bundles.

Bug Fixes

  • collectd metric paths could be truncated, which caused multiple write attempts to the same file for different metrics.
  • Password reset emails incorrectly stated that reset links were valid for 24 hours when they are only valid for three hours.
  • Pre-receive hooks could not be updated after moving to a new GitHub Enterprise instance, for example after failing over to a replica.
  • Fetches or pushes that transferred more than 2 GB of data were incorrectly recorded as much larger in the logs for the Git proxy service, babeld.
  • Users could receive a temporary "bad pack header" error when fetching a very large repository if the repository was being repacked at the same time.

Changes

  • The ghe-support-bundle command now honors the http_proxy environment variable.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
  • Creating a support bundle fails with a "File exists" error if HAProxy logs have been rotated. (updated 2017-07-24)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.19 June 20, 2017

Security Fixes

  • Packages have been updated to their latest security versions.
  • LOW: Tokens were contained in support bundles when they were used in GET requests as a URL parameter.

Bug Fixes

  • On a 404 page with an appliance configured to use public mode and SAML, the "Sign in" button was illegible.
  • contributions_backfill background jobs were enqueued on every additional push to a repository, even if it contained no commits from users of the appliance.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.18 May 30, 2017

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • After the parent repository has been deleted, the Git LFS objects from the forks were inaccessible.
  • Adding a user as a collaborator via the API incorrectly sent an invitation without adding the user.
  • Graphs in the Management Console displayed the sum instead of an average value. As a result, graphs had incorrectly displayed an increasing metric over time.
  • ghe-upgrade.log contained harmless /proc/... No such file or directory messages.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.17 May 16, 2017

Note about Git LFS v2.1.1

A CRITICAL security fix for the Git LFS client was released on 19 May. The remote code execution vulnerability can be exploited if:

  • a repository contains a .lfsconfig with:

      ...
        url = ssh://-oProxyCommand=command
      ...
    
  • a user clones the malicious repository with a vulnerable Git LFS client

This vulnerability exists in the Git LFS client and not GitHub Enterprise. However, we strongly encourage all users of GitHub Enterprise to upgrade their Git LFS client to v2.1.1 (or greater) from https://git-lfs.github.com/.

Please contact GitHub Enterprise Support if you have any questions.

Note: GitHub Enterprise supports broadcasting messages directly on the application with ghe-announce and with a custom sign-in message.
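The .lfsconfig issue above and the submodule ssh:// URL issue fixed in 2.7.21 share one root cause: a URL whose host component begins with "-" is handed to ssh as a command-line option, so -oProxyCommand=... becomes an arbitrary command. The scanner below is an added example (not code from Git, Git LFS or GitHub Enterprise) that flags such url keys in .gitmodules and .lfsconfig files before a clone or a Pages build touches them. The file contents are constructed, and checking the percent-decoded host as well is a conservative assumption of this example, not a description of how git parses URLs.

```python
"""Flag ssh URLs whose host would reach ssh as a command-line option.

Added example for pre-clone scanning of .gitmodules / .lfsconfig; not code
from Git, Git LFS or GitHub Enterprise.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

SECTION_RE = re.compile(r'^\[([^\]]+)\]$')
KV_RE = re.compile(r'^([A-Za-z][\w.-]*)\s*=\s*(.*)$')
SSH_SCHEMES = ("ssh://", "git+ssh://", "ssh+git://")


def parse_git_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples from git-config syntax.

    Only full-line comments are handled, which is enough for url keys.
    """
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KV_RE.match(line)
        if m:
            entries.append((section, m.group(1).lower(), m.group(2).strip().strip('"')))
    return entries


def ssh_host_argument(url: str) -> Optional[str]:
    """Return the [user@]host string git hands to ssh for URL, or None when
    the URL does not use the ssh transport."""
    lower = url.lower()
    for prefix in SSH_SCHEMES:
        if lower.startswith(prefix):
            authority = url[len(prefix):].split("/", 1)[0]
            return re.sub(r":\d+$", "", authority)  # the port travels via -p, not in the host
    # scp-like form [user@]host:path: a colon before any slash and no scheme
    if "://" not in url and ":" in url:
        head = url.split(":", 1)[0]
        if head and "/" not in head:
            return head
    return None


def is_option_injection(url: str) -> bool:
    """True when ssh would parse the host as an option (e.g. -oProxyCommand=...)."""
    host = ssh_host_argument(url)
    if host is None:
        return False
    # Assumption of this example: also reject the percent-decoded form.
    return host.startswith("-") or unquote(host).startswith("-")


def find_suspicious_urls(config_text: str) -> List[Tuple[str, str]]:
    """(section, url) pairs for every url key that would inject an ssh option."""
    return [(section, value)
            for section, key, value in parse_git_config(config_text)
            if key == "url" and is_option_injection(value)]


# Constructed sample files; these are not real repositories.
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = ssh://-oProxyCommand=touch${IFS}/tmp/pwned/repo
[submodule "vendor/ok"]
\tpath = vendor/ok
\turl = git@git.example.com:org/ok.git
"""

SAMPLE_LFSCONFIG = """\
[lfs]
\turl = ssh://-oProxyCommand=command
"""

if __name__ == "__main__":
    for name, text in (("gitmodules", SAMPLE_GITMODULES), ("lfsconfig", SAMPLE_LFSCONFIG)):
        for section, url in find_suspicious_urls(text):
            print(f"{name}: [{section}] url={url!r} would inject an ssh option")
```

The check covers both the ssh:// form and the scp-like user@host:path form, since either reaches ssh with the host as its first non-option argument. Running it over a repository's .gitmodules and .lfsconfig before cloning is a useful gate even on patched clients, because it also catches the case where a build host has an older git or Git LFS than expected.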

Security Fixes

  • This release and previous releases of GitHub Enterprise are not affected by the Git shell vulnerability announced 10 May 2017 (CVE-2017-8386).
  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, restoring a backup to a cluster not meeting the minimum recommended number of pages-server and storage-server nodes would fail.

Changes

  • The SAML authentication logs no longer contain debug information by default. Debugging information can be enabled in the Admin Center.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.16 May 02, 2017

Security Fixes

  • MEDIUM: When using 2FA, the recovery codes could be brute forced on browsers that do not implement the X-Content-Type-Options HTTP header correctly.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Service hooks were blocked from accessing the API endpoint of the local instance.
  • Processes could be leaked if Collectd exited unexpectedly.
  • Custom sysctl settings were not taking effect when saving the settings.

Changes

  • Support bundles are now built and stored in /data/user/tmp to preserve free space on the root filesystem.

Deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 is now deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.15 April 18, 2017

Security Fixes

  • MEDIUM: Local privileged MySQL credentials and Alambic HMAC/API keys were exposed in log files included in the support bundle.
  • None of the currently supported releases of GitHub Enterprise are affected by the Linux kernel UDP remote code execution vulnerability issued 4 April 2017 (CVE-2016-10229).
  • Packages have been updated to the latest security versions.

Bug Fixes

  • An issue or pull request comment containing the string 'User-Agent: GitHub-Hookshot' incorrectly triggered a firewall rule that caused an internal server error on several pages, including the author's profile page.
  • Collectd statistics were collected for the temporary pre-receive hook environment mount points.
  • Users could be added to a team even if they did not satisfy the organization's 2FA requirement.
  • Very large release or Git LFS assets failed to replicate due to a timeout in a high availability environment.
  • In a clustering environment, several services failed to start following a reboot.
  • In a clustering environment, configuring multiple nodes in parallel could lead to nodes overwriting each other's MySQL seed data.

Changes

  • The jq utility has been added to the default pre-receive hook environment.
  • More colors are used in the monitoring graphs in a high availability environment, making them more legible.
  • Backups of cluster environments with a large number of archived repositories have been optimized for improved performance.

Upcoming deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.14 March 29, 2017

Security Fixes

  • LOW: Detect and reject any Git content that shows evidence of being part of a SHA-1 collision attack.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • The /trending page could incorrectly display a Sign up for free button.
  • The total number of organizations was incorrect because the count included trusted OAuth applications.
  • ghe-check-disk-usage incorrectly defaulted to a --verbose run.
  • Administrators couldn't restore deleted LFS objects.
  • A configuration run could revert an SSL certificate to an automatically generated self-signed certificate.
  • Graphs in the Management Console monitoring page were incorrectly sorted.

Upcoming deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not. (updated 2017-03-30)
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.13 March 14, 2017

Security Fixes

  • LOW: New, invited users received their initial passwords in clear text via e-mail. A password reset link, valid for 24 hours, is sent to the user instead.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • A search index that was not marked as the primary index, for example when a new index was being built after an upgrade, could be incorrectly deleted.
  • The initial import of the VMware OVA image would fail when deployed via vCenter Server 6.0 or 6.5.

Deprecation of GitHub Enterprise 2.5

GitHub Enterprise 2.5 is now deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.6

GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Graphs in the Management Console monitoring page are incorrectly sorted.
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.12 March 01, 2017

Security Fixes

  • LOW: An internal upload policies API disclosed which users had push access to a repository.
  • LOW: An internal administrative API was vulnerable to cross-site request forgery (CSRF).
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Git LFS objects could take up to an hour to replicate in a High Availability configuration.
  • Pre-receive hooks failed to output UTF-8 characters.
  • Migrations failed to preserve a label with a / character.
  • A previously configured replica appliance excessively logged errors during High Availability initialization.
  • The Management Console Add new SSH key field incorrectly allowed an SSH fingerprint instead of the contents of the key.
  • A former primary appliance failed to create or update pre-receive hook environments.
  • An updated SAML Verification certificate did not take effect until the github-unicorn service was restarted.

Changes

  • The Reactivate suspended users configuration has changed to reflect the current configured state.
  • The <Destination> element is no longer optional in the SAML response.

Deprecation of GitHub Enterprise 2.4

GitHub Enterprise 2.4 is now deprecated as of February 9, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.5

GitHub Enterprise 2.5 will be deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Graphs in the Management Console monitoring page are incorrectly sorted.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host.
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.11 January 31, 2017

SAML authentication bypass with XML signature wrapping in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is applicable if the attacker has access to a validly signed SAML assertion or response against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.

The affected supported versions are:

  • 2.8.0 - 2.8.6
  • 2.7.0 - 2.7.10
  • 2.6.0 - 2.6.15
  • 2.5.0 - 2.5.20
  • 2.4.0 - 2.4.22

Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.
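In a signature-wrapping attack the attacker keeps a validly signed assertion in the document but moves it somewhere the verifier does not look, and places an unsigned assertion for the victim account where a naive parser looks first; the signature check passes on one element and the identity is read from another. The Python below is an added example, not GitHub Enterprise code, of the structural guard that must precede cryptographic XMLDSig verification: it fixes which single element is to be verified and then used, and it also enforces the Destination check that the 2.7.12 notes made mandatory. The SAML responses and the ACS URL are constructed placeholders, and the signature bytes are not verified here.

```python
"""Structural guard against SAML XML signature wrapping.

Added example, not GitHub Enterprise code. It runs before, not instead of,
cryptographic XMLDSig verification: it pins down which single element must
be verified and then used, so a validly signed assertion moved elsewhere in
the document cannot vouch for an unsigned one placed where a naive parser
looks first. Responses and the ACS URL below are constructed.
"""
import xml.etree.ElementTree as ET  # production code should parse with defusedxml
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXPECTED_ACS = "https://github.example.com/saml/consume"  # placeholder SP endpoint


def parse_response(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def name_id(assertion: ET.Element) -> str:
    return assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)


def naive_pick_assertion(root: ET.Element) -> ET.Element:
    """VULNERABLE pattern: confirm that *a* Signature exists somewhere, then
    use the first Assertion in document order, signed or not."""
    if root.find(".//ds:Signature", NS) is None:
        raise ValueError("unsigned response")
    return root.find(".//saml:Assertion", NS)


def hardened_pick_assertion(root: ET.Element, expected_acs: str) -> ET.Element:
    """Return the one Assertion that an enveloped Signature actually covers.

    Rejects a wrong Destination, any number of Assertions other than one, an
    Assertion that is not a direct child of the Response, and a Signature
    whose Reference URI does not point at the element it is enveloped in.
    """
    if root.get("Destination") != expected_acs:
        raise ValueError("Destination does not match this service provider")
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion not in list(root):
        raise ValueError("Assertion is not a direct child of the Response")
    # The signature may envelop either the Assertion or the whole Response.
    for signed in (assertion, root):
        sig = signed.find("ds:Signature", NS)
        if sig is None:
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        if uri != "#" + (signed.get("ID") or ""):
            raise ValueError("Signature Reference does not cover its enclosing element")
        # Cryptographic verification of exactly `signed` (never of some other
        # element located by ID or XPath) belongs here; omitted in this example.
        return assertion
    raise ValueError("no enveloped Signature on the Assertion or the Response")


def authenticate(xml_text: str, expected_acs: str = EXPECTED_ACS) -> Optional[str]:
    """NameID from a structurally sound response, or None when it is rejected."""
    try:
        return name_id(hardened_pick_assertion(parse_response(xml_text), expected_acs))
    except ValueError:
        return None


_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
         'ID="_r1" Destination="%s">' % (NS["samlp"], NS["saml"], NS["ds"], EXPECTED_ACS))
_SIGNED_ASSERTION = """
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>"""

# Constructed: the IdP's genuine, signed response for alice.
SIGNED_RESPONSE = _HEAD + _SIGNED_ASSERTION + "\n</samlp:Response>"

# Constructed wrapping attack: alice's signed assertion is moved under
# Extensions and an unsigned assertion for admin is placed first.
WRAPPED_RESPONSE = _HEAD + """
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
  <samlp:Extensions>""" + _SIGNED_ASSERTION + """
  </samlp:Extensions>
</samlp:Response>"""

if __name__ == "__main__":
    print("naive   :", name_id(naive_pick_assertion(parse_response(WRAPPED_RESPONSE))))
    print("hardened:", authenticate(WRAPPED_RESPONSE))
    print("genuine :", authenticate(SIGNED_RESPONSE))
```

The naive path logs the wrapped response in as admin; the hardened path rejects it because two Assertion elements are present, and would still reject a single relocated assertion because it is not a direct child of the Response. The Destination check is what stops a response that was legitimately issued for another service provider from being replayed here.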

Remote code execution with server side request forgery in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker can configure a repository's webhooks, that is, has owner or admin privileges on a repository.

The affected supported versions are:

  • 2.8.0 - 2.8.6
  • 2.7.0 - 2.7.10
  • 2.6.0 - 2.6.15
  • 2.5.0 - 2.5.20
  • 2.4.0 - 2.4.22
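Webhooks are a classic server-side request forgery surface: the appliance makes an outbound HTTP request to a URL chosen by a repository admin, so without a check that URL can point at loopback, link-local or internal services the appliance itself trusts. The Python below is an added example, not GitHub Enterprise code, of vetting a webhook target before connecting. The DNS table and the hostnames are constructed; the resolver is injected so the example runs offline, and in production a real lookup (for example socket.getaddrinfo) would be passed in.

```python
"""Vet a user-supplied webhook URL before the appliance connects to it.

Added example, not GitHub Enterprise code. The resolver is injected so the
check runs offline against a constructed DNS table; in production pass a
real lookup and connect to the IPs this function returns rather than
resolving the name a second time, since a second lookup can yield a
different, internal address (DNS rebinding).
"""
import ipaddress
from typing import Callable, List, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def is_public(ip: IPAddress) -> bool:
    """True only for addresses an outbound webhook may legitimately reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not (
        ip.is_private or ip.is_loopback
        or ip.is_link_local  # also covers the 169.254.169.254 metadata endpoint
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def vet_webhook_target(url: str,
                       resolve: Callable[[str], List[str]]) -> Tuple[bool, str, List[str]]:
    """Return (ok, reason, pinned_ips). Callers must connect to pinned_ips."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in the URL are not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        raw = [host] if _is_ip_literal(host) else resolve(host)
        addrs = [ipaddress.ip_address(a) for a in raw]
    except (ValueError, OSError) as exc:
        return False, f"resolution failed: {exc}", []
    if not addrs:
        return False, f"{host} does not resolve", []
    bad = [str(a) for a in addrs if not is_public(a)]
    if bad:
        # Any non-public answer rejects the whole name: a mix of public and
        # internal records is exactly what a rebinding setup looks like.
        return False, f"{host} resolves to non-public address(es) {', '.join(bad)}", []
    return True, "ok", [str(a) for a in addrs]


# Constructed DNS table standing in for real lookups.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("https://hooks.example.com/deliver",
              "http://localhost:8080/",
              "http://169.254.169.254/latest/meta-data/",
              "http://internal.example.com/admin",
              "http://rebind.example.com/"):
        print(u, "->", vet_webhook_target(u, fake_resolve)[:2])
```

Two details matter in practice. The function returns the vetted addresses so the HTTP client can connect to them directly; if the client resolves the hostname again on its own, the check has a time-of-check/time-of-use gap. And the HTTP client must not follow redirects blindly, since a public host can 302 to an internal address; re-run the same check on every redirect target.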

Next steps

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:

  1. Put your GitHub Enterprise environment in Maintenance Mode.

  2. SSH to your primary GitHub Enterprise appliance.

  3. Destroy the existing SAML sessions.

    $ echo SAML::Session.destroy_all | ghe-console -y
    
  4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.

If possible, we also recommend restricting Management Console access to your site administrators.

These vulnerabilities were reported through the GitHub Security Bug Bounty program and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post about the inclusion of GitHub Enterprise, "Bug Bounty anniversary promotion: bigger bounties in January and February".

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

  • CRITICAL: An attacker could bypass SAML authentication via XML signature wrapping and log in as any other user.
  • CRITICAL: There was a remote code execution vulnerability via server side request forgery.
  • HIGH: With built-in authentication, suspended users could log in.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, services would not automatically start after reboot.

Upcoming deprecation of GitHub Enterprise 2.5

GitHub Enterprise 2.5 will be deprecated as of March 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Graphs in the Management Console monitoring page are incorrectly sorted.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • An issue or pull request comment containing the string "User-Agent: GitHub-Hookshot" incorrectly triggers a firewall rule and causes an internal server error on several pages, including the author's profile page. (updated 2017-03-30)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.10 January 12, 2017

SAML authentication bypass in GitHub Enterprise

A CRITICAL issue was identified that allows an attacker to bypass SAML authentication by creating a fake response. This could allow the attacker to sign in as any user, including administrators.

The affected supported versions are:

  • 2.8.0 - 2.8.5
  • 2.7.0 - 2.7.9
  • 2.6.0 - 2.6.14
  • 2.5.0 - 2.5.19

If you are using SAML as your authentication method, we strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

Additionally, all existing user sessions should be destroyed:

  1. Put your GitHub Enterprise environment in Maintenance Mode.

  2. SSH to your primary GitHub Enterprise appliance.

  3. Destroy the existing SAML sessions.

    $ echo SAML::Session.destroy_all | ghe-console -y
    
  4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.

This vulnerability was reported through the GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.

Please contact GitHub Enterprise Support if you have any questions.

Security Fixes

  • CRITICAL: Users could bypass SAML authentication and log in as any other user
  • Packages have been updated to the latest security versions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Graphs in the Management Console monitoring page are incorrectly sorted. (updated 2017-01-18)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.9 January 04, 2017 Download

Security Fixes

  • HIGH: Fix SQL injection in pre-receive hook APIs.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • Alambic crashed resizing user avatars.

Changes

  • ghe-migrator now scrubs access tokens from the logs.
  • Added cron job to compress core files.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Graphs in the Management Console monitoring page are incorrectly sorted. (updated 2017-01-18)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.8 December 21, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Pushing an update could cause the babeld service to segmentation fault under certain circumstances.
  • The deletion of branches and tags rejected by a pre-receive hook would have failed with the error "Something went wrong with the request. Please try again."
  • Attempts were prematurely made to gather redis performance statistics. This resulted in excessive logging to the collectd log files.
  • Appliance settings saved using the /setup/api/settings API endpoint failed to apply when they were submitted at the same time as the license was uploaded for the first time.
  • Access to a repository granted to teams during a transfer to an organization didn't take effect.

Changes

  • GitHub Enterprise is now available in the EU West (London) and Canada (Central) AWS regions.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.7 November 22, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Unable to view webhook delivery logs when the delivery GUID collided.
  • The upload-pack events were missing from audit.log.
  • In a clustering environment, ghe-cluster-config-apply could restart services when the application configuration has not changed.
  • LFS push failed with a 0-byte file.
  • Merge button was disabled for protected branches when memcached was stopped.
  • Disallow administrators from renaming system accounts.
  • Users were unable to update their primary e-mail address after migrating data with ghe-migrator.
  • Management Console was not redirecting to the previously navigated page after authentication.
  • Unable to change an organization owned repository's visibility from public to private if the repository had collaborators.
  • The ghe-update-check utility returned an incorrect "you must first upgrade to" message when no intermediate upgrade was necessary.
  • The memcached service would remain stopped after a crash (e.g. via OOM kill).

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.6 November 01, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, LFS file uploads failed due to an internal HTTP timeout.
  • In a clustering environment, uploading avatars would fail if a proxy was configured.
  • In a clustering environment, a clustering node made unnecessary internal API calls through the load balancer.

Changes

  • GitHub Enterprise is now available in the US East (Ohio) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.5 October 18, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • Background jobs were deleted and lost when stopping replication. This happens when failing over to a high availability replica and during a cluster configuration run.
  • Webhook delivery logs were neither logged nor accessible when a proxy was configured.
  • It was possible to change the parent repository to itself.
  • SVN checkout failed if a repository has symlinks.
  • Running git symbolic-ref would hang when resolving references with broken symlinks.
  • LDAP Sync suspended users that were already suspended, causing unnecessary audit log entries.
  • Changing the default branch of a repository was not synchronized to a high availability replica, so the wrong branch was set as default after fail over.
  • Webhook delivery logs were not pruned causing unnecessary storage usage.
  • Webhook delivery logs might be neither logged nor accessible if the first webhook event of the day was a push event.
  • Custom messaging for suspended users was not displayed to suspended SAML users.
  • LDAP Sync removed and re-added users or teams when their distinguished name contained upper case characters.
  • Forking a repository could fail if the maintenance job for the repository's network ran at the same time.
  • After restarting a crashed process, writing data to the management console monitoring graphs may not have immediately restarted.
  • An error was thrown when trying to access audit logs containing authentication attempts using two-factor authentication.
  • In a clustering environment, the web application service could fail to start after cluster configuration run.
  • Upgrade to 2.7.4 failed on "Running Migration" if there were multiple OAuth applications named "GitHub Desktop".

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.4 September 20, 2016 Download

Pre-generated SSH Host Keys in GitHub Enterprise

A CRITICAL issue was identified for all 2.x versions of GitHub Enterprise. The GitHub Enterprise images contain pre-generated SSH host keys that were not regenerated upon installation for all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services (See the ssh_host_ed25519_key in GitHub Enterprise section below)
  • Microsoft Azure

This means an attacker with the capability to perform a man-in-the-middle attack on SSH traffic can intercept and modify network traffic to the GitHub Enterprise appliance.

The affected supported versions are:

  • 2.7.0 - 2.7.3
  • 2.6.0 - 2.6.8
  • 2.5.0 - 2.5.13
  • 2.4.0 - 2.4.16
  • 2.3.0 - 2.3.20

This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.

We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, or 2.3.21. In addition, with backup-utils-2.7.1, ghe-backup and ghe-restore will check for any leaked SSH host keys in the snapshot(s).

Please contact GitHub Enterprise Support if you have questions.

Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater

If you've upgraded to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Check for leaked SSH host keys using the ghe-ssh-check-host-keys utility.

    $ ghe-ssh-check-host-keys
    

    The utility should output either:

    One or more of your SSH host keys were found in the blacklist.
    Please reset your host keys using ghe-ssh-roll-host-keys.
    

    The SSH host keys were not found in the SSH host key blacklist.
    No additional steps are needed/recommended at this time.
    
  3. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  4. Put your GitHub Enterprise environment in Maintenance Mode.

  5. Rotate all SSH host keys using the ghe-ssh-roll-host-keys utility.

    $ sudo ghe-ssh-roll-host-keys
    

    The utility should output:

    SSH host keys have successfully been rolled.
    

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, or greater, and you are using the High Availability Configuration, there are no additional steps to take on your replica appliance.

If you've upgraded to GitHub Enterprise 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-5, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start
    

If you've upgraded to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14 or greater, and you are using Clustering,

  1. After completing steps 1-5, apply the changes to all cluster nodes.

    $ ghe-cluster-config-apply
    

Verification and Mitigation if Immediate Upgrade is not Possible

If you're unable to upgrade immediately to the latest patch release, GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater,

  1. SSH to your primary GitHub Enterprise appliance.

  2. Download the list of leaked SSH host keys and verify its content using any of the provided hashes.

    $ curl -O https://enterprise.github.com/security/2016-09-20/ghe-ssh-leaked-host-keys-list.txt
    $ sha256sum ghe-ssh-leaked-host-keys-list.txt
    3bb29658784a4059a41f1a77cffba9586baab179ba07b795f80e12a9f10c5665  ghe-ssh-leaked-host-keys-list.txt
    $ sha1sum ghe-ssh-leaked-host-keys-list.txt
    5db799da044da9aae0bcfc523d22e7ce0fe72550  ghe-ssh-leaked-host-keys-list.txt
    $ md5sum ghe-ssh-leaked-host-keys-list.txt
    de75bcb0bf1d13e15620952c0af8da41  ghe-ssh-leaked-host-keys-list.txt
    
  3. Print the fingerprint of your GitHub Enterprise appliance's SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

    $ ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub
    1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /etc/ssh/ssh_host_dsa_key.pub (DSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
    256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
    $ ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
    256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /etc/ssh/ssh_host_ed25519_key.pub (ED25519)
    $ ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
    2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /etc/ssh/ssh_host_rsa_key.pub (RSA)
    
  4. Check for leaked SSH host keys by comparing against the downloaded list of leaked SSH host keys.

  5. If one or more SSH host keys were found in the blacklist, continue to the next step. Otherwise, your GitHub Enterprise environment is not vulnerable.

  6. Put your GitHub Enterprise environment in Maintenance Mode.

  7. Remove all SSH host keys.

    $ sudo rm -f /etc/ssh/ssh_host_*
    
  8. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used, and only regenerated, in 2.7.4 or greater.

    $ sudo ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
    $ sudo dpkg-reconfigure openssh-server
    
  9. Apply the changes to the ssh and babeld services.

    $ sudo cp /etc/ssh/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /data/user/common/
    $ sudo chown babeld:babeld /data/user/common/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub}
    

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater, and you are using the High Availability Configuration,

  1. After completing steps 1-9, stop replication on the replica appliance.

    $ ghe-repl-stop
    
  2. Synchronize the SSH host keys from the primary appliance.

    $ ghe-repl-setup
    
  3. Resume replication on the replica appliance.

    $ ghe-repl-start
    

If you're unable to upgrade immediately to GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, or greater, and you are using Clustering,

  1. After completing steps 1-9, apply the changes to all cluster nodes.

    $ ghe-cluster-config-apply
    

Post SSH Host Key Rotation

After rotating the SSH host keys, your GitHub Enterprise environment can exit Maintenance Mode.

Your end-users will receive an error message when attempting to use the Administrative Shell (SSH) or the SSH protocol for Git activity. The rotation does not affect users using the HTTPS protocol for Git activity.

For example, the following is the output on the command line,

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Please contact your system administrator.
Add correct host key in /Users/monalisa/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/monalisa/.ssh/known_hosts:42
ECDSA host key for [github.example.com]:122 has changed and you have requested strict checking.
Host key verification failed.

After updating their known_hosts file, end-users will be prompted to accept the new fingerprint.

$ ssh -p 122 admin@github.example.com
The authenticity of host '[github.example.com]:122 ([169.254.1.1]:122)' can't be established.
ECDSA key fingerprint is SHA256:seFT9eIOmAZWbfcO9yU1sXiEYIqcrdi0qttbtmNm0Io.
Are you sure you want to continue connecting (yes/no)?

We strongly recommend publishing your GitHub Enterprise appliance's SSH host key fingerprints in a location that is accessible to all your end-users. For example, for GitHub.com, we publish the SSH fingerprints at https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/.

If you'd like to give end-users notice before rotating the SSH host keys, follow the instructions in the Verification and Mitigation if Immediate Upgrade is not Possible section, skipping step 7 and replacing step 8 with,

  1. Regenerate the SSH host keys.
    Note: The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used, and only regenerated, in 2.7.4 or greater.

    i. Pre-generate new SSH host keys to a temporary directory.

      $ ssh-keygen -t dsa -N "" -f /var/tmp/ssh_host_dsa_key
      $ ssh-keygen -t rsa -N "" -f /var/tmp/ssh_host_rsa_key
      $ ssh-keygen -t ecdsa -N "" -f /var/tmp/ssh_host_ecdsa_key
      $ ssh-keygen -t ed25519 -N "" -f /var/tmp/ssh_host_ed25519_key
    

    ii. Print the fingerprints of the newly generated SSH host keys that are staged for rotation.

      $ ssh-keygen -lf /var/tmp/ssh_host_dsa_key.pub
      1024 b2:69:82:2f:25:48:bb:fc:62:c7:9a:de:41:42:13:55 /var/tmp/ssh_host_dsa_key.pub (DSA)
      $ ssh-keygen -lf /var/tmp/ssh_host_ecdsa_key.pub
      256 c0:cb:fd:07:33:e9:62:14:6b:fb:d5:26:54:f3:c5:0d /var/tmp/ssh_host_ecdsa_key.pub (ECDSA)
      $ ssh-keygen -lf /var/tmp/ssh_host_ed25519_key.pub
      256 d6:92:21:4b:04:3b:22:f5:ee:85:0a:63:bf:b3:fe:9b /var/tmp/ssh_host_ed25519_key.pub (ED25519)
      $ ssh-keygen -lf /var/tmp/ssh_host_rsa_key.pub
      2048 0f:ee:8d:02:2d:e1:76:f3:eb:f5:af:cb:38:9a:1c:33 /var/tmp/ssh_host_rsa_key.pub (RSA)
    

    iii. Once you are ready to migrate to the new, rotated SSH host keys, move the host keys from the temporary directory and apply the changes to the ssh service.

      $ sudo mv /var/tmp/ssh_host_{rsa,dsa,ecdsa,ed25519}_key{,.pub} /etc/ssh
      $ sudo service ssh restart
    

    iv. Continue with step 9 in the Verification and Mitigation if Immediate Upgrade is not Possible section.

ssh_host_ed25519_key in GitHub Enterprise

The 2.x versions of GitHub Enterprise on all supported platforms:

  • Hyper-V (VHD)
  • OpenStack KVM (QCOW2)
  • VMware ESXi/vSphere (OVA)
  • Xen (VHD)
  • Amazon Web Services
  • Microsoft Azure

contain a pre-generated ssh_host_ed25519_key. However, only GitHub Enterprise 2.7.4 or greater uses the ssh_host_ed25519_key. You can verify this by checking your GitHub Enterprise appliance's /etc/ssh/sshd_config, which contains the line HostKey /etc/ssh/ssh_host_ed25519_key only in 2.7.4 or greater.

The ssh_host_ed25519_key may exist on your GitHub Enterprise appliance but is only used in 2.7.4 or greater.

If you've upgraded your appliance to 2.7.4 or greater on any of the supported platforms including Amazon Web Services, please follow the instructions in the Verification and Mitigation on GitHub Enterprise 2.7.4, 2.6.9, 2.5.14, 2.4.17, 2.3.21, or greater section.

Security Fixes

  • CRITICAL: Pre-generated SSH host keys were not regenerated when installing appliances from GitHub Enterprise 2.x images.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • When rejected from a pre-receive hook, API merge requests incorrectly returned Internal Server Error.
  • Webhooks failed to deliver when the external server could only be resolved by the configured proxy server.
  • The snmpd service did not automatically start on replica instances.
  • The ghe-system-info command line utility was not available to run because the utility was missing from the $PATH.
  • In a clustering environment, the redis-server role may not have dedicated memory allocated to the redis service.
  • In a clustering environment, storage assets that were not replicated or marked for deletion were not properly maintained.
  • Users were unable to add or remove deploy keys when LDAP sync is enabled.
  • In a clustering environment, the ghe-cluster-config-check command line utility terminated early from unsuccessful cURL checks.
  • Pre-receive hooks using the git-grep command may have failed using the default hook environment due to missing libraries.
  • The initial push of a repository with many Git refs could time out.
  • The root API endpoint incorrectly returned Not Found when the trailing slash was omitted.
  • Repository maintenance could time out for large repositories, so the timeout was increased to 120 minutes.
  • Upgrades could incorrectly output "upgrade failed!" after a successful upgrade.
  • After upgrading, the site admin page on replica instances could incorrectly show "Verifying ElasticSearch indexes".
  • Elasticsearch logs could grow very large due to incorrect HTTP and HTTPS connection management.
  • SSH forced commands containing ${} were not configurable from the Management Console.
  • The ghe-ssl-ca-certificate-install command line utility did not accept a piped certificate as input.

Changes

  • GitHub Enterprise is now available in the Asia Pacific (Mumbai) AWS region.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • Upgrade to 2.7.4 will fail on "Running Migration" if there are multiple OAuth applications named "GitHub Desktop". (updated 2016-09-22)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Errata

  • The Pre-generated SSH Host Keys in GitHub Enterprise vulnerability disclosure added the ssh_host_ed25519_key in GitHub Enterprise for GitHub Enterprise 2.7.4 or greater appliances on the Amazon Web Services platform. (updated 2016-09-22)
  • The known issue "Editing custom messages in the Admin center doesn't provide emoji suggestions" was resolved in 2.7.0. (updated 2016-09-21)
  • The known issue "Native emoji are lost when saving custom messages in the Admin center" was resolved in 2.7.0. (updated 2016-09-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.3 August 30, 2016 Download

Security Fixes

  • Packages have been updated to the latest security versions.

Bug Fixes

  • In a clustering environment, Gists were not being replicated to new nodes.
  • In a clustering environment, Git pushes could time out while waiting for the server to replicate data.
  • LFS files with spaces in the file path were not rendered properly.
  • git-lfs pull could cause high MySQL CPU usage.
  • Unsuspending users did not check for available license seats.
  • Gist IDs could incorrectly collide when MySQL restarted.
  • The Git proxy service, babeld, did not scale the number of workers when memory was added.
  • Pre-receive hooks failed when using an environment with incorrect /tmp permissions.
  • Issue assignees assigned in GitHub Enterprise 2.6 or earlier weren't visible.
  • Dynamic worker optimizations could exhaust the maximum number of allowed MySQL connections. MySQL's max_connections was increased to 2000.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering can not be configured without https.
  • Additional white spacing can sometimes be seen above the Admin center header.
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Errata

  • The known issue "Editing custom messages in the Admin center doesn't provide emoji suggestions" was resolved in 2.7.0. (updated 2016-09-21)
  • The known issue "Native emoji are lost when saving custom messages in the Admin center" was resolved in 2.7.0. (updated 2016-09-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.2 August 16, 2016 Download

Security Fixes

  • CRITICAL: Fixed a buffer overflow vulnerability in a network accessible service. Exploitation could result in remote code execution or denial of service. This vulnerability was identified internally and currently no known exploits exist.
  • HIGH: Worked around Microsoft Internet Explorer bug causing redirects to the incorrect hostname during OAuth negotiation.
  • MEDIUM: Users were able to delete SSH and/or GPG keys when LDAP sync is enabled.
  • Packages have been updated to the latest security versions.

Bug Fixes

  • An appliance would enter maintenance mode earlier than expected if scheduled more than a week in advance.
  • ghe-diagnostics printed a benign unrecognised disk label error message.
  • Pre-receive hooks using the curl and/or gpg command may have failed using the default hook environment due to missing libraries.
  • Git pushes were denied if the pre-receive hook timed out on repositories with a non-enforced exit-status.
  • Public Pages could not be configured when Private Mode is enabled.
  • The Pages preview API showed incorrect values for html_url and erroneously used cname when subdomain isolation is enabled.
  • sudo and commands that call sudo, like the ghe-repl-* commands, would print a harmless sudo: unable to resolve host message when run on AWS-hosted high availability replicas.
  • Avatars may have failed to render in a clustering environment.
  • Large file uploads may have timed out in a clustering environment.
  • git operations may have blocked indefinitely if the data volume had less than 10% free disk space.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Additional whitespace can sometimes be seen above the Admin center header.
  • Issue assignees assigned in GitHub Enterprise 2.6 or earlier aren't visible. (updated 2016-08-27)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Errata

  • The known issue "Editing custom messages in the Admin center doesn't provide emoji suggestions" was resolved in 2.7.0. (updated 2016-09-21)
  • The known issue "Native emoji are lost when saving custom messages in the Admin center" was resolved in 2.7.0. (updated 2016-09-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.1 August 09, 2016 Download

Bug Fixes

  • Pre-receive hooks using the awk command in the default hook environment would fail with a cannot open shared object file message.
  • The network information displayed on the hypervisor console didn't display correctly if the instance did not have an IP address.
  • Updated glibc to fix an assertion error during DNS lookups which occurred in very specific network setups. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825699 for more details.
  • The task_list_instrumentation queue in the output from ghe-resque-info would show harmless unprocessed jobs. These are now being correctly processed.
  • When LDAP sync is enabled for SSH and/or GPG keys, users were still able to add new keys via the web UI.
  • New and upgraded AWS-hosted instances would default to using 8.8.8.8 for the DNS server. This could cause issues if that DNS server is not reachable.
  • Language breakdown for an empty repository would fail with a HTTP 500 error.
  • Administrators could not view a user's GPG keys via the Site Admin dashboard.

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Additional whitespace can sometimes be seen above the Admin center header.
  • git operations may block indefinitely if the data volume has less than 10% free disk space. (updated 2016-08-16)
  • Issue assignees assigned in GitHub Enterprise 2.6 or earlier aren't visible. (updated 2016-08-27)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Backups and Disaster Recovery

GitHub Enterprise 2.7 requires at least GitHub Enterprise Backup Utilities 2.7.0 for Backups and Disaster Recovery. (updated 2016-08-15)

Errata

  • The known issue "Editing custom messages in the Admin center doesn't provide emoji suggestions" was resolved in 2.7.0. (updated 2016-09-21)
  • The known issue "Native emoji are lost when saving custom messages in the Admin center" was resolved in 2.7.0. (updated 2016-09-21)

Thanks!

The GitHub Team

GitHub Enterprise 2.7.0 August 03, 2016 Download

Features

With the new features added in GitHub Enterprise 2.7.0, you can:

Security Fixes

  • CRITICAL: In versions of GitHub Enterprise prior to 2.7, a SAML- or CAS-authenticated user may log in as another user if they have full control of the login value registered with the external authentication provider. While this issue only affects specific installations, we have released this as a CRITICAL issue given its impact when external authentication configurations allow user control of registered logins.
  • LOW: The permissions on rbenv, used by many components of GitHub Enterprise, have been tightened.
  • Packages have been updated to the latest security versions.
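To make the impersonation risk above concrete, here is an added illustration. It is not GitHub Enterprise code and does not describe how GitHub Enterprise maps users internally; the account store, the assertion fields `login` and `subject_id`, and the sample users are hypothetical. It contrasts a mapping that treats a user-editable login attribute as the identity with one that keys on an immutable identifier issued by the provider and never silently links an existing local login to a new subject.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class AuthError(Exception):
    """Raised when an assertion cannot be mapped to a local account safely."""


@dataclass
class Account:
    login: str
    is_admin: bool = False
    # Immutable identifier the provider issued for this person, recorded when
    # the account was linked. None means the account was never linked.
    subject_id: Optional[str] = None


class AccountStore:
    """Hypothetical local user table with lookups by login and by subject."""

    def __init__(self, accounts: List[Account]) -> None:
        self.accounts = list(accounts)

    def by_login(self, login: str) -> Optional[Account]:
        return next((a for a in self.accounts if a.login == login), None)

    def by_subject(self, subject_id: str) -> Optional[Account]:
        return next((a for a in self.accounts if a.subject_id == subject_id), None)

    def provision(self, login: str, subject_id: str) -> Account:
        if self.by_login(login) is not None:
            raise AuthError("login already in use")
        acct = Account(login=login, subject_id=subject_id)
        self.accounts.append(acct)
        return acct


def login_by_asserted_login(store: AccountStore, assertion: Dict[str, str]) -> Account:
    """VULNERABLE: the asserted `login` attribute *is* the identity.

    If the provider lets users edit that attribute, anyone who sets it to
    "alice" is logged in as alice, admin rights included.
    """
    acct = store.by_login(assertion["login"])
    if acct is None:
        acct = store.provision(assertion["login"], assertion["subject_id"])
    return acct


def login_by_subject(store: AccountStore, assertion: Dict[str, str]) -> Account:
    """HARDENED: identity is the provider's immutable subject identifier.

    The asserted `login` only names a brand-new account; an existing local
    login is never linked to a new subject without an administrator.
    """
    subject_id = assertion.get("subject_id")
    if not subject_id:
        raise AuthError("assertion carries no immutable subject identifier")
    acct = store.by_subject(subject_id)
    if acct is not None:
        return acct  # the asserted login plays no part in the lookup
    if store.by_login(assertion["login"]) is not None:
        # Auto-linking an unlinked (or differently linked) local account to
        # whoever asserts its login is exactly the takeover window: refuse.
        raise AuthError(f"login {assertion['login']!r} already exists locally; not auto-linking")
    return store.provision(assertion["login"], subject_id)


def build_store() -> AccountStore:
    """Constructed sample users for the demonstration."""
    return AccountStore([
        Account("alice", is_admin=True, subject_id="idp-1001"),
        Account("bob", subject_id="idp-1002"),
        Account("carol"),  # local-only account, never linked to the provider
    ])


def attempt(mapper: Callable[[AccountStore, Dict[str, str]], Account],
            assertion: Dict[str, str]) -> Tuple[str, str, bool]:
    """Run one login attempt against a fresh store and summarise the outcome."""
    try:
        acct = mapper(build_store(), assertion)
    except AuthError as exc:
        return ("rejected", str(exc), False)
    return ("ok", acct.login, acct.is_admin)


if __name__ == "__main__":
    # Constructed attacker assertion: a genuine provider identity (idp-6666)
    # whose editable login attribute has been changed to "alice".
    attacker = {"login": "alice", "subject_id": "idp-6666"}
    print("vulnerable:", attempt(login_by_asserted_login, attacker))
    print("hardened:  ", attempt(login_by_subject, attacker))
```

The hardened path also keeps a user attached to the same local account when their login at the provider is renamed, because the lookup never consults the login attribute once a subject is linked. Whether a provider's subject identifier is truly immutable and unique is a property of that provider's configuration and has to be confirmed there, not assumed.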

Bug Fixes

  • Webhook responses that were not encoded as UTF-8 would not be viewable in the delivery log.
  • Organizations could be suspended using the ghe-user-suspend command.
  • Transparent avatars were rendered with an opaque white background.
  • Clicking the rocket icon led to the current repository administration page instead of the intended Site admin page.
  • The first part of the fully qualified hostname was used in the system logs instead of the normalized hostname.
  • Uploading PNG images with drag and drop could fail with the error 'Something went really wrong, and we can't process that file.'.
  • The mobile view of a repository didn't show the total number of commits.
  • Repository push logs didn't record whether a push was forced.
  • Avatars may not have been displayed on preview.
  • Console text was difficult to read on OpenStack KVM.
  • The "Revert" button was missing when a pull request was squash merged. (updated 2016-09-21)

Changes

  • Upgrading of Elasticsearch indices is now a background process. Searching will continue to operate normally during this time.
  • The speed of some SVN to Git operations has been improved.
  • The ghe-webhook-logs command-line utility, a viewer for webhook logs, has been introduced.
  • Unsubscribe links now require authentication. The logged in user must match the user the link was originally sent to in order for the unsubscribe to occur.
  • RequestDenied SAML responses are better handled and a descriptive message is returned to the user.
  • Webhooks can now be migrated along with repository and user data using gh-migrator.
  • GitHub Pages uses Jekyll 3.1.
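The unsubscribe change above, as an added example that is not GitHub Enterprise code: the page does not say how unsubscribe links are constructed, so the HMAC-signed token, its claim names, the secret and the timestamps are all assumptions made here for illustration. What the example shows is the difference between honouring any valid link and requiring a session whose user matches the user the link was minted for.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Hypothetical server-side secret, constructed for this example only.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(user_id: int, thread_id: int, issued_at: int,
                           ttl: int = 30 * 86400) -> str:
    """Mint the token carried by the unsubscribe link in a notification e-mail."""
    claims = {"user": user_id, "thread": thread_id, "exp": issued_at + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def parse_token(token: str, now: int) -> Optional[Dict[str, int]]:
    """Return the claims if the signature verifies and the token is unexpired."""
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims


def unsubscribe_unauthenticated(token: str, now: int) -> Tuple[str, Optional[int]]:
    """Link-only flow: whoever holds a valid link unsubscribes its recipient.

    A forwarded e-mail or a URL captured in a log is enough to act on
    someone else's subscription.
    """
    claims = parse_token(token, now)
    if claims is None:
        return ("invalid", None)
    return ("unsubscribed", claims["user"])


def unsubscribe_authenticated(token: str, session_user: Optional[int],
                              now: int) -> Tuple[str, Optional[int]]:
    """Authenticated flow: a session is required and its user must be the
    user the link was minted for."""
    claims = parse_token(token, now)
    if claims is None:
        return ("invalid", None)
    if session_user is None:
        return ("login_required", None)
    if session_user != claims["user"]:
        return ("forbidden", None)
    return ("unsubscribed", claims["user"])


if __name__ == "__main__":
    now = 1_470_000_000
    link_for_42 = make_unsubscribe_token(42, 7, now)
    print("link only, no session:     ", unsubscribe_unauthenticated(link_for_42, now))
    print("authenticated, wrong user: ", unsubscribe_authenticated(link_for_42, 43, now))
    print("authenticated, right user: ", unsubscribe_authenticated(link_for_42, 42, now))
```

The signature still matters in the authenticated flow: without it a logged-in user could edit the `user` claim in a link and the server would have to rely on the session check alone. The two checks are independent, and the token's expiry limits how long a leaked link stays usable at all.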

Backups and Disaster Recovery

GitHub Enterprise 2.7 requires at least GitHub Enterprise Backup Utilities 2.7.0 for Backups and Disaster Recovery. (updated 2016-08-15)

Deprecation of GitHub Enterprise 2.2

GitHub Enterprise 2.2 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of GitHub Enterprise 2.3

GitHub Enterprise 2.3 will be deprecated as of October 2016. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Upcoming deprecation of Markdown engines

GitHub Pages on GitHub Enterprise 2.8 and later will only support kramdown, Jekyll's default Markdown engine. If you are currently using Rdiscount or Redcarpet, note that kramdown's GitHub-flavored Markdown support is now enabled by default, so kramdown should cover the features of both deprecated engines. The transition should be as simple as setting the Markdown engine to kramdown in your site's configuration (or removing the setting entirely, since kramdown is the default).

Known Issues

  • We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
  • Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
  • On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
  • Custom firewall rules aren't maintained during an upgrade.
  • Enqueued background jobs are sometimes not purged when a repository is deleted.
  • svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
  • GitHub Enterprise clustering cannot be configured without https.
  • Administrators cannot view a user's GPG keys via the Site Admin dashboard.
  • Additional whitespace can sometimes be seen above the Admin center header.
  • When LDAP sync is enabled for SSH and/or GPG keys, users are still able to add new keys via the web UI.
  • New and upgraded AWS-hosted instances will default to using 8.8.8.8 for the DNS server. This can cause issues if that DNS server is not reachable. Run sudo rm /etc/resolv.conf && sudo ln -s /etc/resolvconf/run/resolv.conf /etc/resolv.conf and then reboot to work around this issue. (updated 2016-08-04)
  • Pre-receive hooks using the awk command in the default hook environment will fail with a cannot open shared object file message. (updated 2016-08-08)
  • git operations may block indefinitely if the data volume has less than 10% free disk space. (updated 2016-08-16)
  • Issue assignees assigned in GitHub Enterprise 2.6 or earlier aren't visible. (updated 2016-08-27)
  • The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
  • Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
  • collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)

Errata

  • The known issue "Editing custom messages in the Admin center doesn't provide emoji suggestions" was resolved in 2.7.0. (updated 2016-09-21)
  • The known issue "Native emoji are lost when saving custom messages in the Admin center" was resolved in 2.7.0. (updated 2016-09-21)

Thanks!

The GitHub Team