GitHub Enterprise 2.8 will be deprecated as of November 9, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- ghe-repl-status-pages showed a critical status if run while a sync is in progress.
- ghe-set-password when the appliance is in recovery mode.
- ghe-diagnostics could output Connection refused line items when Redis, Memcached, or Elasticsearch services aren't running.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
In response to CVE-2017-15361, certain SSH authentication RSA keys that were generated by some Yubikey 4 devices are vulnerable to private key factorization. Such keys are considered cryptographically weak and therefore in need of replacement. To help users avoid vulnerable keys, GitHub Enterprise has added capabilities to detect and reject them from being configured for user authentication. GitHub Enterprise now includes an administration utility, ghe-ssh-weak-fingerprints, to enable admins to list any affected keys and, optionally, perform a bulk revocation.
The affected supported versions are:
This vulnerability was found and reported internally and we have no evidence that it has been exploited in the wild.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.22, 2.9.14, 2.10.9, or 2.11.3.
Please contact GitHub Enterprise Support if you have questions.
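As an added illustration of what such a detection amounts to (this is example code written for these notes, not GitHub's ghe-ssh-weak-fingerprints utility), the script below parses ssh-rsa public key lines in authorized_keys format, extracts the modulus and applies the published ROCA fingerprint test from Nemec et al. (CCS 2017): for each small prime p in the affected generator's modulus M, N mod p must lie among the powers of 65537 mod p. A random RSA modulus passes all of these checks with negligible probability, so a match is a strong signal that the key needs replacing. The sample keys are constructed, not real Yubikey output: the first is built with the generator's k*M + 65537^a mod M shape (primality is irrelevant to the fingerprint and deliberately not enforced), the second is 2^2048 - 1, which fails at the very first prime.

```python
import base64
import struct

# Primes 3..167; together with 2 these are the first 39 primes, whose product is the
# smallest modulus M used by the affected key generator. The published ROCA fingerprint
# (Nemec et al., CCS 2017) checks N mod p against the powers of 65537 for each of them.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def _powers_mod(p):
    """Residues mod p reachable as 65537^k, i.e. the subgroup the generator lands in."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


FINGERPRINT = {p: _powers_mod(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True if modulus n has the residue structure of a key from the affected generator."""
    return all(n % p in FINGERPRINT[p] for p in SMALL_PRIMES)


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix) at offset off."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def rsa_modulus_from_openssh(line):
    """Modulus of an 'ssh-rsa AAAA... comment' public key line; None for other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(parts[1])
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)       # public exponent; not needed for the test
    n_bytes, _ = _read_string(blob, off)
    return int.from_bytes(n_bytes, "big")


def scan_authorized_keys(text):
    """(comment, modulus bits, flagged) for every RSA key in authorized_keys-style text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        n = rsa_modulus_from_openssh(line)
        if n is None:
            continue
        fields = line.split(None, 2)
        comment = fields[2] if len(fields) > 2 else ""
        findings.append((comment, n.bit_length(), has_roca_fingerprint(n)))
    return findings


# ---- constructed sample input (no real keys) ---------------------------------

def _mpint(x):
    data = x.to_bytes(x.bit_length() // 8 + 1, "big")   # extra byte keeps the sign bit clear
    return struct.pack(">I", len(data)) + data


def openssh_line(n, e=GENERATOR, comment="constructed"):
    """Encode (e, n) as an OpenSSH public key line; used here only to build sample input."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


M = 1
for _p in SMALL_PRIMES:
    M *= _p


def constructed_roca_style_modulus(a, b, k1, k2):
    """N = p*q with p, q in the generator's shape k*M + 65537^a mod M. The fingerprint depends
    only on N mod small primes, so p and q are deliberately not tested for primality."""
    p = k1 * M + pow(GENERATOR, a, M)
    q = k2 * M + pow(GENERATOR, b, M)
    return p * q


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; neither RSA key below is a real key",
    openssh_line(constructed_roca_style_modulus(5, 9, 2**800 + 12345, 2**800 + 67891),
                 comment="token-style-key"),
    openssh_line(2**2048 - 1, comment="unaffected-key"),   # divisible by 3: fails at once
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ignored",
])

if __name__ == "__main__":
    for comment, bits, flagged in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment:18s} {bits}-bit  {'WEAK: ROCA fingerprint' if flagged else 'ok'}")
```

Run against a real authorized_keys file the same scanner only needs `scan_authorized_keys(open(path).read())`; non-RSA key lines are skipped rather than reported, since the factorization issue is specific to RSA moduli from the affected generator.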
- ghe-migrator.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
This release has been withdrawn and is no longer available. Please upgrade to a newer version or contact support for assistance.
If you have already upgraded your appliance to GitHub Enterprise 2.8.20, please contact support for assistance.
- ghe-migrator.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- admin:pre_receive_hook scope wasn't displayed when authorizing an OAuth application requesting this particular scope.
GitHub Enterprise 2.8 will be deprecated as of November 9, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- ghe-update-check --help would fail if ghe-update-check was already running.
- longpoll service, which provides live updates to Issues and Pull Requests pages, has been lowered.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- ssh:// URLs during submodule cloning. This mitigates the vulnerability detailed in CVE-2017-100117, which could have allowed an authenticated attacker to run arbitrary commands on a GitHub Enterprise environment through Pages builds. (updated 2017-08-10)
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- babeld.
- ghe-support-bundle command now honors the http_proxy environment variable.
- X-Forwarded-For header will now be recorded in the HAProxy log.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- 404 page with an appliance configured to use public mode and SAML, the "Sign in" button was illegible.
- contributions_backfill background jobs were enqueued on every additional push to a repository, even if it contained no commits from users of the appliance.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- sed: couldn't flush stdout: Broken pipe.
- mount: can't find ... error messages.
- ghe-upgrade.log contained harmless /proc/... No such file or directory messages.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
A CRITICAL security fix for the Git LFS client was released on 19 May. The remote code execution vulnerability can be exploited if:
- a repository contains a .lfsconfig with:
  ...
  url = ssh://-oProxyCommand=command
  ...
- a user clones the malicious repository with a vulnerable Git LFS client
This vulnerability exists in the Git LFS client and not GitHub Enterprise. However, we strongly encourage all users of GitHub Enterprise to upgrade their Git LFS client to v2.1.1 (or greater) from https://git-lfs.github.com/.
Please contact GitHub Enterprise Support if you have any questions.
Note: GitHub Enterprise supports broadcasting messages directly on the application with ghe-announce and by creating a custom sign-in message.
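This advisory and the CVE-2017-100117 submodule fix above come down to the same defect: a URL whose host part starts with "-" is handed to ssh, which reads it as an option such as -oProxyCommand rather than a hostname. The following is an added example (not Git LFS or GitHub code) of the check a defender might run in a pre-receive hook or CI job: it parses git-config style files such as .lfsconfig and .gitmodules and reports every url value that would reach ssh as an option-looking host, in either ssh:// or scp-like [user@]host:path form. The file contents are constructed samples; the flagged URL is the one quoted in the advisory.

```python
import re

# Section header of a git-config style file, e.g. [lfs] or [submodule "vendor/lib"]
SECTION_RE = re.compile(r'^\[\s*([^\]]+?)\s*\]$')
SSH_SCHEMES = ("ssh://", "git+ssh://", "ssh+git://")


def parse_git_config(text):
    """Minimal reader for git-config style files (.lfsconfig, .gitmodules, .git/config).
    Returns (section, key, value) triples; comments and blank lines are ignored."""
    triples, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            triples.append((section, key.strip().lower(), value.strip()))
    return triples


def unsafe_ssh_url(url):
    """True if the token git or Git LFS would hand to ssh as the host (or user@host) starts
    with '-', so ssh would parse it as a command-line option instead of a hostname."""
    lowered = url.lower()
    for scheme in SSH_SCHEMES:
        if lowered.startswith(scheme):
            authority = url[len(scheme):].split("/", 1)[0]
            host = authority.rsplit("@", 1)[-1]
            return authority.startswith("-") or host.startswith("-")
    if "://" not in url and ":" in url:           # scp-like form: [user@]host:path
        host = url.split(":", 1)[0].rsplit("@", 1)[-1]
        return host.startswith("-")
    return False


def find_unsafe_urls(files):
    """files maps filename -> content. Returns (filename, section, url) for each url value
    that would reach ssh as an option-looking host."""
    hits = []
    for name, content in files.items():
        for section, key, value in parse_git_config(content):
            if key == "url" and unsafe_ssh_url(value):
                hits.append((name, section, value))
    return hits


# Constructed sample files; the two flagged entries reuse the exact url from the advisory.
SAMPLE_FILES = {
    ".lfsconfig": "[lfs]\n\turl = ssh://-oProxyCommand=command\n",
    ".gitmodules": (
        '[submodule "vendor/bad"]\n\tpath = vendor/bad\n\turl = ssh://-oProxyCommand=command\n'
        '[submodule "vendor/ok"]\n\tpath = vendor/ok\n\turl = git@github.example.com:org/ok.git\n'
    ),
    "config": '[remote "origin"]\n\turl = https://github.example.com/org/repo.git\n',
}

if __name__ == "__main__":
    for name, section, url in find_unsafe_urls(SAMPLE_FILES):
        print(f"{name} [{section}]: url {url!r} would be passed to ssh as an option")
```

The check deliberately looks at the authority as a whole as well as at the host after any user@ part, so a leading "-" in either position is rejected; that is the same rule a fixed client applies before invoking ssh.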
- ghe-cluster-status would use the configured proxy when querying each node.
- pages-server and storage-server nodes would fail.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- X-Content-Type-Options HTTP header correctly.
- /data/user/tmp to preserve free space on the root filesystem.
GitHub Enterprise 2.6 is now deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- jq utility has been added to the default pre-receive hook environment.
GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- /trending page could incorrectly display a Sign up for free button.
- ghe-check-disk-usage incorrectly defaulted to a --verbose run.
- @ could cause comments to be truncated.
GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- metrics-servers.
GitHub Enterprise 2.5 is now deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
GitHub Enterprise 2.6 will be deprecated as of April 26, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- svn checkout could incorrectly fail with a 429 HTTP error code.
- / character.
- Device or resource busy.
- Encoding::Compatibility error occurred when viewing a webhook from /stafftools.
- storage-server is removed.
- storage-server repair jobs took a long time when a new storage-server is added.
- enterprise-manage and resolvconf services were incorrectly stopped after ghe-cluster-config-apply.
- github-unicorn service was restarted.
- <Destination> element is no longer optional in the SAML response.
GitHub Enterprise 2.4 is now deprecated as of February 9, 2017. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
GitHub Enterprise 2.5 will be deprecated as of March 14, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
A CRITICAL issue was identified that allows an attacker to bypass SAML authentication. The vulnerability is applicable if the attacker has access to a validly signed SAML assertion or response against the configured Verification certificate. When applicable, an attacker can sign in as any user, including administrators.
The affected supported versions are:
Note: This is a different vulnerability than the one addressed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20.
A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. The vulnerability is applicable if the attacker has access to configure a repository's Webhooks - owner or admin privileges to a repository.
The affected supported versions are:
A CRITICAL issue was identified that allows an attacker to execute arbitrary commands on the GitHub Enterprise appliance. This vulnerability exists in the Management Console which is accessible from port 8080 and 8443. This is only applicable to GitHub Enterprise 2.8.0 - 2.8.6.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.
Additionally, if SAML authentication is configured in your appliance, all existing SAML user sessions should be destroyed:
1. Put your GitHub Enterprise environment in Maintenance Mode.
2. SSH to your primary GitHub Enterprise appliance.
3. Destroy the existing SAML sessions.
   $ echo SAML::Session.destroy_all | ghe-console -y
4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, or 2.4.23.
If possible, we also recommend restricting Management Console access to your site administrators.
These vulnerabilities were reported through the GitHub Security Bug Bounty program and we have no evidence that they have been exploited in the wild. To learn more about the Bug Bounty program for GitHub Enterprise, visit https://bounty.github.com/targets/github-enterprise.html and our recent blog post about the inclusion of GitHub Enterprise, Bug Bounty anniversary promotion: bigger bounties in January and February.
Please contact GitHub Enterprise Support if you have any questions.
- ghe-migrator failed to import when running on a node with the git-server role.
- /stafftools notification could incorrectly link to a deleted user's page.
- /repos/:owner/:repo/collaborators.
GitHub Enterprise 2.5 will be deprecated as of March 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
A CRITICAL issue was identified that allows an attacker to bypass SAML authentication by creating a fake response. This could allow the attacker to sign in as any user, including administrators.
The affected supported versions are:
If you are using SAML as your authentication method, we strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.
Additionally, all existing user sessions should be destroyed:
1. Put your GitHub Enterprise environment in Maintenance Mode.
2. SSH to your primary GitHub Enterprise appliance.
3. Destroy the existing SAML sessions.
   $ echo SAML::Session.destroy_all | ghe-console -y
4. Upgrade to the latest patch release in your series, GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, or 2.5.20.
This vulnerability was reported through the GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.
Please contact GitHub Enterprise Support if you have any questions.
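Both SAML advisories above (the bypass fixed in 2.8.6 and the one fixed in 2.8.7) concern a service provider accepting a response it should have rejected. The added example below is not GitHub's implementation of either fix and does not verify signature values; it assumes an XML-DSig library has already checked them against the configured verification certificate, and shows the structural checks a relying party has to make in addition: Destination must equal the SP's assertion consumer URL (compare the <Destination> change noted in the 2.8.x release notes above), exactly one Assertion may be present, each enveloped signature must reference the element that contains it and one of them must cover the Response or that Assertion, and the Conditions window and AudienceRestriction must fit this SP. The sample response, ACS URL, entity ID and clock values are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Constructed values standing in for the appliance's ACS URL, entity ID and clock.
ACS_URL = "https://ghe.example.com/saml/consume"
SP_ENTITY_ID = "https://ghe.example.com"
EXAMPLE_NOW = datetime(2017, 2, 1, 12, 0, 30, tzinfo=timezone.utc)
EXAMPLE_LATER = datetime(2017, 2, 1, 12, 30, 0, tzinfo=timezone.utc)


def _saml_time(s):
    # Assumes whole-second UTC timestamps; real responses may carry fractional seconds.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, acs_url, sp_entity_id, now, skew=timedelta(minutes=3)):
    """Return the reasons to reject the response (an empty list means every check passed).
    Signature values are assumed to have been verified already by an XML-DSig library
    against the configured verification certificate; these are the checks needed besides that."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]

    # Destination is mandatory and must be exactly our assertion consumer URL.
    if root.get("Destination") != acs_url:
        problems.append("Destination missing or not our ACS URL")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion = assertions[0]

    # Each enveloped signature must reference the element that contains it, and at least one
    # must cover the Response or the Assertion we take the identity from. A signed assertion
    # moved elsewhere in the document therefore does not vouch for this one.
    parent = {child: elem for elem in root.iter() for child in elem}
    covered = set()
    for sig in root.iter(f"{{{NS['ds']}}}Signature"):
        owner = parent[sig]
        uris = [r.get("URI", "") for r in sig.iter(f"{{{NS['ds']}}}Reference")]
        if uris == ["#" + (owner.get("ID") or "")]:
            covered.add(owner)
        else:
            problems.append("signature Reference does not point at its own enclosing element")
    if root not in covered and assertion not in covered:
        problems.append("neither the Response nor the Assertion is covered by a signature")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - skew >= _saml_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("AudienceRestriction does not name this service provider")
    return problems


def sample_response(destination=ACS_URL, signed_id="_a1"):
    """Constructed response skeleton for exercising the checks; the signature value is a
    placeholder, which is fine because value verification is outside this function."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2017-02-01T12:00:00Z"
    Destination="{destination}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#{signed_id}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-02-01T11:59:00Z" NotOnOrAfter="2017-02-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("valid:", check_saml_response(sample_response(), ACS_URL, SP_ENTITY_ID, EXAMPLE_NOW))
    print("wrong destination:", check_saml_response(
        sample_response("https://other.example.com/acs"), ACS_URL, SP_ENTITY_ID, EXAMPLE_NOW))
    print("reference elsewhere:", check_saml_response(
        sample_response(signed_id="_elsewhere"), ACS_URL, SP_ENTITY_ID, EXAMPLE_NOW))
```

Returning a list of reasons rather than a boolean keeps the checks independent, so a failed Destination check does not hide an expired assertion; the relying party should still refuse the login on any non-empty result.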
- babeld, codeload, and ruby processes could crash.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- ghe-migrator now scrubs access tokens from the logs.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- babeld service to segmentation fault under certain circumstances.
- pre-receive hook would have failed with the error "Something went wrong with the request. Please try again."
- redis performance statistics. This resulted in excessive logging to the collectd log files.
- /setup/api/settings API endpoint failed to apply when applying at the same time as uploading the license for the first time.
- git operations with the SSH protocol. In GitHub Enterprise 2.8, the remote URL for SSH only works for the git user. (updated 2016-12-12)
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- 404 Not Found page incorrectly referred to status.github.com.
- audit.log.
- upload-pack events were missing from audit.log.
- ghe-cluster-config-apply could restart services when the application configuration has not changed.
- memcached was stopped.
- site_admin scope for personal access tokens.
- ghe-migrator.
- /stafftools page.
- git operations with the SSH protocol. In GitHub Enterprise 2.8, the remote URL for SSH only works for the git user. (updated 2016-12-12)
- backup-utils-2.8.2 or greater.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Thanks!
The GitHub Team
- git operations with the SSH protocol. In GitHub Enterprise 2.8, the remote URL for SSH only works for the git user. (updated 2016-12-12)
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- User.failed_login events aren't recorded in the audit log when using LDAP authentication. (updated 2016-11-18)
Thanks!
The GitHub Team
With the new features added in GitHub Enterprise 2.8.0, you can:
- LICENSE file to your project and have it displayed at the top of the repository page.
- ghe-update-check utility returned an incorrect message, you must first upgrade to , when it was not necessary.
- memcached would remain stopped after a crash (e.g. via OOM kill).
- Content-Type.
- ghe-console and ghe-dbconsole utilities have been updated with an interactive disclaimer.
- memcached, snmpd, and graphite-web services run as an unprivileged user.
- ghe-config does not require sudo.
- git operations with the SSH protocol. In GitHub Enterprise 2.8, the remote URL for SSH only works for the git user. (updated 2016-12-12)
GitHub Enterprise 2.8 requires at least GitHub Enterprise Backup Utilities 2.8.0 for Backups and Disaster Recovery.
GitHub Enterprise 2.3 was deprecated as of November 1, 2016. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
GitHub Enterprise 2.4 will be deprecated as of February 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- User.failed_login events aren't recorded in the audit log when using LDAP authentication. (updated 2016-11-18)
Thanks!
The GitHub Team