The 2.1.2 release for GitHub Enterprise is now available for download from https://enterprise.github.com/download. See the 2.1.0 release notes for important changes in this release series. The full release notes for 2.1.2 follow:
- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- The ghe-org-owner-promote command line utility is currently broken.
- [...] github_audit log stream are being logged twice.
- ghe-upgrade [...].

Thanks!
The GitHub Team
The 2.1.1 release for GitHub Enterprise is now available for download from https://enterprise.github.com/download. See the 2.1.0 release notes for important changes in this release series. The full release notes for 2.1.1 follow:
- [...] NameID, but didn't include email as a released attribute, users could sign in the first time but couldn't sign in again after signing out.
- [...] $, _, . [...]
- The From: address was wrong in notification emails if the "no-reply" email address was configured, using the SMTP HELO domain instead.
- ghe-repl-status was missing how far behind replication was.
- [...] undefined instead of the hostname and Ruby version.
- [...] nice [...] so it won't affect anything else).
- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- The ghe-org-owner-promote command line utility is currently broken.
- [...] github_audit log stream are being logged twice.
- ghe-upgrade [...].
- [...] gethostbyname [...]. Also known as the GHOST vulnerability.

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
Thanks!
The GitHub Team
The following important security vulnerabilities have been fixed in the 2.1.1 release:
- [...] gethostbyname [...]. Also known as the GHOST vulnerability.

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
If you have any questions, please contact support at enterprise@github.com
Thanks!
The GitHub Team
The 2.0.6 release for GitHub Enterprise is now available for download from https://enterprise.github.com/download. The full release notes for 2.0.6 follow:
- [...] NameID, but didn't include email as a released attribute, users could sign in the first time but couldn't sign in again after signing out.
- ghe-repl-status was really slow. We made it faster.
- ghe-repl-status was missing how far behind replication was.
- [...] github_audit log stream.
- [...] undefined instead of the hostname and Ruby version.
- [...] nice [...] so it won't affect anything else).
- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- The ghe-org-owner-promote command line utility is currently broken.
- [...] github_audit log stream are being logged twice.
- ghe-upgrade [...].
- [...] gethostbyname [...]. Also known as the GHOST vulnerability.

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
Thanks!
The GitHub Team
The following important security vulnerabilities have been fixed in the 2.0.6 release:
- [...] gethostbyname [...]. Also known as the GHOST vulnerability.

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
If you have any questions, please contact support at enterprise@github.com
Thanks!
The GitHub Team
The following important security vulnerability has been fixed in the 11.10.352 release:
- [...] gethostbyname [...]. Also known as the GHOST vulnerability.

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
If you have any questions, please contact support at enterprise@github.com
Thanks!
The GitHub Team
With the new features added in GitHub Enterprise 2.1.0, you can:
- [...] /pulls and /issues dashboard pages.
- [...] ghe-btop command line utility.
- ghe-repl-status was really slow. We made it faster.
- [...] github_audit log stream.

To keep GitHub Enterprise as secure as possible, we have removed support for the cryptographically weak RC4 cipher in our SSL configuration. With the removal of RC4, Internet Explorer on Windows XP will no longer be able to access GitHub Enterprise. You can read more about this change in our announcement on GitHub.com.
- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- The ghe-org-owner-promote command line utility is currently broken.
- [...] github_audit log stream are being logged twice.
- ghe-upgrade [...].

The GitHub Team
- [...] ntpd [...].

Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet with malicious arbitrary code that will execute at the privilege level of the ntpd process.
This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.
Mitigation
If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:
sudo ufw delete allow ghe-123
If you have any questions, please contact support at enterprise@github.com
- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- ghe-upgrade [...].
- ghe-upgrade [...] runs even though the license file is present.
- [...] ntpd [...].

Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet with malicious arbitrary code that will execute at the privilege level of the ntpd process.
This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.
Mitigation
If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:
sudo ufw delete allow ghe-123
The rule will be re-enabled if settings are saved or a configuration run is performed. To prevent the rule from being restored, SSH into the appliance and run:
sudo rm /data/enterprise/cookbooks/ufw/files/default/ufw_apps/ghe-123
sudo rm /etc/ufw/applications.d/ghe-123
If you have any questions, please contact support at enterprise@github.com
Yesterday a critical Git security vulnerability was announced that affects all versions of the official Git client and all related software that interacts with Git repositories.
While GitHub Enterprise itself is not directly affected, it may be used as a distribution point for an attacker to reach unpatched clients. This release detects and blocks malicious trees from being pushed to an Enterprise instance, eliminating it as an attack vector.
It is critical to note that this release only provides mitigation against low-level attacks where a user with write access could attempt to push malicious files to a GitHub Enterprise instance. It does not prevent interactions with malicious external Git servers that can open up command-line level attack vectors, as those must be dealt with at the Git client level.
For full protection, we strongly recommend you ensure that all developers update their Git clients, in addition to upgrading to this release. Installing this update alone does not mean your organization is fully safe against this vulnerability. The only way to make sure none of your developers are vulnerable is to have everyone upgrade their Git client.
More details on the vulnerability can be found in the official Git mailing list announcement, on the git-blame blog, and on the GitHub blog.
If you have any questions, please contact support at enterprise@github.com
- [...] default.
- [...] s rather than any key to start network setup.
- [...] /usr/local/bin/ghe-btop utility to query the status of babeld.
- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- ghe-upgrade [...].
- ghe-upgrade [...] runs even though the license file is present.

Yesterday a critical Git security vulnerability was announced that affects all versions of the official Git client and all related software that interacts with Git repositories.
While GitHub Enterprise itself is not directly affected, it may be used as a distribution point for an attacker to reach unpatched clients. This release detects and blocks malicious trees from being pushed to an Enterprise instance, eliminating it as an attack vector.
It is critical to note that this release only provides mitigation against low-level attacks where a user with write access could attempt to push malicious files to a GitHub Enterprise instance. It does not prevent interactions with malicious external Git servers that can open up command-line level attack vectors, as those must be dealt with at the Git client level.
For full protection, we strongly recommend you ensure that all developers update their Git clients, in addition to upgrading to this release. Installing this update alone does not mean your organization is fully safe against this vulnerability. The only way to make sure none of your developers are vulnerable is to have everyone upgrade their Git client.
More details on the vulnerability can be found in the official Git mailing list announcement, on the git-blame blog, and on the GitHub blog.
If you have any questions, please contact support at enterprise@github.com
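The two advisory posts above say the release "detects and blocks malicious trees" but not how. As an added example (not GitHub Enterprise's own implementation), here is a simplified server-side check of the kind a pre-receive hook can run: it flags tree entries that a case-insensitive filesystem, NTFS (trailing dots/spaces, the git~1 short name, alternate data streams) or HFS+ (ignored code points) would map onto .git. The rule set and the sample tree listing are assumptions constructed for the example.

```python
"""Flag tree entries a client filesystem could treat as the .git directory.

Added example, not GitHub Enterprise's code. The rules are a simplified,
assumed version of the checks Git clients adopted; a real hook would feed
`git ls-tree -r --name-only <sha>` output into rejected_paths().
"""
from typing import Iterable, List

# Code points HFS+ ignores when comparing file names (assumed set).
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070))
)


def is_hfs_dotgit(name: str) -> bool:
    """HFS+ folds case and skips ignorable code points, so ".g\u200cIt" is ".git"."""
    stripped = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    return stripped.lower() == ".git"


def is_ntfs_dotgit(name: str) -> bool:
    """NTFS drops trailing dots/spaces, ignores case, exposes git~1 as the
    8.3 short name, and ":stream" suffixes address the same directory."""
    base = name.split(":", 1)[0].rstrip(". ").lower()
    return base in (".git", "git~1")


def is_dotgit_alias(name: str) -> bool:
    """True if any supported filesystem would treat this component as .git."""
    return is_hfs_dotgit(name) or is_ntfs_dotgit(name)


def rejected_paths(paths: Iterable[str]) -> List[str]:
    """Return the tree paths containing a component that must be blocked."""
    return [p for p in paths if any(is_dotgit_alias(c) for c in p.split("/"))]


# Constructed sample tree listing: legitimate names beside the look-alikes.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",
    "notes/.github/workflows.yml",
    ".Git/hooks/post-checkout",
    "git~1/config",
    ".git./HEAD",
    ".g\u200cit/hooks/post-checkout",
]

if __name__ == "__main__":
    for path in rejected_paths(SAMPLE_TREE):
        print("REJECT:", ascii(path))
```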
- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- ghe-upgrade [...].
- ghe-upgrade [...] runs even though the license file is present.
- The ghe-user-csv command line utility didn't include email addresses in some circumstances.
- [...] ghe-restore, maintenance mode was automatically enabled, which could be confusing. Maintenance mode now has to be enabled manually through the management console, using the management console API, or using the ghe-maintenance command line utility.
- ghe-upgrade expects the upgrade filename to be github-enterprise-esx-2.0.2.pkg on VMWare or github-enterprise-ami-2.0.2.pkg on AWS.

- ghe-repl-setup [...] to hang.
- ghe-repl-promote [...].
- ghe-upgrade [...].
- ghe-upgrade [...] runs even though the license file is present.
- collectd and log data were not preserved through upgrades.
- [...] Z for compliance with the SAML Core 1.3.3 standard.
- [...] ghe-mysql-checksum script to checksum InnoDB tables.

Major change: DNS settings are no longer configured via the Management Console, and any custom nameservers specified via the console will be lost after upgrading to 2.0.1.
When configured to use DHCP, GitHub Enterprise now relies on the DNS nameservers provided by the DHCP server. This is the default configuration for GitHub on AWS, and no changes are required when upgrading an EC2 instance.
If you are using DHCP on VMWare and your server does not provide nameservers, or if you need custom nameservers that are different from your DHCP lease, please add them to /etc/resolvconf/resolv.conf.d/head after upgrading.
If you are using a static IP configuration, please reconfigure static network configuration after upgrading to 2.0.1, either via tty1 or sudo ghe-setup-network -v.
Note: You may also choose to add custom nameservers to /etc/resolvconf/resolv.conf.d/head before running ghe-upgrade. These settings will be retained across the upgrade to 2.0.1 and future releases.
The 2.0.1 release ships with some known issues that we were unable to fix before release. If any of these will cause major problems for your organization, we recommend waiting for 2.1.0 or 2.0.2 before upgrading.
- ghe-restore should require that maintenance mode is enabled before restoring.
- ghe-repl-status-git is CPU intensive and may be slow on the primary node.
- The ghe-user-csv script doesn't return valid email addresses.
- [...] servolux filename:Gemfile [...].
- [...] ghe-upgrade command-line tool over SSH.
- [...] sudo access to perform regular administrative tasks and troubleshooting.

Supported LDAP servers are now Active Directory, FreeIPA, Oracle Directory Server Enterprise Edition, OpenLDAP, Open Directory and 389 Directory Server. These are the servers that we will test before shipping a GitHub Enterprise release. If you need support for another LDAP server please contact GitHub Enterprise Support.
Enterprise 2.0 OVAs will no longer run with VirtualBox. VirtualBox has previously offered a poor customer experience for GitHub Enterprise. The supported hypervisors are VMware ESX and Amazon Web Service's EC2. VMware desktop products (e.g. VMware Workstation, VMware Fusion, VMware Player) are supported for trial purposes but should not be used in production.
The 2.0.0 release ships with some known issues that we were unable to fix before release. If any of these will cause major problems for your organization, we recommend waiting for 2.1.0 or 2.0.1 before upgrading.
- ghe-restore should require that maintenance mode is enabled before restoring.
- ghe-repl-status-git is CPU intensive and may be slow on the primary node.
- collectd data is not preserved through upgrades.
- The ghe-user-csv script doesn't return valid email addresses.

A bug in Chrome caused our security middleware to incorrectly forbid file uploads, causing an empty response. This could cause initial installation, upgrades, or unlocking with a license file to fail for all instances using the 11.10.320 OVA. The bug is fixed in the 11.10.320.1 OVA included with this release.
Google researchers have found a critical vulnerability in the SSLv3 protocol. This protocol is very old and has been replaced with TLS 1.0, 1.1 and 1.2. Due to the vulnerability we have disabled SSLv3 support by default in 11.10.348.
We strongly recommend against reenabling SSLv3, but if legacy software still needs it after upgrading to 11.10.348, the following steps will reenable it:
ghe-unlock
WARNING: This command opens root access to the admin user via sudo. It is
provided as a troubleshooting facility and should be used only under the
guidance of GitHub Enterprise support.
While unlocked, any user with admin SSH access will have full root access to
the VM. Please use with caution and run the ghe-lock command when finished to
prevent accidental modification of system files.
Do you understand? [Y/n] Y
Okay. Full sudo access via the admin user is now enabled.
Replace the line ssl_protocols TLSv1 TLSv1.1 TLSv1.2; in /etc/nginx/sites-enabled/github.conf with ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;:
sudo sed 's/ssl_protocols TLSv1 TLSv1.1 TLSv1.2/ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2/' -i /etc/nginx/sites-enabled/github.conf
sudo service nginx reload
You can verify if the change was successful by running the following command from outside the instance:
openssl s_client -connect my-enterprise-instance:443 -ssl3
This should show a message similar to the following:
CONNECTED(00000003)
..
Server certificate
-----BEGIN CERTIFICATE-----
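The sed above turns SSLv3 back on in github.conf, and the 2.1.0 notes above describe the matching removal of RC4 from the cipher list. As an added example (not GitHub's own tooling), the script below audits an nginx site config for both weak settings and rewrites the directives back to the hardened form, which is the state you want to confirm once the legacy software is retired. The sample config and its ssl_ciphers value are constructed assumptions, not the appliance's real list.

```python
"""Audit and harden the TLS directives of an nginx site config.

Added example, not GitHub's code: checks the ssl_protocols line from
/etc/nginx/sites-enabled/github.conf for SSLv3 and the ssl_ciphers line
for RC4, and rewrites both the way the upgrade leaves them.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of github.conf after the SSLv3 re-enable
# step above; the ssl_ciphers value is an assumption for the example.
WEAK_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:AES128-SHA:!aNULL;
}
"""

# One ssl_protocols / ssl_ciphers directive per line, indentation preserved.
TLS_DIRECTIVE = re.compile(
    r"^([ \t]*)(ssl_protocols|ssl_ciphers)[ \t]+([^;]+);", re.M
)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_tls_directives(conf: str) -> Dict[str, List[str]]:
    """Return {directive: tokens}; protocols split on whitespace, ciphers on ':'."""
    found: Dict[str, List[str]] = {}
    for _indent, name, value in TLS_DIRECTIVE.findall(conf):
        found[name] = value.split(":") if name == "ssl_ciphers" else value.split()
    return found


def audit(conf: str) -> List[str]:
    """List the weak settings the release notes above warn about."""
    findings: List[str] = []
    directives = parse_tls_directives(conf)
    if "ssl_protocols" not in directives:
        findings.append("ssl_protocols is not set explicitly")
    for proto in directives.get("ssl_protocols", []):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"ssl_protocols enables {proto}")
    for suite in directives.get("ssl_ciphers", []):
        # "!RC4" excludes the family; a bare RC4 suite name enables it.
        if "RC4" in suite and not suite.startswith("!"):
            findings.append(f"ssl_ciphers enables {suite}")
    return findings


def harden(conf: str) -> str:
    """Drop SSLv2/SSLv3 and RC4 suites in place (the inverse of the sed above)."""
    def rewrite(m):
        indent, name, value = m.groups()
        if name == "ssl_protocols":
            tokens = [p for p in value.split() if p not in LEGACY_PROTOCOLS]
            return f"{indent}{name} {' '.join(tokens)};"
        tokens = [c for c in value.split(":") if "RC4" not in c]
        tokens.append("!RC4")  # exclude the whole family by name as well
        return f"{indent}{name} {':'.join(tokens)};"
    return TLS_DIRECTIVE.sub(rewrite, conf)


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("WEAK:", finding)
    print(harden(WEAK_CONF))
```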
- [...] posixGroup membership checks failed improperly.

This release also includes all features and bug fixes from 11.10.340, including:
- [...] go-import meta tag.
- [...] posixGroup and groupOfUniqueNames in addition to the current groupOfNames.
- [...] Mirrors filter on repositories listing.

The ChangeCipherSpec vulnerability in the OpenSSL library allows third parties to perform man-in-the-middle attacks. In other words, if attackers can intercept encrypted network traffic they can decrypt it without their victims knowing.
This attack only works on servers that use OpenSSL version 1.0.1 or later. The version at the client doesn't matter. GitHub Enterprise itself is not vulnerable because it ships with OpenSSL 1.0.0.
However, webhooks might be vulnerable to this attack. If the server that is the target of the webhook is running a vulnerable version of OpenSSL and an attacker can intercept network traffic, they would be able to decrypt the communication.
We care about the security of our customers and therefore decided that even though the risk is minimal the best solution is to issue an update.
GitHub Enterprise is not (and was not) affected by the Heartbleed vulnerability. The version of OpenSSL included with the appliance is not vulnerable to the attack. Please contact us at enterprise@github.com if we can help elaborate on this in any way.
- [...] rel=facebox in user-editable content.

Last month GitHub launched a Security Bug Bounty program, which has been wildly successful in identifying a number of security vulnerabilities ranging from low to critical risk on GitHub.com. To get these fixes to you more quickly, we've pushed the 11.10.330 Feature Release back to 11.10.340. Between now and then, we'll be using the 11.10.33x series for further security/bugfix releases.
This release addresses the following issues:
- The dotcom_user session cookie wasn't being removed on logout.
- ghe-user-demote was demoting admins improperly (they still lost admin privileges).
- The audit.log file was unreadable by the admin SSH user.
- The ghe-es-reindex utility wasn't applying to all search indexes.
- [...] ghe-es-reset utility since its functionality has been superseded by ghe-es-reindex.

Additional information is available here.
- [...] packSizeLimit [...]. This should result in better performance for very large repositories.
- [...] .keep file check to ghe-cleanup-repos.
- [...] /applications API endpoint to fail when Private Mode was enabled.
- [...] .profile wasn't being managed which could lead to a broken PATH.
- ghe-import-mysql would fail with max_allowed_packet errors.
- [...] ssh-keygen -lf output.
- ghe-export-repositories [...].
- [...] ghe-import and ghe-export meta utilities that were broken and shouldn't be used over the more specific ghe-{import,export}-* utilities.
- [...] /setup/* by search indexing robots is now prevented.
- [...] --mirror git push operations for repositories with large numbers of refs to take extremely long.
- [...] ghe-cleanup-repos utility to detect zero byte ref files and fix them when possible.
- [...] nil in webhook API payloads if the owner was an organization.
- [...] auth.log and production.log files in the stream.
- ghe-cleanup-caches [...].
- The ghe-cleanup-repos utility threw errors when trying to clean up repositories that were in the database, but not on disk.
- ghe-export-pages wouldn't provide any feedback when no pages data existed.

Additional information is available here.
- [...] ghe-ssl-ca-certificate to install custom root CA certificates.
- [...] complete parameter to the configure Management Console API call to force a full configuration.
- [...] ohai error that showed up when generating a Support Bundle via ghe-support-bundle.
- ghe-es-status for detecting and fixing common ElasticSearch issues.
- ghe-es-reindex for reindexing all items in ElasticSearch.
- ghe-check-disk-usage for finding large files consuming space on the root volume.
- [...] ghe-user-{promote,demote} and ghe-user-{suspend,unsuspend} utilities.

Additional information is available here.
- [...] ghe-cleanup-repos utility where affected repos weren't being deleted from the database.
- The ghe-user-csv utility will now always output all fields. Added repository count, ssh key count, and organization membership count columns. Use the -h flag to view new options.
- [...] du command as root)
- [...] ghe-user-csv and ghe-grow-root utilities.

Additional information is available here.
Initial release.