Last month GitHub launched a Security Bug Bounty program, which has been wildly successful in identifying a number of security vulnerabilities ranging from low to critical risk on GitHub.com. To get these fixes to you more quickly, we've pushed the 11.10.330 Feature Release back to 11.10.340. Between now and then, we'll be using the 11.10.33x series for further security/bugfix releases.

This release addresses the following issues:

Security

• CRIT: Root exploit vulnerability.
• CRIT: Authentication bypass vulnerability for LDAP under certain conditions.
• HIGH: Gist vulnerability that could grant access to private repos under a targeted chain attack.
• HIGH: Content Security Policy (CSP) bypass vulnerability.
• HIGH: Flash Cross Site Scripting (XSS) vulnerability for raw blobs.
• HIGH: DOM-based XSS + CSP bypass vulnerability.
• MED: JSONP callback vulnerability that could result in arbitrary Flash execution.
• MED: OAuth URL parsing open redirect vulnerability.
• MED: Vulnerability where raw gist content could be viewed without authentication for public gists when Private Mode was enabled.
• LOW: Issue where the dotcom_user session cookie wasn't being removed on logout.
• LOW: Open redirect vulnerability.
• LOW: SSH key audit verification CSRF vulnerability.
• LOW: Contributor Graph XSS vulnerability.
• LOW: OAuth URL parsing path traversal vulnerability.
• LOW: Login open redirect vulnerability.
• LOW: OAuth subdomain bypass vulnerability.
• LOW: Java updated to pull in a variety of security and bug fixes.

General

• ghe-user-demote was demoting admins improperly (they still lost admin privileges).
• The audit.log file was unreadable by the admin SSH user.

GitHub

• Pull request mergeability checks were failing under some conditions when opening new pull requests.
• System emails being sent to a user with no primary email set would cause an error.
• Exceptions weren't being reported properly in some cases.
• Audit log data wasn't being printed as valid JSON.

Authentication

• The first LDAP user who logged in wasn't being auto-promoted to Site Admin if no Admin Group was specified.
• Not all errors were displayed if any were encountered when a user first signed in under LDAP.
• GitHub for Mac would fail to authenticate properly if Private Mode was enabled.
• GitHub for Mac would fail to authenticate properly with user logins that had to be normalized (e.g., had a period or underscore in them).

Git

• Git push performance regression affecting repositories with large numbers of refs (branches/tags).

API

• API scope validation issue producing false positives.