GitHub Enterprise 11.10.351 December 22, 2014 Download

Security Fixes

NTP vulnerability

Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet with malicious arbitrary code that will execute at the privilege level of the ntpd process.

This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.

More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.

Mitigation
If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:

sudo ufw delete allow ghe-123

The rule will be re-enabled if settings are saved or a configuration run is performed. To prevent the rule from being restored, SSH into the appliance and run:

sudo rm /data/enterprise/cookbooks/ufw/files/default/ufw_apps/ghe-123
sudo rm /etc/ufw/applications.d/ghe-123

If you have any questions, please contact support at [email protected]