The 2.13 series release notes contain important changes in this release series.
A file path traversal vulnerability in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could be used to escalate further and execute arbitrary commands on the GitHub Enterprise appliance.
The affected supported versions are:
- 2.12.0 - 2.12.17
- 2.13.0 - 2.13.9
- 2.14.0 - 2.14.3
GitHub Enterprise 2.11 is not vulnerable.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.18, 2.13.10, 2.14.4, or greater.
Security Fixes
- CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files.
- MEDIUM: Access may have been inadvertently granted to internal IP addresses of GitHub Enterprise. The fix removed any access grants via an IP address.
- LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
- Packages have been updated to the latest security versions.
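The tab-nabbing item above concerns links rendered from user-supplied Markdown that open another origin while leaving window.opener reachable. As an added illustration (not GitHub Enterprise code) of the usual mitigation, the following post-processes rendered HTML so that every anchor that opens in a new tab or points off the appliance host carries rel="noopener noreferrer"; the appliance host name and the double-quoted attribute format of the rendered anchors are assumptions.

```javascript
// Added example, not GitHub Enterprise code. Harden anchors in HTML rendered from
// user-supplied Markdown so the linked page cannot reach back via window.opener.
// Assumes the renderer emits anchors with double-quoted attributes, as sanitised
// Markdown output normally does; regex rewriting is not safe on arbitrary HTML.
const APPLIANCE_HOST = "ghe.example.internal"; // assumption: the appliance's own host

// Parse the attribute list of one <a ...> tag into an insertion-ordered Map.
function parseAttrs(attrText) {
  const attrs = new Map();
  const re = /([^\s=]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] === undefined ? "" : m[2]);
  }
  return attrs;
}

// A link is external when its host, resolved against the appliance, differs.
function isExternal(href, host) {
  try {
    return new URL(href, `https://${host}/`).host !== host;
  } catch {
    return true; // unparsable href: treat as external and harden it
  }
}

// Rewrite a single "<a ...>" tag, adding noopener/noreferrer where needed.
function hardenAnchor(tag, host = APPLIANCE_HOST) {
  const attrs = parseAttrs(tag.slice(2, -1)); // strip "<a" and ">"
  const href = attrs.get("href") ?? "";
  if (attrs.get("target") === "_blank" || isExternal(href, host)) {
    const rel = new Set((attrs.get("rel") ?? "").split(/\s+/).filter(Boolean));
    rel.add("noopener").add("noreferrer");
    attrs.set("rel", [...rel].join(" "));
  }
  const rendered = [...attrs].map(([k, v]) => `${k}="${v}"`).join(" ");
  return `<a ${rendered}>`;
}

// Apply hardenAnchor to every anchor in a rendered HTML fragment.
function hardenLinks(html, host = APPLIANCE_HOST) {
  return html.replace(/<a\s[^>]*>/gi, (tag) => hardenAnchor(tag, host));
}

// Constructed sample: one off-host link opening a new tab, one internal link.
const SAMPLE = '<p><a href="https://other.example" target="_blank">x</a> <a href="/wiki">y</a></p>';
console.log(hardenLinks(SAMPLE));
```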
Bug Fixes
- Corrupted Consul configuration data could prevent appliance configuration changes from completing successfully.
- Deleting an SNMPv3 user via ghe-snmpv3-remove-user did not remove all account data, preventing administrators from updating the password for the SNMPv3 user.
- Terminating the ghe-set-password command could result in unexpected shell behavior.
- Messages sent from the email service hook failed due to a recent security update.
- Adding a new integration failed if the license seat limit was reached.
Known Issues
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments are missing from an import with ghe-migrator.
- The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
Thanks!
The GitHub Team