The 2.5 series release notes contain important changes in this release series.
An issue was identified that could allow an attacker to execute arbitrary commands on the GitHub Enterprise appliance. This vulnerability exists in the Management Console, which is accessible on ports 8080 and 8443. This is only applicable to GitHub Enterprise 2.5.0, 2.5.1, 2.5.2, and 2.5.3.
We strongly recommend you upgrade your GitHub Enterprise appliance to GitHub Enterprise 2.5.4 immediately.
This vulnerability was reported to our GitHub Security Bug Bounty program and we have no evidence that it has been exploited in the wild.
If you're unable to upgrade immediately, the issue can be mitigated by blocking traffic to ports 8080 and 8443 from any untrusted IP addresses. If your GitHub Enterprise appliance is behind a firewall device, you can block inbound requests to ports 8080 and 8443 and allow trusted IP addresses. Alternatively, you can do this directly on the appliance:
1. SSH to your GitHub Enterprise appliance.
2. Block all traffic to ports 8080 and 8443:
$ sudo ufw insert 1 deny proto tcp from any to any port 8080,8443
3. Allow a trusted IP address to access the Management Console, replacing <IPADDRESS> with that address:
$ sudo ufw insert 1 allow proto tcp from <IPADDRESS> to any port 8080,8443
To remove the mitigation on your appliance:
1. SSH to your GitHub Enterprise appliance.
2. Identify the numbered firewall rule to remove:
$ sudo ufw status numbered | grep '8080,8443/tcp' | grep DENY | head -n1
3. Remove the firewall rule, replacing <NUMBER> with the rule number found in step 2:
$ sudo ufw delete <NUMBER>
4. Repeat steps 2 and 3 until the firewall rules from step 2 of the mitigation have been removed.
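The following helpers wrap the mitigation and its removal so that the DENY rule numbers are parsed from `ufw status numbered` instead of copied by hand, and so that rules are deleted highest-number first (deleting a rule renumbers the rules after it). This is an added example, not part of GitHub's release notes; the sample `ufw status numbered` output is constructed, and the `[ N] ... DENY IN ...` line format it assumes is the one ufw prints.

```shell
#!/bin/sh
# Added example, not from GitHub's release notes: helpers around the ufw
# mitigation above. Assumes `ufw status numbered` prints lines such as
# "[ 2] 8080,8443/tcp   DENY IN   Anywhere".

# Print the two commands that apply the mitigation for one trusted IP.
# ufw uses first-match order: the DENY rule goes in first and the ALLOW rule
# is then inserted above it, so keep this order.
apply_mitigation_commands() {
    ip="$1"
    printf 'sudo ufw insert 1 deny proto tcp from any to any port 8080,8443\n'
    printf 'sudo ufw insert 1 allow proto tcp from %s to any port 8080,8443\n' "$ip"
}

# Read `ufw status numbered` output on stdin and print the number of every
# DENY rule covering 8080,8443/tcp, highest first. Deleting a rule renumbers
# the ones after it, so descending order keeps the remaining numbers valid.
deny_rule_numbers() {
    grep '8080,8443/tcp' | grep DENY \
        | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' | sort -rn
}

# Exit 0 when at least one such DENY rule is present (mitigation in place).
mitigation_present() {
    [ -n "$(deny_rule_numbers)" ]
}

# Print the delete commands that remove the mitigation, in safe order.
remove_mitigation_commands() {
    deny_rule_numbers | while read -r n; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Constructed sample of `ufw status numbered` output (not from a real
# appliance) so the helpers can be exercised offline.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 8080,8443/tcp              ALLOW IN    203.0.113.10
[ 2] 8080,8443/tcp              DENY IN     Anywhere
[ 3] 122/tcp                    ALLOW IN    Anywhere
[ 4] 8080,8443/tcp (v6)         DENY IN     Anywhere (v6)'

# On the appliance: sudo ufw status numbered | remove_mitigation_commands | sh
printf '%s\n' "$SAMPLE_STATUS" | remove_mitigation_commands
```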
Please contact GitHub Enterprise Support if you have any questions.
svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
Thanks!
The GitHub Team