
This version of GitHub Enterprise was discontinued on 2021-03-02. No patches will be released, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with upgrading, contact GitHub Enterprise Support.

2.20 Release notes


Enterprise Server 2.20.24

Download

March 01, 2021

  • HIGH: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization owned private repositories. Branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability has been assigned CVE-2021-22861. This issue was reported via the GitHub Bug Bounty Program.

  • HIGH: An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability has been assigned CVE-2021-22863. This issue was reported via the GitHub Bug Bounty Program.

  • HIGH: A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages was not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability has been assigned CVE-2020-10519 and was reported via the GitHub Bug Bounty Program.

  • LOW: A specially crafted request to the SVN bridge could trigger a long wait before failure resulting in Denial of Service (DoS).

  • Packages have been updated to the latest security versions.

  • An informational message was unintentionally logged as an error during GitHub Enterprise Backup Utilities snapshots, which resulted in unnecessary emails being sent when backups were scheduled by cron jobs that listen for output to stderr.

  • While restoring a large backup, exception logging related to Redis memory exhaustion could cause the restore to fail due to a full disk.

  • When editing a wiki page, a user could experience a 500 error when clicking the Save button.

  • An S/MIME signed commit using a certificate with multiple names in the subject alternative name would incorrectly show as "Unverified" in the commit badge.

  • A suspended user was sent emails when added to a team.

  • When uploading a new license file with a different number of seats from the previous license file, the seat difference was not correctly represented in the enterprise account Settings -> License page.

  • The "Prevent repository admins from changing anonymous Git read access" checkbox available in the enterprise account settings could not be successfully enabled or disabled.

  • During a leap year, the user was getting a 404 response when trying to view Contribution activity on a Monday.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.
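Both 2.20.24 access-control advisories above name the same two mitigations: forking disabled for organization-owned private repositories, and branch protection with required reviews or status checks. The audit below is an added example, not code shipped with GitHub Enterprise Server: it walks data already fetched from the REST API and lists every place where one of those mitigations is missing. The input is constructed. The field names `members_can_fork_private_repositories` (on the organization object) and `allow_forking` (on the repository object) are assumed to match the current REST API and may not exist in the 2.20 series; an unprotected default branch is represented as `None`, since the branch-protection endpoint answers 404 for it.

```python
"""Audit fork settings and default-branch protection from REST API data."""
from typing import Dict, List, Optional


def audit_org(org: Dict, repos: List[Dict],
              protections: Dict[str, Optional[Dict]]) -> List[str]:
    """Return one finding per missing mitigation.

    `protections` maps a repository's full_name to the JSON of
    GET /repos/{owner}/{repo}/branches/{default_branch}/protection,
    or None when that endpoint returned 404 (branch unprotected).
    """
    findings: List[str] = []
    # Org-wide switch (assumed field name). Missing is treated as enabled,
    # so an unknown state is reported rather than silently passed.
    if org.get("members_can_fork_private_repositories", True):
        findings.append(f"{org['login']}: members can fork private repositories")
    for repo in repos:
        name = repo["full_name"]
        # Per-repository switch (assumed field name); only private repos matter here.
        if repo.get("private") and repo.get("allow_forking"):
            findings.append(f"{name}: private repository allows forking")
        prot = protections.get(name)
        if prot is None:
            findings.append(
                f"{name}: default branch {repo['default_branch']!r} is unprotected")
            continue
        # Both sub-objects are null in the API when that rule is not configured.
        reviews = prot.get("required_pull_request_reviews") or {}
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append(f"{name}: no required pull request reviews")
        checks = prot.get("required_status_checks") or {}
        if not checks.get("contexts"):
            findings.append(f"{name}: no required status checks")
    return findings


# Constructed sample data in the shape of the REST API responses.
ORG = {"login": "acme", "members_can_fork_private_repositories": False}
REPOS = [
    {"full_name": "acme/payments", "private": True, "allow_forking": False,
     "default_branch": "main"},
    {"full_name": "acme/website", "private": False, "allow_forking": True,
     "default_branch": "main"},
    {"full_name": "acme/legacy", "private": True, "allow_forking": True,
     "default_branch": "master"},
]
PROTECTIONS = {
    "acme/payments": {
        "required_pull_request_reviews": {"required_approving_review_count": 2},
        "required_status_checks": {"contexts": ["ci/build"]},
    },
    "acme/website": {
        "required_pull_request_reviews": None,
        "required_status_checks": {"contexts": ["ci/build"]},
    },
    "acme/legacy": None,  # endpoint returned 404: no protection at all
}

if __name__ == "__main__":
    for finding in audit_org(ORG, REPOS, PROTECTIONS):
        print(finding)
```

Run it against the constructed data and it reports three findings: `acme/website` lacks required reviews, and `acme/legacy` both allows forks and has an unprotected default branch. Feed it the real API responses for each organization to get the same list for an instance.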

Enterprise Server 2.20.23

Download

December 16, 2020

  • LOW: High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS).

  • Packages have been updated to the latest security versions.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.22

Download

December 02, 2020

  • Authorization service was being detected as unhealthy due to a race condition in the bootstrap which led to restart of the service.

  • An underlying behavior was causing a service to become unavailable during the hotpatch upgrade process.

  • A subset of log forwarding SSL certificates was not being applied correctly.

  • Email notifications were sent to suspended users when they were removed from a Team or an Organization.

  • The way SSH certificates were applied between Organizations and Businesses was inconsistent.

  • When an account was rate limited due to using incorrect passwords, it could be locked out for up to 24 hours.

  • Pull request synchronization on repositories with many references could cause worker queues to fall behind.

  • When signing in after attempting to visit a specific page, people were sent to the home page instead of their intended destination.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.21

Download

November 16, 2020

  • Packages have been updated to the latest security versions.

  • The babeld logs were missing a separator between seconds and microseconds.

  • When the enterprise account "Repository visibility change" policy was set to "Enabled", organization owners could not change the visibility of repositories within the organization.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.20

Download

November 02, 2020

  • MEDIUM: High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS).

  • LOW: Incorrect token validation resulted in a reduced entropy for matching tokens during authentication. Analysis shows that in practice there's no significant security risk here.

  • Packages have been updated to the latest security versions.

  • Suspended users were included in the list of suggested users, potentially hiding unsuspended users.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.19

Download

October 19, 2020

  • Packages have been updated to the latest security versions.

  • The enterprise account "Confirm two-factor requirement policy" messaging was incorrect.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.18

Download

October 08, 2020

  • A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account.

  • Packages have been updated to the latest security versions.

  • The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent".

  • Saving settings via the management console would append a newline to the TLS/SSL certificate and key files which triggered unnecessary reloading of some services.

  • System logs for Dependency Graph were not rotating, allowing unbounded storage growth.

  • Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of GitHub.com, directing the user to a nonexistent URL.

  • When importing a repository with ghe-migrator, an unexpected exception could occur when inconsistent data is present.

  • When using ghe-migrator to import PR review requests, records associated with deleted users would result in extraneous database records.

  • When importing users with ghe-migrator, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters.

  • Logging webhook activity could use large amounts of disk space and cause the root disk to become full.

  • Support is added for the AWS EC2 instance type m5.16xlarge.

  • Removed the requirement for SSH fingerprints in ghe-migrator archives, as they can always be computed.

  • GitHub App Manifests now include the request_oauth_on_install field.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.17

Download

September 22, 2020

  • MEDIUM: ImageMagick has been updated to address DSA-4715-1.

  • Packages have been updated to the latest security versions.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.16

Download

September 07, 2020

  • A service health check caused session growth resulting in filesystem inode exhaustion.

  • Upgrading using a hotpatch could fail with the error: 'libdbi1' was not found.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.15

Download

August 25, 2020

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages was not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program. We have issued CVE-2020-10518.

  • MEDIUM: An improper access control vulnerability was identified that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and has been assigned CVE-2020-10517. The vulnerability was reported via the GitHub Bug Bounty program.

  • Packages have been updated to the latest security versions.

  • A message was not logged when the ghe-config-apply process had finished running ghe-es-auto-expand.

  • Excessive logging to the syslog file could occur on high-availability replicas if the primary appliance is unavailable.

  • Database re-seeding on a replica could fail with an error: Got packet bigger than 'max_allowed_packet'

  • In some cases duplicate user data could cause a 500 error while running the ghe-license-usage script.

  • In a high availability or geo-replication configuration, replica instances would exit maintenance mode when ghe-config-apply ran.

  • We've added support for the R5a and R5n AWS instance types.

  • Removed the license seat count information on the administrative SSH MOTD due to a performance issue impacting GitHub Enterprise Server clusters.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.14

Download

August 11, 2020

  • Resolved an issue that could lead to high CPU usage while generating system configuration templates.

  • Recent changes to memory allocations could lead to a degradation in system performance.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.13

Download

August 10, 2020

  • CRITICAL: A remote code execution vulnerability was identified in GitHub Pages that could allow an attacker to execute commands as part of building a GitHub Pages site. This issue was due to an outdated and vulnerable dependency used in the Pages build process. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server. To mitigate this vulnerability, Kramdown has been updated to address CVE-2020-14001.

  • HIGH: An attacker could inject a malicious argument into a Git sub-command when executed on GitHub Enterprise Server. This could allow an attacker to overwrite arbitrary files with partially user-controlled content and potentially execute arbitrary commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to access repositories within the GitHub Enterprise Server instance. However, due to other protections in place, we could not identify a way to actively exploit this vulnerability. This vulnerability was reported through the GitHub Security Bug Bounty program.

  • Packages have been updated to the latest security versions.

  • A Consul configuration error prevented some background jobs from being processed on standalone instances.

  • The service memory allocation calculation could allocate an incorrect or unbounded memory allocation to a service resulting in poor system performance.

  • The virtualization platform for oVirt KVM systems was not properly detected, causing problems during upgrades.

  • The error message for invalid authentication with a password via Git command line didn't populate the URL linking to adding the appropriate token or SSH key.

  • GitHub Connect was using a deprecated GitHub.com API endpoint.

  • Issues could not be sorted by Recently updated on repositories migrated to a new instance.

  • The 404 page contained GitHub.com contact and status links in the footer.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.
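The argument-injection advisory in 2.20.13 above does not name the affected Git sub-command, so what follows is a generic illustration of the bug class, added here and not the code that was fixed. A hypothetical wrapper puts a user-supplied branch name on a `git log` command line, first in the vulnerable form, then hardened three ways: the name is validated, qualified as `refs/heads/...` so it can never begin with `-`, and preceded by `--end-of-options`, which makes Git treat everything after it as a revision (this assumes Git 2.24 or later). `--output=<file>` is a real diff option and stands in for the kind of flag that turns such an injection into a file write.

```python
"""Vulnerable versus hardened construction of a git argv from user input."""
import re
import subprocess
from typing import List

# Conservative subset of git-check-ref-format rules; rejects anything
# starting with '-' (no ref can, and that is what option injection needs).
REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def is_option_like(arg: str) -> bool:
    """True if git's option parser would treat this argument as a flag."""
    return arg.startswith("-")


def vulnerable_argv(branch: str) -> List[str]:
    """Hypothetical vulnerable form: the user-controlled value is placed where
    git still parses options, so 'branch' may be e.g. '--output=/tmp/x' and
    git log will write its output to that file."""
    return ["git", "log", "-1", branch]


def hardened_argv(branch: str) -> List[str]:
    """Validate, fully qualify, and end option parsing before the value."""
    if (not REF_RE.match(branch) or ".." in branch or "//" in branch
            or "@{" in branch or branch.endswith((".lock", "/", "."))):
        raise ValueError(f"rejected branch name: {branch!r}")
    # refs/heads/<name> cannot start with '-', and --end-of-options stops
    # git from interpreting anything after it as a flag (Git >= 2.24).
    return ["git", "log", "-1", "--end-of-options", f"refs/heads/{branch}"]


def rejects(branch: str) -> bool:
    """Convenience check used by the tests: does the hardened builder refuse it?"""
    try:
        hardened_argv(branch)
    except ValueError:
        return True
    return False


def run_git(argv: List[str]) -> str:
    """Execute an argv list without a shell; not called at import time."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(vulnerable_argv("--output=/tmp/pwned"))   # flag reaches git
    print(hardened_argv("feature/x"))                # safe argv
    print(rejects("--output=/tmp/pwned"))           # True
```

Note that `--` is not a substitute for `--end-of-options` here: for `git log`, arguments after `--` are pathspecs, not revisions, so a branch name placed after `--` would silently select the wrong thing.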

Enterprise Server 2.20.12

Download

July 20, 2020

  • Packages have been updated to the latest security versions.

  • The Management Console monitor graphs would sometimes not display correctly on larger screens.

  • GitHub App Manifest creation flow was unusable in some scenarios when a SameSite Cookie policy was applied.

  • Improvements to HAProxy scaling.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.11

Download

July 08, 2020

  • MEDIUM: Updated nginx to 1.16.1 and addressed CVE-2019-20372. (updated 2020-07-22)

  • Packages have been updated to the latest security versions.

  • Dependency graph was not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes.

  • Certain log files did not rotate every 7 days.

  • Rapid reuse of webhook source ports resulted in rejected connections.

  • Incorrect background jobs could attempt to run on instances configured as passive replicas.

  • Internal repositories were not correctly included in search results for SAML-enabled orgs.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

Enterprise Server 2.20.10

Download

June 22, 2020

  • Packages have been updated to the latest security versions.

  • Excessively large log events could lead to log forwarding instability when UDP was used as the transport mechanism.

  • Automatic unsuspension of a user through SSO did not complete if the SSH keys attribute had keys already associated with the user's account.

  • The repository permission hash from the REST API indicated no access for business members who have pull access to internal repositories.

  • Previewing a GitHub App description written in markdown was not properly rendered.

  • The audit log did not include branch protection changes events.

  • Trying to assign code review to a member of an empty team would result in a '500 Internal Server Error'.

  • Code review assignment using the load balancing algorithm could repeatedly assign to the same team member.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line.

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.9

Download

June 01, 2020

  • HIGH: An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued CVE-2020-10516 in response to this issue. The vulnerability was reported via the GitHub Bug Bounty program.

  • Packages have been updated to the latest security versions.

  • Internet-facing GitHub Enterprise Server instances could be indexed by search engines.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.8

Download

May 18, 2020

  • Packages have been updated to the latest security versions.

  • After the license file was updated, services were not properly reloaded causing functionality loss.

  • Internal API requests updating Dependency Graph information could fail if the response body was too large.

  • The affiliations argument to some GraphQL repository connections was not respected.

  • Automatic unsuspension of a user through SSO did not complete if the SAML email attribute had different casing than the GitHub user email.

  • Restoring the membership of a user to an organization did not instrument the actor in webhook and audit log payloads.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.7

Download

May 04, 2020

  • Packages have been updated to the latest security versions.

  • ghe-repl-start and ghe-repl-status displayed syntax errors.

  • If a repository has the "automatically delete head branches" setting enabled, the head branch wasn't automatically deleted, when a pull request was merged by a GitHub App installation.

  • When an organization member was reinstated, the webhook payload reported the ghost user as the sender and not the actual user performing the reinstatement.

  • If a repository has the "automatically delete head branches" setting enabled, the head branch wasn't automatically deleted where the head repository was different from the base repository.

  • The garbage collection of temporary files could lead to a license validation error.

  • In some situations, including when a repository is first created, the pre-receive hook would be run without a value populated for the GITHUB_REPO_PUBLIC environment variable.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.6

Download

April 22, 2020

  • HIGH: OpenSSL has been updated to address CVE-2020-1967.

  • HIGH: Git has been updated to address CVE-2020-5260 and CVE-2020-11008. New restrictions prevent malicious repositories from being pushed to the server instance, protecting clients which have not yet been patched.

  • LOW: ImageMagick has been updated to address CVE-2019-10131.

  • Packages have been updated to the latest security versions.

  • The git user lacked permissions to invoke the processes required to convert existing repositories using Subversion from the v4 format to v3 LRS.

  • A mismatch in MySQL configurations could cause backups to fail in large installations.

  • When upgrading from previous versions, background job workers would sometimes not spawn, preventing essential features such as merging pull requests.

  • When a GitHub Enterprise Server license contained non-ASCII characters, a GET request to the Management Console's API /setup/api/settings endpoint would result in an Internal Server Error.

  • The recovery console would prompt for a root password, even if the root account was locked.

  • A CODEOWNERS file with a leading UTF-8 Byte Order Mark would cause all codeowner rules to be ignored.

  • When the orchestrator-client cron job failed, multiple emails would be sent to the root account.

  • When an external identity provider controlled a user's site administrator status, users could not be demoted via the command line utility.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)
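The Git update in 2.20.6 above blocks pushes of repositories whose `.gitmodules` carries the URL shapes behind CVE-2020-5260 (a newline, usually percent-encoded, that injects extra lines into the credential-helper protocol) and CVE-2020-11008 (a URL with an empty host, which could make a helper hand out credentials stored for a path alone). The scanner below is an added example, neither Git's own fsck check nor GHES code: it finds such entries in a checked-out `.gitmodules`, which is useful before pushing to a server that has not yet been patched or when reviewing submodule changes in a pull request. The sample file is constructed; relative and scp-style URLs carry no host and are deliberately not flagged for the empty-host rule.

```python
"""Flag .gitmodules submodule URLs that the Git fixes for CVE-2020-5260
and CVE-2020-11008 reject: embedded newlines and empty hosts."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')
# Only URL forms that name a host go through the empty-host rule;
# "../sibling.git" and "git@host:path" legitimately have none.
NETWORK_SCHEMES = {"http", "https", "ssh", "git", "ftp", "ftps"}


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [submodule "name"] / key = value layout."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = modules.setdefault(sec.group(1), {})
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)
    return modules


def suspicious_urls(text: str) -> List[Tuple[str, str]]:
    """Return (submodule name, reason) for every URL a patched Git would refuse."""
    findings: List[Tuple[str, str]] = []
    for name, keys in parse_gitmodules(text).items():
        url = keys.get("url")
        if url is None:
            continue
        # CVE-2020-5260: a CR/LF survives percent-decoding (or is written as
        # the config escape "\n") and becomes a new "host=" line for the helper.
        decoded = unquote(url)
        if "\n" in decoded or "\r" in decoded or "\\n" in url:
            findings.append((name, "newline in url"))
            continue
        # CVE-2020-11008: scheme present but no host at all.
        parts = urlsplit(url)
        if parts.scheme.lower() in NETWORK_SCHEMES and not parts.hostname:
            findings.append((name, "empty host in url"))
    return findings


# Constructed sample: one clean entry, one of each bad shape, one relative URL.
GITMODULES = """\
[submodule "vendor/good"]
\tpath = vendor/good
\turl = https://git.example.com/org/good.git
[submodule "vendor/injected"]
\tpath = vendor/injected
\turl = https://one.example.com/?%0ahost=two.example.com
[submodule "vendor/nohost"]
\tpath = vendor/nohost
\turl = https:///org/nohost.git
[submodule "vendor/relative"]
\tpath = vendor/relative
\turl = ../sibling.git
"""

if __name__ == "__main__":
    for name, reason in suspicious_urls(GITMODULES):
        print(f"{name}: {reason}")
```

On the sample it reports `vendor/injected` (newline) and `vendor/nohost` (empty host) and stays quiet about the clean and relative entries. It only looks at `.gitmodules`; the same URL shapes can also arrive through `git submodule add` or a remote URL typed by a user, so the same two rules belong wherever a URL is accepted.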

Enterprise Server 2.20.5

Download

April 06, 2020

  • Packages have been updated to the latest security versions.

  • A maximum Git object size of 100MB option could not be selected for a repository when the global enterprise account had a Git object size option other than 100MB set.

  • Results from the Issues and Pull Requests API could have inconsistent behaviour when ordering by the updated_at field.

  • The SecurityVulnerability package field could not be queried via the GraphQL API.

  • Changing a repository from public to internal displayed an irrelevant billing message.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests.

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.4

Download

March 24, 2020

  • SAML Authentication requests and Metadata were not strictly encoded, causing some Identity Providers to not correctly process Service Provider initiated Authentication requests.

  • ghe-migrator exports did not contain milestone users, which could break import operations.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • ghe-repl-status could fail when trying to display repositories that were not fully replicated.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.3

Download

March 11, 2020

  • Upgrades and settings updates would fail if background worker configurations had been customised.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.2

Download

March 09, 2020

  • Packages have been updated to the latest security versions.

  • In some cases, forwarded log entries (primarily for audit.log) were truncated.

  • The ghe-license-check command line utility returned an "Invalid license file" error for some valid licenses, causing configuration changes to fail.

  • Alambic exception logs were not forwarded by syslog.

  • The org_block event, which is not available on GitHub Enterprise Server, was nonetheless shown to GitHub Apps.

  • GraphQL query responses sometimes returned mismatched node identifiers for ProtectedBranch objects.

  • GitHub App credentials used by GitHub Connect were not refreshed until after they had expired.

  • Leaving a comment in reply to a pull request review comment intermittently created a pending pull request review.

  • When using ghe-migrator or exporting from GitHub.com, exports silently failed to export non-image attachments.

  • Pre-receive hooks returned a 500 error when encountering UTF-8 characters.

  • The ghe-license-usage command line utility gained a new --unencrypted option for viewing the exported license usage file.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • Upgrades and settings updates will fail if background worker configurations have been customised.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.1

Download

February 26, 2020

  • Packages have been updated to the latest security versions.

  • Restore from backups would fail with an Invalid RDB version number error.

  • Upgrading an HA replica would stall indefinitely waiting for MySQL to start.

  • PR review comments with unexpected values for "position" or "original_position" caused imports to fail.

  • Duplicate webhook entries in the database could cause upgrades from previous versions to fail.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • Upgrades and settings updates will fail if background worker configurations have been customised.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)

Enterprise Server 2.20.0

Download

February 10, 2020

  • Repository administrators can enable "Require linear history" on repository branches using branch protection rules, rejecting any push that contains merge commits.

  • Repository administrators can enable "Allow force pushes" using branch protection rules, granting all users the ability to force push to the protected branch.

  • Repository administrators can enable "Allow deletions" using branch protection rules, granting all users with push access the ability to delete the protected branch.

  • Administrators can set a maxobjectsize limit on a repository, restricting the size of pushed commits for repositories not in Git LFS.

  • Organization owners can create a set of default labels when creating new repositories.

  • Packages have been updated to the latest security versions.

  • When a member of an organization attempted to view that organization's public repositories, an SSO prompt could interrupt the page display.

  • When viewing a user profile, links to that user's teams could be broken.

  • Users with the "Maintain" role could not edit repository topics.

  • Users who were not organization administrators received a 500 error when attempting to access the registration page.

  • The edit history popup was not displayed on Gist comments.

  • A new account could be registered using an already registered email address.

  • The storage service reached its file descriptor limit, causing kernel hangs and logged errors from other services.

  • Hyperlinks could be removed when an autolink reference was part of a URL.

  • When adding a comment to a pull request, the "Linked issues" section in the sidebar could disappear.

  • When editing a user's existing organization invitation, duplicate headers could be displayed on the "Teams" table.

  • The resqued service could stop logging events when the queue became too large.

  • Self-signed certificates were not automatically generated when running the "ghe-config-apply" command for cluster and high availability configurations.

  • The logo was not displayed if a topic had not been uploaded.

  • When viewing an issue on a mobile browser, the issue metadata is listed at the top of the page.

  • Consul's top-level domain changed from ".consul" to ".ghe.local".

  • The Hookshot service no longer depends on ElasticSearch and uses only MySQL as its database store.

  • Improved visual distinction between issues, projects and discussions on project note cards.

  • In pull request reviews, a notice is displayed if a multi-line comment is truncated.

  • Users can view their audit log on the "Security Log" tab of the personal settings page.

  • On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.

  • Custom firewall rules are not maintained during an upgrade.

  • Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.

  • Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.

  • When pushing to a Gist, an exception could be triggered during the post-receive hook.

  • Duplicate webhook entries in the database could cause upgrades from previous versions to fail. (updated 2020-02-26)

  • Upgrades and settings updates will fail if background worker configurations have been customised.

  • When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.

  • When upgrading from previous versions, background job workers may not be spawned, preventing essential features such as merging pull requests. (updated 2020-04-07)

  • Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

  • Dependency graph is not detecting dependencies when deployed in a cluster configuration with multiple Redis nodes. (updated 2020-06-30)