Enterprise Server 2.22.6
December 17, 2020
- LOW: High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS).
- Packages have been updated to the latest security versions.
- Requests for some file resources like a zip archive or raw file could enter a redirection loop.
- A timeout could prevent some Issues and Pull Requests searches from providing complete search results.
- Custom tabs with non-alphabetic characters in small screens did not render correctly.
- An underlying behavior was causing failures when pushing content to a Git LFS-enabled repository.
- In some rare cases issues could cause a 500 error when accessed via the web interface.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Enterprise Server 2.22.5
December 03, 2020
- Authorization service was being detected as unhealthy due to a race condition in the bootstrap which led to restart of the service.
- The Elasticsearch upgrade process was not getting captured by ghe-diagnostics.
- Enabling GitHub Actions on an upgraded high availability configuration caused errors in replication.
- An underlying behavior was causing a service to become unavailable during the hotpatch upgrade process.
- Users connecting to an active replica would get an error connecting to the live updates websocket.
- A subset of log forwarding SSL certificates was not being applied correctly.
- Email notifications were sent to suspended users when they were removed from a Team or an Organization.
- The way SSH certificates were applied between Organizations and Businesses was inconsistent.
- When an account was rate limited due to using incorrect passwords, it could be locked out for up to 24 hours.
- Pull request synchronization on repositories with many references could cause worker queues to fall behind.
- When signing in after attempting to visit a specific page, people were sent to the home page instead of their intended destination.
- For GHES instances using built-in authentication with an internal SAML identity provider, users without an associated email address could not create a commit from the web interface.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Enterprise Server 2.22.4
November 17, 2020
- Packages have been updated to the latest security versions.
- The babeld logs were missing a separator between seconds and microseconds.
- After upgrading GHES with a hotpatch, the ghe-actions-precheck and ghe-packages-precheck commands would fail with the error: "docker load" accepts no arguments.
- When the enterprise account "Repository visibility change" policy was set to "Enabled", organization owners could not change the visibility of repositories within the organization.
- Audit logs could be attributed to 127.0.0.1 instead of the actual source IP address.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Enterprise Server 2.22.3
November 03, 2020
- LOW: High CPU usage could be triggered by a specially crafted request to the SVN bridge resulting in Denial of Service (DoS) on the SVN bridge service. (updated 2020-11-16)
- LOW: Incorrect token validation resulted in a reduced entropy for matching tokens during authentication. Analysis shows that in practice there's no significant security risk here.
- Packages have been updated to the latest security versions.
- GitHub Actions could fail to start up successfully if it was previously enabled on an instance running 2.22.0 and was upgraded to 2.22.1 or 2.22.2.
- Configuration files for GitHub Actions were not copied to the replica when setting up high availability replicas, potentially leading to errors during ghe-repl-promote.
- On a freshly set up 2.22.1 or 2.22.2 instance or after upgrading to 2.22.1 or 2.22.2, the activity feed on an organization's dashboard would not update.
- Editing issues templates with filenames containing non-ASCII characters would fail with a "500 Internal Server Error".
- A metric gathering method for background jobs increased CPU utilization. (updated 2020-11-03)
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address.
Enterprise Server 2.22.2
October 20, 2020
- Packages have been updated to the latest security versions.
- If the storage account settings failed to validate while configuring GitHub Actions, running ghe-actions-teardown was required before making a new attempt.
- A custom proxy configuration could adversely affect the GitHub Actions environment.
- On a change of an address on eth0, Nomad and Consul could get unresponsive.
- When using self-signed certificates, GHES could have SSL validation exceptions upon configuring GitHub Actions.
- Using a GitHub Action from a branch name with a "+" or "/" character resulted in an error: Unable to resolve action.
- The enterprise account "Confirm two-factor requirement policy" messaging was incorrect.
- On certain requests above 100MB, Kafka's buffer could be over-allocated.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- GitHub Actions can fail to start up successfully if it was previously enabled on an instance running 2.22.0 and is upgraded to 2.22.2. (updated 2020-10-23)
- On a freshly set up 2.22.2 instance or after upgrading to 2.22.2, the activity feed on an organization's dashboard will no longer update. (updated 2020-10-27)
- Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02)
Enterprise Server 2.22.1
October 09, 2020
- MEDIUM: ImageMagick has been updated to address DSA-4715-1.
- Requests from a GitHub App integration to refresh an OAuth access token would be accepted if sent with a different, valid OAuth client ID and client secret than was used to create the refresh token.
- A user whose LDAP directory username standardizes to an existing GHES account login could authenticate into the existing account.
- Packages have been updated to the latest security versions.
- The NameID Format dropdown in the Management Console would be reset to "unspecified" after setting it to "persistent".
- Upgrading using a hotpatch could fail with an error: 'libdbi1' was not found
- Saving settings via the management console would append a newline to the TLS/SSL certificate and key files which triggered unnecessary reloading of some services.
- System logs for Dependency Graph were not rotating, allowing unbounded storage growth.
- The MS SQL Server performance graph showed statistics from the primary instance even when a replica was selected.
- ghe-actions-precheck would silently exit without running the storage checks if Actions was not enabled.
- Upgrade could fail if the resqued workers override setting is in use.
- Some services running in containers were not sending logs to the journal.
- Links to GitHub Security Advisories would use a URL with the hostname of the GitHub Enterprise Server instance instead of GitHub.com, directing the user to a nonexistent URL.
- When importing a repository with ghe-migrator, an unexpected exception could occur when inconsistent data is present.
- The enterprise account security settings page showed a "View your organizations' current configurations" link for the "Two-factor authentication" setting when the authentication mode in use does not support built-in two-factor authentication.
- OAuth refresh tokens would be removed prematurely.
- Search repair tasks would generate exceptions during the migration phase of configuration.
- On the settings page for GitHub Apps, the "Beta Features" tab was not visible in some circumstances.
- When using ghe-migrator to import PR review requests, records associated with deleted users would result in extraneous database records.
- When importing users with ghe-migrator, an error of "Emails is invalid" would occur if the system-generated email address were longer than 100 characters.
- Logging webhook activity could use large amounts of disk space and cause the root disk to become full.
- Users experienced slower Git clone and fetch performance on an instance with high availability replicas due to reads being forwarded to a different node.
- The repository Settings page of a repository for a user or organization GitHub Pages sites would fail with a "500 Internal Server Error".
- Repository network maintenance operations could become stuck in a running state.
- A repository being deleted immediately after uploading a code scanning result could cause a stall in the processing of code scanning results for all repositories.
- When a large number of code scanning results were submitted at the same time, processing of batches could time out resulting in a stall in processing of code scanning results.
- Creating a GitHub App from a manifest would fail.
- GitHub usernames were changed unintentionally when using SAML authentication, when the GitHub username did not match the value of the attribute mapped to the username field in the Management Console.
- Support is added for the AWS EC2 instance type m5.16xlarge.
- Removed the requirement for SSH fingerprints in ghe-migrator archives, as they can always be computed.
- GitHub App Manifests now include the request_oauth_on_install field.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- Configuration updates will fail when restoring data to a GitHub Actions-enabled instance if the original backup source did not have the feature enabled.
- GitHub Actions can fail to start up successfully if it was previously enabled on an instance running 2.22.0 and is upgraded to 2.22.1. (updated 2020-10-23)
- On a freshly set up 2.22.1 instance or after upgrading to 2.22.1, the activity feed on an organization's dashboard will no longer update. (updated 2020-10-27)
- Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02)
Enterprise Server 2.22.0
September 23, 2020
GitHub is excited to present GitHub Enterprise Server 2.22.0.
- GitHub Actions Beta
  GitHub Actions is a powerful, flexible solution for CI/CD and workflow automation. GitHub Actions on Enterprise Server includes tools to help you manage the service, including key metrics in the Management Console, audit logs and access controls to help you control the roll out.
  You will need to provide your own storage and runners for GitHub Actions. AWS S3, Azure Blob Storage and MinIO are supported. Please review the updated minimum requirements for your platform before you turn on GitHub Actions. To learn more, contact the GitHub Sales team or sign up for the beta.
- GitHub Packages Beta
  GitHub Packages is a package hosting service, natively integrated with GitHub APIs, Actions, and webhooks. Create an end-to-end DevOps workflow that includes your code, continuous integration, and deployment solutions.
  Supported storage back ends include AWS S3 and MinIO with support for Azure blob coming in a future release. Please note that the current Docker support will be replaced by a beta of the new GitHub Container Registry in the next release. Please review the updated minimum requirements for your platform before you turn on GitHub Packages. To learn more, contact the GitHub Sales team or sign up for the beta.
- Advanced Security Code Scanning Beta
  GitHub Advanced Security code scanning is a developer-first, GitHub-native static application security testing (SAST). Easily find security vulnerabilities before they reach production, all powered by the world's most powerful code analysis engine: CodeQL.
  Administrators using GitHub Advanced Security can sign up for and enable the GitHub Advanced Security code scanning beta. Please review the updated minimum requirements for your platform before you turn on GitHub Advanced Security code scanning.
- Pull Request Retargeting
  When a pull request's head branch is merged and deleted, all other open pull requests in the same repository that target this branch are now retargeted to the merged pull request's base branch. Previously these pull requests were closed.
- Suspend and Unsuspend an App Installation
  Administrators and users can suspend any GitHub App's access for as long as needed, and unsuspend the app on command through Settings and the API. Suspended apps cannot access the GitHub API or webhook events. You can use this instead of uninstalling an application, which deauthorises every user.
- Improved Large Scale Performance
  We have revised the approach we take to scheduling network maintenance for repositories, ensuring large monorepos are able to avoid failure states.
  Passive replicas are now supported and configurable on GitHub Enterprise Server cluster deployments. These changes will enable faster failover, reducing RTO and RPO.
- View All of Your Users
  For exceptionally large teams, administrators can adjust the 1,500 default maximum for user lists.
- Administration Changes
  Shared workers have been enabled to make live updates more resilient by sharing connections across tabs.
  The "Contact Support" link on 50x error pages now links to the support email or link configured in the Management Console.
  It's now possible to manage global announcements and expiration dates through the enterprise account settings.
  You can now exempt certain users from the default API rate limits configured in the management console, if necessary.
  Repository administrators can now set their repository to any available visibility option from a single dialog in the repository's settings. Previously, you had to navigate separate sections, buttons, and dialog boxes for changing between public and private and between private and internal.
  A new Enterprise settings link on the user dropdown menu makes it easier to navigate to Enterprise Account Settings.
  The legacy "Admin Center" link on the /stafftools page has been removed. The "Enterprise" link is now the best way to navigate to the Enterprise Account from the /stafftools page.
  The Options sub-menu item in the Enterprise Account settings has been moved from the Settings section to the Policies section.
  Accessing resources by using a personal access token or SSH key now counts as user activity. This relieves administrators from the burden of filtering out certain users from the user dormancy reports and makes it safer to use the "Suspend all" button without accidentally suspending users who only accessed GitHub in a read-only way over the APIs with a Personal Access Token (PAT) or SSH key.
- Security Changes
  Two-factor recovery codes can no longer be used during the two-factor sign in process. One-Time-Passwords are the only acceptable values.
  When a user is signed into GitHub Enterprise Server through single sign-on, the default repository visibility selection is Private.
  Owners of GitHub Apps can now choose to have their user-to-server access tokens expire after 8 hours, to help enforce regular token rotation and reduce the impact of a compromised token.
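Two items on this page concern the same token-handling rule: the 2.22.1 fix for refresh requests being accepted from a different, valid OAuth client than the one that created the refresh token, and the optional 8-hour expiry for user-to-server tokens described above. The following is an added, illustrative Python model of those checks, not GitHub's code; TokenServer, its method names, the token format and the USER_TOKEN_LIFETIME constant are assumptions for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed for illustration: models the optional 8-hour user-to-server token expiry.
USER_TOKEN_LIFETIME = 8 * 3600


@dataclass
class RefreshGrant:
    client_id: str  # the OAuth client the refresh token was issued to
    user: str


@dataclass
class TokenServer:
    clients: dict = field(default_factory=dict)         # client_id -> client_secret
    refresh_grants: dict = field(default_factory=dict)  # refresh_token -> RefreshGrant
    access_tokens: dict = field(default_factory=dict)   # access_token -> (user, expires_at)

    def register_client(self, client_id: str, client_secret: str) -> None:
        self.clients[client_id] = client_secret

    def _client_ok(self, client_id: str, client_secret: str) -> bool:
        # Constant-time comparison; unknown client ids fail the same way as bad secrets.
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def _mint(self, client_id: str, user: str, now: float):
        # Issue a fresh access/refresh pair; the refresh grant records the issuing client.
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = (user, now + USER_TOKEN_LIFETIME)
        self.refresh_grants[refresh] = RefreshGrant(client_id, user)
        return access, refresh

    def issue_tokens(self, client_id: str, client_secret: str, user: str, now: float):
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid client credentials")
        return self._mint(client_id, user, now)

    def refresh_before_fix(self, refresh_token: str, client_id: str, client_secret: str, now: float):
        """The behaviour the 2.22.1 note describes: the credentials are checked for
        validity only, so any registered client can redeem any refresh token."""
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid client credentials")
        grant = self.refresh_grants.pop(refresh_token, None)
        if grant is None:
            raise PermissionError("unknown refresh token")
        return self._mint(client_id, grant.user, now)

    def refresh(self, refresh_token: str, client_id: str, client_secret: str, now: float):
        """Fixed form: credentials must be valid AND belong to the client the
        refresh token was issued to. The refresh token is rotated on use."""
        if not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid client credentials")
        grant = self.refresh_grants.get(refresh_token)
        if grant is None or not hmac.compare_digest(grant.client_id, client_id):
            raise PermissionError("refresh token was not issued to this client")
        del self.refresh_grants[refresh_token]
        return self._mint(client_id, grant.user, now)

    def user_for(self, access_token: str, now: float):
        """Return the user an access token belongs to, or None if unknown or expired."""
        entry = self.access_tokens.get(access_token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]
```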
- Developer Changes
  The GitHub UI has undergone a design refresh, and the repositories homepage has been redesigned, including a responsive layout and improved mobile web experience.
  In the "Clone with SSH" repository dropdown menu, users will now be notified if they do not have any keys set up.
  Commits are now ordered chronologically in the pull request timeline and commits tab. This new ordering is also reflected in the "List commits on a pull request" REST API and GraphQL "PullRequest object" timeline connection.
  Users can now set a skin tone default for emoji autocomplete results in comment text areas.
  Tree-sitter improves syntax highlighting and is now the default library used for language parsing.
- Users and organizations can add Twitter usernames to their GitHub profiles.
- API Changes
  Graduated Previews
  The following previews are now an official part of the API:
  - The GitHub Apps API and endpoints that returned the performed_via_github_app property no longer require the machine-man preview header.
  - To add and view a lock reason to an issue, you no longer need to use the sailor-v preview header.
  GraphQL Schema Changes
  - The GraphQL schema changes include backwards-compatible changes, schema previews, and upcoming breaking changes.
- VMware Network Driver Changes
  The GitHub Enterprise Server default network adapter type for VMware customers has been changed from E1000 to VMXNET3, starting with release 2.22.0. When upgrading from an earlier release to 2.22.0 or newer, if an E1000 network adapter is detected during the pre-upgrade check, the following message will be displayed at the command line:
  WARNING: Your virtual appliance is currently using an emulated Intel E1000 network adapter. For optimal performance, please update the virtual machine configuration on your VMware host to use the VMXNET3 driver. Proceed with installation? [y/N]
  The administrator can choose to update the network adapter type to VMXNET3 either before or after the GitHub Enterprise Server upgrade. The virtual appliance will need to be shut down for this change. Customers should follow the VMware recommended steps for changing the virtual machine network adapter configuration to VMXNET3. Please note that VMXNET3 will not be an option if the OS version for the virtual appliance is set to "Other Linux (64-bit)". In that case, the OS version would first need to be changed from "Other Linux (64-bit)" to "Other 2.6.x Linux (64-bit)" or, if available, "Debian GNU/Linux 9". We recommend testing these changes on a staging instance before they are performed on a production GitHub Enterprise Server.
- The stafftools page for viewing pending collaborators showed a 500 Internal Server Error when there was a pending email invite.
- The Repository Health Check in stafftools could give incorrect results on busy repositories.
- A logged in user trying to accept an email invitation could get a 404 Not Found error.
- If a user navigated to a repository whose name started with "repositories.", they were redirected to the owner's "Repositories" tab instead of landing on the repository overview page.
- Labels in the dashboard timeline did not have enough contrast.
- Upcoming Deprecation of GitHub Enterprise Server 2.19
  GitHub Enterprise Server 2.19 will be deprecated as of November 12, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.
- Deprecation of Legacy GitHub App Webhook Events
  Starting with GitHub Enterprise Server 2.21.0, two legacy GitHub Apps-related webhook events have been deprecated and will be removed in GitHub Enterprise Server 2.25.0. The deprecated events integration_installation and integration_installation_repositories have equivalent events which will be supported. More information is available in the deprecation announcement blog post.
- Deprecation of Legacy GitHub Apps Endpoint
  Starting with GitHub Enterprise Server 2.21.0, the legacy GitHub Apps endpoint for creating installation access tokens was deprecated and will be removed in GitHub Enterprise Server 2.25.0. More information is available in the deprecation announcement blog post.
- Deprecation of OAuth Application API
  GitHub no longer supports the OAuth application endpoints that contain access_token as a path parameter. We have introduced new endpoints that allow you to securely manage tokens for OAuth Apps by moving access_token to the request body. While deprecated, the endpoints are still accessible in this version. We intend to remove these endpoints on GitHub Enterprise Server 3.4. For more information, see the deprecation announcement blog post.
- GitHub Enterprise Server 2.22 requires at least GitHub Enterprise Backup Utilities 2.22.0 for Backups and Disaster Recovery.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- The Name ID Format dropdown in the Management Console resets to "unspecified" after setting it to "persistent".
- The repository Settings page of a repository for a user or organization GitHub Pages sites will fail with a "500 Internal Server Error".
- Users may experience slower Git clone and fetch performance on an instance with high availability replicas due to reads being forwarded to a different node.
- Creating a GitHub App from a manifest fails. To work around this issue, users can follow the manual instructions for creating a GitHub App.
- GitHub usernames may change unintentionally when using SAML authentication, if the GitHub username does not match the value of the attribute mapped to the username field in the Management Console. (updated 2020-10-08)
- On a freshly set up 2.22.0 instance or after upgrading to 2.22.0, the activity feed on an organization's dashboard will no longer update. (updated 2020-10-27)
- Audit logs may be attributed to 127.0.0.1 instead of the actual source IP address. (updated 2020-11-02)