<!DOCTYPE html> <html> <head> <title>GitHub Enterprise - The best way to build and ship software</title> <meta name="description" content="The power of GitHub's social coding for your own workgroup. Pricing, tour and more."> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta charset="utf-8"> </head> <body class=""> <div class="site-container js-site-container"> <div class="container"> <div class="page-header"> <h1>Release notes for the 2.1 series</h1> </div> <div class="release" id="release-2.1.23"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.23">GitHub Enterprise 2.1.23</a> <small class="release-date note">April 26, 2016</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.23/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>OpenVM tools was not properly installed.</li> </ul> <h2>Changes</h2> <ul> <li>Shell history is written after each command.</li> </ul> <h2>Security Fixes</h2> <ul> <li><strong>MEDIUM</strong> Resolved a cross-site scripting (XSS) vulnerability in task lists.</li> <li><strong>MEDIUM</strong> Implemented mitigation for a URI decoding vulnerability that affects modern versions of Microsoft Internet Explorer.</li> <li>Packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and 
then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication, but the Git protocol is unauthenticated, so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.</li> </ul> <h2>Deprecation of GitHub Enterprise 2.1</h2> <p><strong>GitHub Enterprise 2.1 is now deprecated.</strong> That means that no patch releases will be made, even for critical security issues, after this release. 
For better performance, improved security, and new features, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.6/admin/guides/installation/upgrading-the-github-enterprise-virtual-machine/">upgrade to the newest version of GitHub Enterprise</a> as soon as possible.</p> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.22"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.22">GitHub Enterprise 2.1.22</a> <small class="release-date note">March 29, 2016</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.22/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li><strong>MEDIUM</strong> Resolved a cross-site scripting (XSS) vulnerability.</li> <li><strong>LOW</strong> The secure flag was not set for the <code>_gh_render</code> cookie, potentially allowing the render cookie to be sent in plaintext HTTP requests. However, Enterprise sets the <code>Strict-Transport-Security</code> header for modern browsers when SSL is enabled, which largely mitigates the issue.</li> <li>Packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. 
This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication, but the Git protocol is unauthenticated, so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.21"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.21">GitHub Enterprise 2.1.21</a> <small class="release-date note">March 15, 2016</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.21/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li><strong>MEDIUM</strong> OpenSSL packages have been 
updated to address <a href="https://web.archive.org/web/20220930152959/http://www.ubuntu.com/usn/usn-2914-1/">multiple vulnerabilities</a>, including <a href="https://web.archive.org/web/20220930152959/https://www.openssl.org/news/vulnerabilities.html#2016-0800">CVE-2016-0800</a>, known as <a href="https://web.archive.org/web/20220930152959/https://www.drownattack.com/">DROWN</a>, which did not affect GitHub Enterprise.</li> <li><strong>MEDIUM</strong> Ruby on Rails packages have been updated to address <a href="https://web.archive.org/web/20220930152959/http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/">multiple vulnerabilities</a>.</li> <li><strong>MEDIUM</strong> Implemented mitigation for a cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 (<a href="https://web.archive.org/web/20220930152959/http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0072">CVE-2015-0072</a>).</li> <li><strong>MEDIUM</strong> Implemented mitigation for a cross-site scripting (XSS) vulnerability where plain text or other content types could be parsed as HTML.</li> <li>Packages have been updated to the latest security versions.</li> <li>The <code>ca-certificates</code> package has been updated to remove outdated certificate authority (CA) certificates. This update refreshes the included certificates and removes the SPI CA and CA certificates with 1024-bit RSA keys.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. 
This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication, but the Git protocol is unauthenticated, so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.20"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.20">GitHub Enterprise 2.1.20</a> <small class="release-date note">February 23, 2016</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.20/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li><strong>HIGH</strong> <code>glibc</code> packages have 
been updated to address <a href="https://web.archive.org/web/20220930152959/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547">CVE-2015-7547</a>, a <code>getaddrinfo</code> stack-based buffer overflow.</li> <li><strong>HIGH</strong> <code>libssh</code> packages have been updated to address <a href="https://web.archive.org/web/20220930152959/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0739">CVE-2016-0739</a>, a weakness in Diffie-Hellman secret key generation.</li> <li><strong>MEDIUM</strong> <code>nss</code> packages have been updated to address <a href="https://web.archive.org/web/20220930152959/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1938">CVE-2016-1938</a>.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication, but the Git protocol is unauthenticated, so the steps will always fail. 
We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.19"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.19">GitHub Enterprise 2.1.19</a> <small class="release-date note">February 09, 2016</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.19/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li><strong>HIGH</strong> OpenSSH packages have been updated to address multiple vulnerabilities.</li> <li><strong>MED</strong> libxml2 and related packages have been updated to address multiple vulnerabilities.</li> <li><strong>MED</strong> rsync has been updated to address a recently identified vulnerability.</li> <li><strong>LOW</strong> Passwords and two-factor one-time passwords could be written to the exceptions log.</li> <li>Packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li> <p>Management console sessions can expire too quickly for Safari users.</p> </li> <li> <p>Promoting a high availability replica can fail if 
Elasticsearch takes too long to restart.</p> </li> <li> <p>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</p> </li> <li> <p>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</p> </li> <li> <p>Gist profile pages don't have proper styling when subdomain isolation is disabled.</p> </li> <li> <p>SNMP can't be run on high availability replicas.</p> </li> <li> <p>Custom firewall rules aren't maintained during an upgrade.</p> </li> <li> <p>Deleting a user doesn't delete their gists, which can cause problems with replication.</p> </li> <li> <p>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication, but the Git protocol is unauthenticated, so the steps will always fail. We also don't show the steps to merge using SSH.</p> </li> <li> <p>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</p> </li> <li> <p>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</p> </li> <li> <p>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</p> </li> <li> <p>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</p> </li> <li> <p>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</p> </li> <li> <p><strong>HIGH (CVE-2015-7547)</strong> 2.1 is vulnerable to the <code>glibc getaddrinfo</code> stack-based buffer overflow. 
To manually patch your appliance, apply the hotfix by <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/admin/guides/installation/administrative-shell-ssh-access/">connecting to your appliance via SSH</a> and running these commands: (updated 2016-02-17)</p> <pre lang="bash"><code>$ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-precise.hpkg
$ md5sum github-enterprise-libc-precise.hpkg
# expected checksum: c068256696f2775579e2cd8223f82306
$ chmod +x github-enterprise-libc-precise.hpkg
$ ./github-enterprise-libc-precise.hpkg
</code></pre> </li> </ul> <h2>Upcoming deprecation of GitHub Enterprise 2.1</h2> <p><strong>GitHub Enterprise 2.1 will be deprecated as of April 4, 2016.</strong> That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.4/admin/guides/installation/upgrading-the-github-enterprise-virtual-machine/">upgrade to the newest version of GitHub Enterprise</a> as soon as possible.</p> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.18"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.18">GitHub Enterprise 2.1.18</a> <small class="release-date note">December 15, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.18/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li><strong>HIGH</strong> An integer overflow in Git could result in incorrect memory allocation values (<a href="https://web.archive.org/web/20220930152959/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315">CVE-2016-2315</a>, <a 
href="https://web.archive.org/web/20220930152959/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324">CVE-2016-2324</a>). (updated 2016-03-17)</li> <li><strong>MED</strong> libxml2 and related packages have been updated to address multiple vulnerabilities.</li> <li><strong>MED</strong> OpenSSL packages have been updated to address multiple vulnerabilities.</li> <li><strong>LOW</strong> Auto-completion within several fields of the management console settings could cause SNMP and LDAP secrets to be logged in plaintext.</li> <li>Packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication, but the Git protocol is unauthenticated, so the steps will always fail. 
We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.17"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.17">GitHub Enterprise 2.1.17</a> <small class="release-date note">December 01, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.17/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li>Packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. 
This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication, but the Git protocol is unauthenticated, so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. 
(updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.16"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.16">GitHub Enterprise 2.1.16</a> <small class="release-date note">November 03, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.16/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>The Gist resqued.log file was not regularly rotated.</li> </ul> <h2>Security Fixes</h2> <ul> <li><strong>MED</strong> Oracle Java 7.0 is no longer supported by Oracle. We have switched to OpenJDK 7 and updated to the latest version to address <a href="https://web.archive.org/web/20220930152959/http://www.ubuntu.com/usn/usn-2784-1/">multiple vulnerabilities</a> related to information disclosure, data integrity and availability.</li> <li><strong>MED</strong> NTP packages have been updated to address <a href="https://web.archive.org/web/20220930152959/http://www.ubuntu.com/usn/usn-2783-1/">multiple vulnerabilities</a>.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. 
This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
(updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.15"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.15">GitHub Enterprise 2.1.15</a> <small class="release-date note">October 06, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.15/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li><strong>MED</strong> Unvalidated parameters passed to the GitHub Enterprise metrics could be used to generate a denial of service attack against the appliance.</li> <li><strong>LOW</strong> Large Git updates could trigger an overflow in Git xdiff.</li> <li>Packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail.
We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.14"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.14">GitHub Enterprise 2.1.14</a> <small class="release-date note">September 15, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.14/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li><strong>HIGH</strong> Read access to public API endpoints of private-mode instances and to specific reporting endpoints can be authenticated by connecting via local trusted ports. 
This authentication could be bypassed by manipulating specific HTTP headers and lead to information disclosure.</li> <li>Kernel and packages have been updated to the latest security versions.</li> <li>Mediawiki Math markup within Gists and repository files with the <code>.mediawiki</code> suffix could leak information to the Google Chart API when they were displayed.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail.
We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.13"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.13">GitHub Enterprise 2.1.13</a> <small class="release-date note">August 25, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.13/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li>Kernel and packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. 
This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Updates to Wiki pages by users without a primary email address set throw errors.</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
(updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.12"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.12">GitHub Enterprise 2.1.12</a> <small class="release-date note">August 11, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.12/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>An error in the VMware tools configuration caused excessive logging.</li> </ul> <h2>Security Fixes</h2> <ul> <li>Kernel and packages have been updated to the latest security versions.</li> <li><strong>MEDIUM:</strong> Cached form objects could cause CSRF tokens to be shared across users.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail.
We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.11"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.11">GitHub Enterprise 2.1.11</a> <small class="release-date note">July 28, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.11/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. 
This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
(updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.10"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.10">GitHub Enterprise 2.1.10</a> <small class="release-date note">July 07, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.10/download">Download</a> </small> </h3> <div class="notes"> <h2>Security Fixes</h2> <ul> <li>Ubuntu kernel and packages have been updated to the latest security versions.</li> <li><strong>HIGH:</strong> Update HAProxy to address <a href="https://web.archive.org/web/20220930152959/https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3281">CVE-2015-3281</a>, which could allow an attacker to use a specially crafted request to read memory contents that might contain data from a past request or session.</li> <li><strong>MEDIUM:</strong> Scopeless access tokens could list private Gists.</li> <li>This release and previous releases of GitHub Enterprise are not affected by the OpenSSL Advisory issued 9 July 2015 (CVE-2015-1793).</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Ubuntu kernel and packages have been updated to the latest bugfix versions.</li> <li>We could fail to properly create the key for the secure connection between a high availability replica and the primary, which caused replication setup to fail.</li> </ul> <h2>Changes</h2> <ul> <li>Direct root SSH access was not possible in the past, but as an additional measure we've also set <code>PermitRootLogin</code> to <code>no</code> in the SSH configuration.</li> <li>We now gather VMware memory statistics in the diagnostics output.</li> </ul> <h2>Known Issues</h2> <ul> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as
a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled.</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
(updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.9"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.9">GitHub Enterprise 2.1.9</a> <small class="release-date note">June 16, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.9/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>Ubuntu kernel and packages have been updated to the latest bugfix versions.</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues were not copied correctly by high availability replication.</li> </ul> <h2>Security Fixes</h2> <ul> <li>Ubuntu kernel and packages have been updated to the latest security versions.</li> </ul> <h2>Known Issues</h2> <ul> <li>We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.</li> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows 'Starting...' instead.</li> <li>Some processes continued to write to logs after they were rotated. 
This could cause the root file system to fill up.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
(updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.8"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.8">GitHub Enterprise 2.1.8</a> <small class="release-date note">June 02, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.8/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>The endpoint for marking notifications as read was behind authentication, which caused unneeded traffic and meant that read notifications weren't correctly archived.</li> </ul> <h2>Security Fixes</h2> <ul> <li>Ubuntu kernel has been updated to include security fixes.</li> </ul> <h2>Known Issues</h2> <ul> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Management console sessions can expire too quickly for Safari users.</li> <li>We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows "Starting..." instead.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on.
Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-06-13)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. 
(updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.7"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.7">GitHub Enterprise 2.1.7</a> <small class="release-date note">May 19, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.7/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest bug fix versions.</li> <li>With LDAP authentication enabled, users who renamed their accounts and then had their DN changed couldn't log in.</li> <li>LDAP user search in the site admin was limited to 1000 results. This performed poorly when searching some directories, and people are more likely to refine the search than to page through so many results, so it's now limited to 150 results.</li> <li>Setting up static networking could fail when trying to stop the DHCP client.</li> <li>Configuring high availability replication incorrectly wrote a key fingerprint to the <code>git</code> user's <em>authorized_keys</em> file, which caused warning messages to be logged on the primary.</li> <li>Logging of notification deliveries was extremely verbose, which could put I/O pressure on busy instances.</li> <li>When maintenance mode was enabled, we ignored the configured support email address and always showed the default.</li> <li>We showed the wrong clone URL when displaying a Gist when subdomain isolation was enabled.</li> <li>Elasticsearch wasn't properly tuned based on available memory.</li> <li>Notification, event, and session database entries weren't properly archived, which could cause those tables to grow very large on busy instances.</li> <li>The activity dashboard graph could dip to zero periodically, creating misleading sawtooth patterns.</li> <li>Checking file size limits for Git pushes could be expensive and time 
consuming.</li> <li>With LDAP authentication enabled, entering the wrong password could cause a timeout for some users. (updated 2015-09-02)</li> </ul> <h2>Security Fixes</h2> <ul> <li> <p>Ubuntu kernel and packages have been updated to the latest security versions.</p> </li> <li> <p><strong>LOW</strong>: <a href="https://web.archive.org/web/20220930152959/https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.27">OpenSSL 1.0.1-4ubuntu5.27</a>.</p> </li> <li> <p><strong>LOW</strong>: Update <code>libssh</code> to address denial of service vulnerabilities <a href="https://web.archive.org/web/20220930152959/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8132">CVE-2014-8132</a> and <a href="https://web.archive.org/web/20220930152959/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145">CVE-2015-3145</a>.</p> </li> <li> <p><strong>LOW</strong>: Disable SSLv2 and SSLv3 in Postfix.</p> </li> </ul> <h2>SAML response validation changes</h2> <p>We've improved the validation of the SAML responses we receive. 
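As an added illustration (not GitHub Enterprise's own code), the following Python check implements the rules this section describes: a response must carry a Recipient equal to the Assertion Consumer Service URL http(s)://[hostname]/saml/consume, and Destination and Audience are verified only when the response supplies them. The hostname, the expected Audience value (assumed here to be the instance base URL), and the helper names are assumptions of the example.

```python
"""Check the SAML response attributes described in the release notes:
Recipient is required and must equal the Assertion Consumer Service URL;
Destination and Audience are verified only when present.
Added example, not GitHub Enterprise code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def acs_url(hostname, scheme="https"):
    """The Assertion Consumer Service URL named in the release notes."""
    return f"{scheme}://{hostname}/saml/consume"


def validate_response(xml_text, hostname, expected_audience):
    """Return a list of failures (an empty list means all three checks pass).

    Only Recipient, Destination and Audience are checked; signature, validity
    window and the rest of SAML processing are out of scope. Comparisons are
    exact string matches (an assumption of this example, not a documented rule).
    """
    expected_acs = acs_url(hostname)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable response: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    errors = []

    # Recipient is required: it sits on saml:SubjectConfirmationData.
    confirmations = list(root.iterfind(".//saml:SubjectConfirmationData", NS))
    recipients = [el.get("Recipient") for el in confirmations]
    if not recipients or None in recipients:
        errors.append("Recipient attribute is missing")
    else:
        for recipient in recipients:
            if recipient != expected_acs:
                errors.append(f"Recipient {recipient!r} != ACS URL {expected_acs!r}")

    # Destination is an optional attribute of samlp:Response itself.
    destination = root.get("Destination")
    if destination is not None and destination != expected_acs:
        errors.append(f"Destination {destination!r} != ACS URL {expected_acs!r}")

    # Audience is optional: every AudienceRestriction present must name us.
    for restriction in root.iterfind(".//saml:AudienceRestriction", NS):
        audiences = [(a.text or "").strip()
                     for a in restriction.iterfind("saml:Audience", NS)]
        if expected_audience not in audiences:
            errors.append(f"Audience {audiences!r} does not include {expected_audience!r}")
    return errors


def build_response(recipient=None, destination=None, audience=None):
    """Constructed, unsigned, minimal SAML 2.0 Response used only for the demo."""
    dest_attr = f' Destination="{destination}"' if destination else ""
    recip_attr = f' Recipient="{recipient}"' if recipient else ""
    conditions = (
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        if audience else ""
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="_constructed-1" Version="2.0"{dest_attr}>'
        "<saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f"<saml:SubjectConfirmationData{recip_attr}/>"
        "</saml:SubjectConfirmation></saml:Subject>"
        f"{conditions}</saml:Assertion></samlp:Response>"
    )


# Constructed values for the demo (not a real instance).
HOST = "ghe.example.com"
AUDIENCE = "https://ghe.example.com"  # assumed: SP entity ID is the instance base URL

if __name__ == "__main__":
    acs = acs_url(HOST)
    cases = {
        "complete, correct": build_response(acs, acs, AUDIENCE),
        "Recipient only (optional attributes absent)": build_response(acs),
        "Recipient missing": build_response(destination=acs, audience=AUDIENCE),
        "Recipient for another host": build_response(
            "https://other.example/saml/consume", acs, AUDIENCE),
        "wrong Audience": build_response(acs, acs, "https://other.example"),
    }
    for name, xml_text in cases.items():
        print(f"{name}: {validate_response(xml_text, HOST, AUDIENCE) or 'OK'}")
```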
A response message must now contain a <code>Recipient</code> set to the Assertion Consumer Service URL, <code>http(s)://[hostname]/saml/consume</code>.</p> <p>In addition to the <code>Recipient</code> attribute, GitHub Enterprise will now also verify the <code>Destination</code> and <code>Audience</code> attributes, if they are supplied in the response message.</p> <p>Most SAML implementations already provide this information in their responses.</p> <h2>Known Issues</h2> <ul> <li>Creating the OpenVPN connection can fail, causing replication setup with <code>ghe-repl-setup</code> to hang.</li> <li>Git replication can be slow and CPU intensive during the initial push of large or complex repositories.</li> <li>The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs.</li> <li>Dashboard activity feed links point to the wrong hostname after restoring from backup if the hostname has changed.</li> <li>On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Gists can't be created when using Safari 8.x in Private Mode.</li> <li>LDAP Sync fails for groups that have a period in their CN.</li> <li>Replication setup fails for IPv6 hosts.</li> <li>It's not possible to convert a user account to an organization.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows
"Starting..." instead.</li> <li>Gist profile pages don't have proper styling when subdomain isolation disabled.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>Management console sessions can expire too quickly for Safari users.</li> <li>Some processes continued to write to logs after they were rotated. This could cause the root file system to fill up.</li> <li>We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.</li> <li>Promoting a high availability replica can fail if Elasticsearch takes too long to restart.</li> <li>Deleting a user doesn't delete their gists, which can cause problems with replication.</li> <li>In our instructions to merge a pull request on the command line, we show the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps will always fail. We also don't show the steps to merge using SSH.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. 
(updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.6"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.6">GitHub Enterprise 2.1.6</a> <small class="release-date note">April 21, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.6/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>The organisation creation page gave incorrect details about when LDAP groups could be synced as teams.</li> <li>LDAP users could not be suspended or renamed when LDAP sync was off.</li> <li><code>ghe-btop</code>'s <code>--usage</code> and <code>--help</code> flags were not being passed correctly.</li> <li>WOFF 2.0 font files did not have their content-type set correctly in Pages.</li> <li>The top third party OAuth applications were not displayed.</li> <li>The Owners team was not automatically removed from LDAP sync.</li> <li>Replication was not restarted automatically after an upgrade.</li> <li>Unicorn masters were not always restarted correctly which left behind stale processes.</li> <li>LDAP sync 
wasn't syncing members of a group where the LDAP group name contained a <code>.</code>.</li> <li><code>ghe-repl-setup</code> did not warn if the master had an existing replica.</li> <li>The system did not always shut down cleanly due to using <code>kexec</code> rather than <code>reboot</code>.</li> <li><code>ghe-service-list</code> did not list <code>github-svn-proxy</code> or <code>github-timerd</code>.</li> <li><code>resqued</code>, <code>svn-proxy</code> and <code>timerd</code> held on to a deleted log file rather than rotating correctly.</li> </ul> <h2>Security Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest security versions.</li> <li><strong>LOW</strong>: <a href="https://web.archive.org/web/20220930152959/https://www.ruby-lang.org/en/news/2015/04/13/ruby-2-1-6-released/">Ruby 2.1.6</a></li> <li><strong>LOW</strong>: Branch names were not escaped correctly, which could allow an XSS vulnerability.</li> <li><strong>LOW</strong>: A bug in URL parsing in Safari could allow the bypass of the same origin checks in JavaScript.</li> </ul> <h2>Known Issues</h2> <ul> <li>Creating the OpenVPN connection can fail, causing replication set up with <code>ghe-repl-setup</code> to hang.</li> <li>Git replication can be slow and CPU intense during initial push of large or complex repositories.</li> <li>The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs from running.</li> <li>Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.</li> <li>In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.</li> <li>On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Gists can't be 
created when using Safari 8.x in Private Mode.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>Management console sessions can expire too quickly for Safari users.</li> <li>We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows "Starting..." instead.</li> <li>Replication setup fails for IPv6 hosts.</li> <li>It's not possible to convert a user account to an organization.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. 
(updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. (updated 2015-09-02)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.5"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.5">GitHub Enterprise 2.1.5</a> <small class="release-date note">March 24, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.5/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>Pull requests didn't properly trigger repository replication.</li> <li>In rare circumstances, Git clients displayed a misleading repository corruption message when garbage collection ran while fetching a pack file that was bigger than a configured memory limit. We've bumped up the configured memory limit to make that situation even less likely.</li> <li>If the credentials of the LDAP bind user became incorrect (for example, if a password expired), LDAP sync incorrectly removed users from teams. If those users had forks of private repositories, the forks were deleted.</li> <li>We incorrectly performed some LDAP searches as the authenticating user instead of the LDAP bind user. 
This user might have less access than the bind user, which could cause errors.</li> <li>The user API only returned a user's LDAP mapping if LDAP sync was enabled.</li> <li>We added support for the "SSH" and "SSHKey" prefixes for ActiveDirectory's <code>altSecurityIdentities</code> attributes.</li> <li>With LDAP Sync enabled, it was possible to set the special Owners team to sync with an LDAP group, but the sync couldn't complete. We disable syncing the Owners team now.</li> <li>When LDAP Sync was set to sync emails, we showed a banner message suggesting users add an email address even though they couldn't.</li> <li>Inviting a user to join an organization could return a "Not found" error when all the teams in an organization were mapped to LDAP groups and the invited user wasn't already a member of another team.</li> <li>After configuring a fresh instance to use static networking, we could still request a DHCP lease. Restarting the VM stopped the DHCP requests, but we fixed the problem and don't ask for a lease now.</li> <li>When saving settings, the "Restarting system services" spinner could keep spinning even after the services had restarted properly.</li> <li>The HAProxy logs were rotated weekly, so on busy instances they could get very large. We rotate them daily now.</li> <li>We kept too many logs for webhooks, which slowed stuff down. We purge older logs now.</li> <li>Some network setups made browsers send headers too big for us to handle, causing a "Request header or cookie too large" error. We've made our header buffers bigger.</li> <li>We added some flags to the <code>ghe-support-bundle</code> command line utility to make it possible to upload a support bundle directly to GitHub from the VM.</li> <li>Email hooks were incorrectly sent from "<a href="https://web.archive.org/web/20220930152959/mailto:noreply@github.com">noreply@github.com</a>" if "Send from author" wasn't selected. 
Some email services would reject those emails, making it seem like the hook was failing.</li> <li>One of the Percona database tools we ship with the VM was phoning home to check for updates.</li> <li>When the Status API was used to set a pending status on a pull request, we incorrectly said some checks had failed.</li> <li>There was a race condition in our assets server, which delivers resources like profile pictures and downloads, that could cause file handle leakage. If that happened, performance could be degraded. (updated 2015-03-25)</li> <li>Chrome 42 users weren't able to edit wiki pages or upload images via drag and drop, and autocomplete menus and repository graphs didn't display. (updated 2015-05-06)</li> </ul> <h2>Security Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest security versions.</li> <li><strong>LOW</strong>: Using an access token with <code>public_repo</code> scope, requests for lists of issues would return issues from private repositories.</li> <li><strong>LOW</strong>: <a href="https://web.archive.org/web/20220930152959/https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.25">OpenSSL 1.0.1-4ubuntu5.25</a></li> </ul> <h2>Integration with GitHub for Mac</h2> <ul> <li>For reasons outside our control, the implementation behind the "Clone in desktop" button for GitHub for Mac doesn't work any more. We now use the same method for both desktop applications and check you have an application configured. 
This means we'll only show the button when you're logged in.</li> </ul> <h2>Known Issues</h2> <ul> <li>Creating the OpenVPN connection can fail, causing replication set up with <code>ghe-repl-setup</code> to hang.</li> <li>Git replication can be slow and CPU intense during initial push of large or complex repositories.</li> <li>The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs from running.</li> <li>Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.</li> <li>In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.</li> <li>On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Gists can't be created when using Safari 8.x in Private Mode.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>Management console sessions can expire too quickly for Safari users.</li> <li>We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>A high availability replica that's been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows "Starting..." 
instead.</li> <li>LDAP Sync fails for groups that have a period in their CN.</li> <li>Replication setup fails for IPv6 hosts.</li> <li>It's not possible to convert a user account to an organization.</li> <li>Accessing GitHub Enterprise using a hostname alias with private mode enabled as an unauthenticated user will redirect you to the dashboard instead of the page you were trying to visit after you log in.</li> <li>Can't suspend or rename users when LDAP Sync is off. (updated 2015-04-20)</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. 
(updated 2015-09-02)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.4"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.4">GitHub Enterprise 2.1.4</a> <small class="release-date note">March 03, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.4/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest bugfix/security versions.</li> <li>Enabling LDAP Sync for emails could cause background jobs to be continuously queued, which in turn could affect performance.</li> <li>Viewing a PSD or STL file with more than one revision results in an error being thrown.</li> <li>The GitHub application server could fail to start, because under some circumstances there could be a stale zero-downtime restart flag file.</li> <li>Scheduled maintenance mode didn't activate, so GitHub Enterprise was still available when it shouldn't have been.</li> <li>Saving settings in the management console with invalid LDAP connection settings caused an error. We fail with an appropriate message now.</li> <li>Promoting a high availability replica failed if the primary wasn't accessible.</li> <li>MySQL replication could fail on really, really busy instances.</li> <li>With SSL disabled, regenerating the self-signed certificate enabled SSL. This would happen if you use the IP address as the hostname and change the IP address of the VM.</li> <li>The admin SSH user didn't have proper access to <code>man</code> pages.</li> <li>There was an unused Redis stats bubble in the site admin toolbar, which looked like a warning. 
We've taken out the bubble.</li> <li>Chrome Canary didn't show the number of open pull requests when you viewed a repository.</li> <li>The <code>ghe-upgrade</code> command produced the following harmless error: <code>line 205: /dev/null/: Is a directory</code>.</li> </ul> <h2>Security Fixes</h2> <ul> <li><strong>MEDIUM</strong>: There was an XSS vulnerability in wikis.</li> </ul> <h2>Known Issues</h2> <ul> <li>Creating the OpenVPN connection can fail, causing replication set up with <code>ghe-repl-setup</code> to hang.</li> <li>Git replication can be slow and CPU intense during initial push of large or complex repositories.</li> <li>The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs from running.</li> <li>Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.</li> <li>In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.</li> <li>On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Gists can't be created when using Safari 8.x in Private Mode.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Gist profile pages don't have proper styling when subdomain isolation is disabled.</li> <li>After initial set up, an instance with static networking configured that has not been rebooted can try to get a DHCP lease.</li> <li>Management console sessions can expire too quickly for Safari users.</li> <li>We can fail to properly create the key for the secure connection between a high availability replica and the primary, which causes replication setup to fail.</li> <li>Custom firewall rules aren't maintained during an upgrade.</li> <li>A high availability replica that's 
been promoted to primary and then set up as a replica again doesn't properly show the replica status page, but shows "Starting..." instead.</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>When using Chrome 42 or newer, wiki pages can't be edited, images can't be uploaded via drag and drop, and autocomplete menus and repository graphs may not display. (updated 2015-05-06)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. (updated 2015-09-02)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. 
(updated 2016-01-14)</li> </ul> </div> </div><!-- /.release --> <div class="release" id="release-2.1.3"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.3">GitHub Enterprise 2.1.3</a> <small class="release-date note">February 17, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.3/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest bugfix/security versions.</li> <li>Downloading code archives failed when private mode was enabled.</li> <li>The assets server didn't always properly close file handles, which could cause performance issues if the file handle limit was reached.</li> <li>Custom CA certificates installed with <code>ghe-ssl-ca-certificate-install</code> were lost after upgrading.</li> <li>Maintenance mode wasn't maintained after upgrading, so applications were unexpectedly accessible to users.</li> <li>Updating a license in the management console was not reflected in the GitHub application under some circumstances.</li> <li>Diagnostics always said avatars are disabled, regardless of reality.</li> <li>Some organization names were incorrectly blacklisted.</li> <li>We didn't require SAML responses to be signed. We enforce that now.</li> <li>We didn't properly support SAML single sign on URLs with query parameters.</li> <li>Our validation when adding restricted LDAP groups in the management console was overly strict, and stopped you adding groups whose name was a substring of existing groups.</li> <li>We weren't properly suspending users when they were suspended in ActiveDirectory.</li> <li>We failed to properly sync LDAP users' email addresses in some cases.</li> <li>LDAP Sync unsuspended users who'd been suspended if the <code>userAccountControl</code> attribute wasn't present. 
That's usually the case when the directory isn't ActiveDirectory unless the attribute was added with a custom schema.</li> <li>The <code>ghe-org-owner-promote</code> command line utility was broken.</li> <li>Wildcard SSL certificates in the management console could be incorrectly marked invalid under some circumstances.</li> <li>We only copied admin SSH keys when initially setting up replication, so the keys on the high availability replica could be out of sync. We regularly update them now.</li> <li>The management console settings and GitHub Enterprise license were only copied the first time replication was set up, so the high availability replica could be out of sync. Now we update the settings and license each time replication is set up.</li> <li>The monitoring graphs were set to PST timezone. We always use UTC now.</li> <li>We ignored region settings in the AWS CodeDeploy service hook, causing it to fail.</li> <li>Switching to a different authentication method didn't expire existing sessions.</li> <li>Profile pictures migrated from an avatar service could revert to identicons under some circumstances.</li> </ul> <h2>Known Issues</h2> <ul> <li>The <code>ghe-upgrade</code> command will output the following harmless error: <code>line 205: /dev/null/: Is a directory</code></li> <li>Creating the OpenVPN connection can fail, causing replication set up with <code>ghe-repl-setup</code> to hang.</li> <li><del>Replica promotion can hang when running <code>ghe-repl-promote</code>.</del></li> <li>Git replication can be slow and CPU intense during initial push of large or complex repositories.</li> <li>The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs from running.</li> <li>Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.</li> <li>In some circumstances, after an upgrade we 
prompt you to upload a license, even though there's already a valid license.</li> <li>On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Gists can't be created when using Safari 8.x in Private Mode.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Enabling LDAP Sync for emails can cause background jobs to be continuously queued, which in turn can affect performance. We recommend disabling email sync in this version. (updated 2015-02-25)</li> <li>Viewing a PSD or STL file with more than one revision results in an error being thrown. (updated 2015-02-27)</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>When using Chrome 42 or newer, wiki pages can't be edited, images can't be uploaded via drag and drop, and autocomplete menus and repository graphs may not display. (updated 2015-05-06)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. 
(updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. (updated 2015-09-02)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)</li> </ul> <h2>Security Fixes</h2> <ul> <li><strong>LOW</strong>: SAML authentication responses weren't signed.</li> </ul> <h2>Errata</h2> <ul> <li>Replica promotion hanging when running <code>ghe-repl-promote</code> was fixed in 2.0.2.</li> </ul> </div> </div><!-- /.release --> <div class="release" id="release-2.1.2"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.2">GitHub Enterprise 2.1.2</a> <small class="release-date note">January 31, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.2/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>Static network configuration had to be reapplied after upgrading from 2.1.0 to 2.1.1. 
We now properly maintain these settings during an upgrade.</li> </ul> <h2>Known Issues</h2> <ul> <li>Creating the OpenVPN connection can fail, causing replication set up with <code>ghe-repl-setup</code> to hang.</li> <li><del>Replica promotion can hang when running <code>ghe-repl-promote</code>.</del></li> <li>Git replication can be slow and CPU intense during initial push of large or complex repositories.</li> <li>The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs from running.</li> <li>Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.</li> <li>The <code>ghe-org-owner-promote</code> command line utility is currently broken.</li> <li>In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.</li> <li>On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.</li> <li>Switching to a different authentication method doesn't expire existing sessions.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Replication needs to be reconfigured after upgrading a replica with <code>ghe-upgrade</code>.</li> <li>Gists can't be created when using Safari 8.x in Private Mode.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Updating a license in the management console is not reflected in the GitHub application under some circumstances. (updated 2015-02-02)</li> <li>Enabling LDAP Sync for emails can cause background jobs to be continuously queued, which in turn can affect performance. We recommend disabling email sync in this version. (updated 2015-02-25)</li> <li>Viewing a PSD or STL file with more than one revision results in an error being thrown. 
(updated 2015-02-27)</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>When using Chrome 42 or newer, wiki pages can't be edited, images can't be uploaded via drag and drop, and autocomplete menus and repository graphs may not display. (updated 2015-05-06)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. (updated 2015-09-02)</li> <li>Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. 
(updated 2016-01-14)</li> </ul> <h2>Errata</h2> <ul> <li>Replica promotion hanging when running <code>ghe-repl-promote</code> was fixed in 2.0.2.</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.1"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.1">GitHub Enterprise 2.1.1</a> <small class="release-date note">January 30, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.1/download">Download</a> </small> </h3> <div class="notes"> <h2>Bug Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest bugfix/security versions.</li> <li>With more than seven tabs open, dynamic content could fail to load due to browser connection limits. We've returned to using polling instead.</li> <li>When a SAML response incorrectly had an email as the <code>NameID</code>, but didn't include <code>email</code> as a released attribute, users could sign in the first time but couldn't sign in again after signing out.</li> <li>If an SSH key contained extra whitespace or a comment, LDAP Sync sent emails warning that an SSH key was added to your account each time sync ran.</li> <li>When synchronizing an LDAP Group mapped to multiple GitHub Teams, we queried the LDAP directory for each Team. We now query once for the Group and update all the Teams at the same time. 
We also improved the performance of searching for group members.</li> <li>Creating LDAP users through the site admin caused an error if their LDAP username included characters that would be normalized in their GitHub username, like <code>$</code>, <code>_</code>, <code>.</code>.</li> <li>Members of the LDAP admin group were given admin privileges on account creation or LDAP Sync, but not when they signed in.</li> <li>We incorrectly hid avatar options in the management console if a service URL was set but avatars were disabled.</li> <li>If your management console session timed out, connectivity tests failed without any error message. Now you're redirected to log in again.</li> <li>The <code>From:</code> address was wrong in notification emails if the "no-reply" email address was configured, using the SMTP HELO domain instead.</li> <li>SASL was enabled even if SMTP authentication wasn't turned on, which could cause email delivery failures.</li> <li>Doing an initial installation using the management console API failed if you didn't include the port, because we dropped data when redirecting.</li> <li>If Pages on a replica fell too far behind the primary, the alert shown by <code>ghe-repl-status</code> was missing how far behind replication was.</li> <li>Diagnostics always said Log Forwarding was disabled, regardless of reality.</li> <li>The Git gateway tried to log timing statistics to an inaccessible statsd server.</li> <li>Hovering over the timing statistics graph in the site admin showed <code>undefined</code> instead of the hostname and Ruby version.</li> <li>Compressing a support bundle could be slow, so we sped it up using more than one core (but with a high <code>nice</code> so it won't affect anything else).</li> </ul> <h2>Known Issues</h2> <ul> <li>Creating the OpenVPN connection can fail, causing replication set up with <code>ghe-repl-setup</code> to hang.</li> <li><del>Replica promotion can hang when running <code>ghe-repl-promote</code>.</del></li> <li>Git 
replication can be slow and CPU-intensive during the initial push of large or complex repositories.</li> <li>The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs from running.</li> <li>Dashboard activity feed links point to the wrong hostname after restoring from backup if the hostname has changed.</li> <li>The <code>ghe-org-owner-promote</code> command line utility is currently broken.</li> <li>In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.</li> <li>On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.</li> <li>Switching to a different authentication method doesn't expire existing sessions.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Replication needs to be reconfigured after upgrading a replica with <code>ghe-upgrade</code>.</li> <li>Gists can't be created when using Safari 8.x in Private Mode.</li> <li>SNMP can't be run on high availability replicas.</li> <li>Updating a license in the management console is not reflected in the GitHub application under some circumstances. (updated 2015-02-02)</li> <li>Enabling LDAP Sync for emails can cause background jobs to be continuously queued, which in turn can affect performance. We recommend disabling email sync in this version. (updated 2015-02-25)</li> <li>Viewing a PSD or STL file with more than one revision results in an error being thrown. (updated 2015-02-27)</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>When using Chrome 42 or newer, wiki pages can't be edited, images can't be uploaded via drag and drop, and autocomplete menus and repository graphs may not display. 
(updated 2015-05-06)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)</li> <li>Images uploaded to issues are saved with an absolute URL, so they can break if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. (updated 2015-09-02)</li> <li>Adding a file to a repository with Subversion 1.9 clients fails because the file is incorrectly detected as already existing. (updated 2016-01-14)</li> </ul> <h2>Security Fixes</h2> <ul> <li><strong>MEDIUM</strong>: Buffer overflow in <code>gethostbyname</code>. Also known as the GHOST vulnerability.</li> </ul> <h3>GHOST vulnerability</h3> <p>Qualys researchers have <a href="https://web.archive.org/web/20220930152959/http://seclists.org/oss-sec/2015/q1/274">found a buffer overflow vulnerability</a> in the <code>gethostbyname</code> function in the C standard library that could allow remote code execution under some circumstances. 
There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as <a href="https://web.archive.org/web/20220930152959/http://seclists.org/oss-sec/2015/q1/283">many services don't use <code>gethostbyname</code> in a way that is exploitable</a>. However, as a precaution we recommend upgrading to this latest patch release or to a <a href="https://web.archive.org/web/20220930152959/https://enterprise.github.com/releases/">later version</a>.</p> <h2>Errata</h2> <ul> <li>Replica promotion hanging when running <code>ghe-repl-promote</code> was fixed in 2.0.2.</li> </ul> <p>Thanks!</p> <p>The GitHub Team</p> <p><a href="https://web.archive.org/web/20220930152959/https://enterprise.github.com/releases">https://enterprise.github.com/releases</a></p> <p><a href="https://web.archive.org/web/20220930152959/https://enterprise.github.com/releases/2.1.1">https://enterprise.github.com/releases/2.1.1</a></p> <h1>Security Notification</h1> <h2>Important Security Vulnerabilities Fixed in GitHub Enterprise 2.1.1</h2> <p>The following important security vulnerabilities have been fixed in the 2.1.1 release:</p> <ul> <li><strong>MEDIUM</strong>: Buffer overflow in <code>gethostbyname</code>. Also known as the GHOST vulnerability.</li> </ul> <h3>GHOST vulnerability</h3> <p>Qualys researchers have <a href="https://web.archive.org/web/20220930152959/http://seclists.org/oss-sec/2015/q1/274">found a buffer overflow vulnerability</a> in the <code>gethostbyname</code> function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as <a href="https://web.archive.org/web/20220930152959/http://seclists.org/oss-sec/2015/q1/283">many services don't use <code>gethostbyname</code> in a way that is exploitable</a>. 
However, as a precaution we recommend upgrading to this latest patch release or to a <a href="https://web.archive.org/web/20220930152959/https://enterprise.github.com/releases/">later version</a>.</p> <p>If you have any questions, please contact support at <a href="https://web.archive.org/web/20220930152959/mailto:enterprise@github.com">enterprise@github.com</a>.</p> <p>Thanks!</p> <p>The GitHub Team</p> </div> </div><!-- /.release --> <div class="release" id="release-2.1.0"> <h3> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.0">GitHub Enterprise 2.1.0</a> <small class="release-date note">January 20, 2015</small> <small class="right release-actions"> <a href="/web/20220930152959/https://enterprise.github.com/releases/2.1.0/download">Download</a> </small> </h3> <div class="notes"> <h2>GitHub Enterprise 2.1.0 Update Released</h2> <p>The 2.1.0 release for GitHub Enterprise is now available for download from <a href="https://web.archive.org/web/20220930152959/https://enterprise.github.com/download">https://enterprise.github.com/download</a>. 
We've listed out all the included features, bug fixes, and known issues below, and have also drafted up a set of <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/admin/guides/installation/upgrading-to-github-enterprise-2-1">upgrade instructions</a> to help make your migration as smooth as possible.</p> <h2>New Features</h2> <p>With the new features added in GitHub Enterprise 2.1.0, you can:</p> <ul> <li>Automate user and team management with <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/admin/guides/user-management/using-ldap#enabling-ldap-sync">LDAP Sync</a>.</li> <li>Deploy GitHub Enterprise on <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/admin/guides/installation/installing-github-enterprise-on-openstack-kvm">OpenStack KVM</a>.</li> <li>Audit all user actions across your instance with the <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/admin/guides/user-management/auditing-users-across-your-instance">Instance Audit Log</a>.</li> <li>Monitor the performance of GitHub Enterprise with the <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/admin/guides/installation/system-resource-monitoring-and-alerting#accessing-the-internal-monitoring-dashboard">Instance Monitoring Dashboard</a>.</li> <li><a href="https://web.archive.org/web/20220930152959/https://help.github.com/articles/about-webhooks/">Configure webhooks</a> at the organization level.</li> <li>Set your GitHub Enterprise <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/how-do-i-set-up-my-profile-picture">profile picture</a>.</li> <li>See the results from <a href="https://web.archive.org/web/20220930152959/https://github.com/blog/1935-see-results-from-all-pull-request-status-checks">multiple pull requests status checks</a>.</li> <li>View and 
diff <a href="https://web.archive.org/web/20220930152959/https://help.github.com/articles/rendering-and-diffing-images/">SVG files</a>.</li> <li>Manage todos with the <a href="https://web.archive.org/web/20220930152959/https://help.github.com/articles/viewing-all-of-your-issues-and-pull-requests/"><code>/pulls</code> and <code>/issues</code> dashboard pages</a>.</li> <li>More easily review changes to code with <a href="https://web.archive.org/web/20220930152959/https://github.com/blog/1932-syntax-highlighted-diffs">syntax highlighted diffs</a>.</li> <li>Automate deployments from GitHub Enterprise repositories with <a href="https://web.archive.org/web/20220930152959/https://developer.github.com/enterprise/2.1/v3/repos/deployments/">the Deployments API</a>.</li> <li>Run GitHub Enterprise within your IPv6 network.</li> <li>Find what you're looking for on the go with <a href="https://web.archive.org/web/20220930152959/https://github.com/blog/1924-mobile-search">mobile search</a>.</li> <li>See what Git operations are running on GitHub Enterprise with the <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/admin/articles/command-line-utilities#ghe-btop"><code>ghe-btop</code> command line utility</a>.</li> <li><a href="https://web.archive.org/web/20220930152959/https://help.github.com/articles/generating-ssh-keys/">Use Ed25519 SSH client keys</a> for Git operations.</li> </ul> <h2>Changes</h2> <ul> <li>To stop users committing large files that can harm server performance, files larger than 100MB are now rejected by default. The file size limit can be <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/admin/articles/setting-git-push-limits/">changed or removed</a>. 
(updated 2015-02-02)</li> <li>With the release of the <a href="https://web.archive.org/web/20220930152959/https://github.com/blog/1803-switch-your-picture-with-ease">profile pictures</a> feature, support for external avatar services has been deprecated. (updated 2015-02-02)</li> </ul> <h2>Bug Fixes</h2> <ul> <li>Ubuntu packages have been updated to the latest bugfix/security versions.</li> <li>When installing, you had to upload the license and then set the password. Now we do it in one step, so someone nasty can't set a password after you've uploaded the license and gone for coffee.</li> <li>With private mode enabled, redirects could leak the Nginx version we use.</li> <li>When talking to an LDAP server multiple times in a request, we'd start a new connection each time. Now we reuse connections where possible, so it's much faster.</li> <li>Checking replica status with <code>ghe-repl-status</code> was really slow. We made it faster.</li> <li>We sometimes didn't show the gateway address in the hypervisor console.</li> <li>We stopped you from adding a duplicate or broken SSH key to the management console, but the error didn't show up properly.</li> <li>Accessing GitHub Enterprise in Firefox with the default certificate still enabled displayed the SSL warning twice.</li> <li>It was easy to accidentally change network settings in the VMware console. 
Now you have to hit 's' instead of any key.</li> <li>In the security section of the settings page, we incorrectly showed requests coming from 127.0.0.1 if they came from a private network.</li> <li>Replication didn't restart properly after rebooting a high availability replica.</li> <li>Replication didn't replicate custom DNS settings.</li> <li>If a high availability replica was offline for a while, restarting it could fail if MySQL had moved on too far.</li> <li>The SSH key used for replication didn't survive upgrades and had to be regenerated.</li> <li>Memcached didn't restart after a crash, which broke Gist and other pages.</li> <li>In Pages sites, JSON files were served with the wrong MIME type.</li> <li>People expected to be able to invite users to an organization by their full name. Now you can.</li> <li>Wiki links to other wiki pages were rendered as images when a repository contained a directory with the same name.</li> <li>Adding an SSH key that contained non-ASCII characters like smart quotes would break the management console.</li> <li>The 'Revert' button didn't work properly when trying to revert a pull request from a fork.</li> <li>The hypervisor console script timed out every five seconds and respawned, spamming the logs.</li> <li>Git clone events weren't being forwarded as part of the <code>github_audit</code> log stream.</li> <li>The Git gateway logs were messed up when we tried to rotate them.</li> <li>Creating the diagnostics file for support could time out if there were lots of webhook delivery logs.</li> <li>The page that users see when maintenance mode is enabled linked to <a href="https://web.archive.org/web/20220930152959/mailto:enterprise@github.com">enterprise@github.com</a> instead of your configured support email address.</li> <li>The "Open in desktop" button only worked if you already had the desktop application installed.</li> <li>PSD files didn't render with the default self-signed certificate.</li> <li>Git authentication could fail 
after changing the hostname. (updated 2015-02-02)</li> </ul> <h2>Security Fixes</h2> <ul> <li><strong>LOW</strong>: Desktop applications were granted API tokens with more access scope than was necessary.</li> <li><strong><del>LOW</del> HIGH</strong>: <a href="https://web.archive.org/web/20220930152959/https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.21">OpenSSL 1.0.1-4ubuntu5.21</a>.</li> </ul> <h2>Removal of RC4 SSL cipher</h2> <p>To keep GitHub Enterprise as secure as possible, we have removed support for the cryptographically weak RC4 cipher in our SSL configuration. With the removal of RC4, Internet Explorer on Windows XP will no longer be able to access GitHub Enterprise. You can read more about this change in our <a href="https://web.archive.org/web/20220930152959/https://github.com/blog/1937-improving-github-s-ssl-setup">announcement on GitHub.com</a>.</p> <h2>Known Issues</h2> <ul> <li>Creating the OpenVPN connection can fail, causing replication set up with <code>ghe-repl-setup</code> to hang.</li> <li><del>Replica promotion can hang when running <code>ghe-repl-promote</code>.</del></li> <li>Git replication can be slow and CPU-intensive during the initial push of large or complex repositories.</li> <li>The management console settings interface does not clearly show if you have previously uploaded certificate files or a private key.</li> <li>Jobs stuck on code indexing can delay other jobs from running.</li> <li>Dashboard activity feed links point to the wrong hostname after restore if the hostname has changed.</li> <li>The <code>ghe-org-owner-promote</code> command line utility is currently broken.</li> <li>In some circumstances after an upgrade, we prompt you to upload a license even though there's already a valid license.</li> <li>If your management console session has timed out, connectivity tests can fail without any error message.</li> <li>On a freshly set up GitHub Enterprise instance without any users, an attacker could create the first admin 
user.</li> <li>Switching to a different authentication method doesn't expire existing sessions.</li> <li>Events in the <code>github_audit</code> log stream are being logged twice.</li> <li>Replication needs to be reconfigured after upgrading a replica with <code>ghe-upgrade</code>.</li> <li>Gists can't be created when using Safari 8.x in Private Mode. (updated 2015-01-27)</li> <li>SNMP can't be run on high availability replicas. Our previous fix was incomplete. (updated 2015-02-02)</li> <li>Updating a license in the management console is not reflected in the GitHub application under some circumstances. (updated 2015-02-02)</li> <li>Enabling LDAP Sync for emails can cause background jobs to be continuously queued, which in turn can affect performance. We recommend disabling email sync in this version. (updated 2015-02-25)</li> <li>Viewing a PSD or STL file with more than one revision results in an error being thrown. (updated 2015-02-27)</li> <li>Individual application logs are not reliably forwarded. (updated 2015-04-20)</li> <li>When using Chrome 42 or newer, wiki pages can't be edited, images can't be uploaded via drag and drop, and autocomplete menus and repository graphs may not display. (updated 2015-05-06)</li> <li>Avatars, <a href="https://web.archive.org/web/20220930152959/https://help.github.com/enterprise/2.1/user/articles/about-releases/">release downloads</a>, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)</li> <li>We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)</li> <li>Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)</li> <li>We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)</li> <li>Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. 
(updated 2015-06-19)</li> <li>Images uploaded to issues are saved with an absolute URL, so they can break if the hostname changes. (updated 2015-07-14)</li> <li>With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)</li> <li>Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)</li> <li>With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. (updated 2015-09-02)</li> <li>Adding a file to a repository with Subversion 1.9 clients fails because the file is incorrectly detected as already existing. (updated 2016-01-14)</li> </ul> <h2>Errata</h2> <ul> <li>Replica promotion hanging when running <code>ghe-repl-promote</code> was fixed in 2.0.2.</li> <li>The OpenSSL 1.0.1-4ubuntu5.21 update was upgraded to a <strong>HIGH</strong> security fix due to the publication of <a href="https://web.archive.org/web/20220930152959/https://freakattack.com/">Freak Attack</a>.</li> </ul> </div> </div><!-- /.release --> </div> <div class="footer-push"></div> </div> </body> </html>