Security vulnerability in bash addressed
Update: 2014-09-29 23:10 UTC We have published an update to the Git Shell tools for GitHub for Windows, which resolves the bash vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187. If you…
Update: 2014-09-29 23:10 UTC
We have published an update to the Git Shell tools for GitHub for Windows, which resolves the bash vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187. If you are running GitHub for Windows, we strongly encourage you to upgrade. You can check if you are on the latest version, and upgrade if needed, by opening “Tools” -> “About GitHub for Windows…”
Update: 2014-09-28 17:30 UTC
Two new bash vulnerabilities, CVE-2014-7186 and CVE-2014-7187, have been discovered. We have now released special patches of GitHub Enterprise using the latest upstream bash fix for CVE-2014-7186 and CVE-2014-7187. Upgrade instructions have been sent to all GitHub Enterprise customers, and we strongly encourage all customers to upgrade their instance using this latest release. GitHub.com remains unaffected by this vulnerability.
Update: 2014-09-26 00:22 UTC
Security patches released yesterday for the bash command vulnerability identified in CVE-2014-6271 turned out to be incomplete, and a new vulnerability, CVE-2014-7169, was identified. We have now released special patches of GitHub Enterprise using the latest upstream bash fix for CVE-2014-7169. Upgrade instructions have been sent to all GitHub Enterprise customers, and we strongly encourage all customers to upgrade their instance using this latest release. GitHub.com remains unaffected by this vulnerability.
Update: 2014-09-25 15:45 UTC
GitHub is closely monitoring new developments that indicate the existing bash patch for CVE-2014-6271 is incomplete. The fix for this new bash vulnerability is still in progress, but we will be releasing a new patch for GitHub Enterprise once it has been resolved. At this time, we still strongly encourage all GitHub Enterprise customers to update their instances using the patch made available yesterday.
This morning it was disclosed that Stephane Chazelas discovered a critical vulnerability in the GNU bash utility present on the vast majority of Unix and Linux systems. Using this vulnerability, an attacker can force the execution of arbitrary commands on an affected server. While these commands may not run with root privileges, they provide a significant vector for further exploitation of a system.
We have released special patches of GitHub Enterprise to fix this vulnerability, and have provided detailed instructions to all our Enterprise customers on how to upgrade their instance. An immediate upgrade is required.
None of the extensive penetration testing we’ve performed today has uncovered any vulnerability on GitHub.com, including git over SSH. As an added precaution, however, we have patched all systems to ensure the vulnerability is addressed.
Written by
Related posts
What 986 million code pushes say about the developer workflow in 2025
Nearly a billion commits later, the way we ship code has changed for good. Here’s what the 2025 Octoverse data says about how devs really work now.
Introducing Agent HQ: Any agent, any way you work
At Universe 2025, GitHub’s next evolution introduces a single, unified workflow for developers to be able to orchestrate any agent, any time, anywhere.
Octoverse: A new developer joins GitHub every second as AI leads TypeScript to #1
In this year’s Octoverse, we uncover how AI, agents, and typed languages are driving the biggest shifts in software development in more than a decade.