Home / Companies / GitHub / Blog / September 2021

September 2021 Summaries

22 posts from GitHub

Filter
Month: Year:
Post Summaries Back to Blog
GitHub has introduced enterprise managed users (EMU) for GitHub Enterprise Cloud (GHEC), providing companies with centralized user account administration and enhanced control over their employees' accounts while maintaining the scalability and reliability of the platform. This feature allows companies to connect their identity providers (IdPs) with GitHub, streamlining user account creation, updates, and suspensions, and enabling synchronization of GitHub user details with corporate identities. EMU also enhances auditing capabilities, allowing enterprise owners to monitor user activities and ensuring that repositories within EMU accounts remain private to protect intellectual property. This development does not affect regular GitHub users and is available for enterprises utilizing AzureAD and Okta IdPs.
Sep 30, 2021 465 words in the original blog post.
The blog post delves into the exploitation of CVE-2021-30528, a use-after-free vulnerability in Chrome that allows a compromised renderer to escape the sandbox and gain privileged access on Android devices. The author, Man Yue Mo, details the complex interaction between C++ and Java code, illustrating how Chrome's object management can lead to vulnerabilities. The post examines the impact of Chrome's use of PartitionAlloc as a memory allocator and describes a method to place controlled data at predictable addresses, bypassing memory space randomization mitigations. The author explores techniques for exploiting the vulnerability, including overcoming challenges related to object replacement and memory allocation, and ultimately achieving arbitrary code execution. The exploit highlights the intricacies of Chrome's architecture, emphasizing the need for continued improvements in sandbox and memory management security.
Sep 30, 2021 4,782 words in the original blog post.
GitHub Enterprise Server 3.2 introduces over 70 new features aimed at enhancing the developer experience and providing advanced security capabilities. Notable updates include improved management of continuous delivery workflows via GitHub Actions, enhanced user experience with new dark and dimmed appearance settings, and the ability to share videos within issues and pull requests. Security enhancements are significant, offering integration with industry-trusted security tools, the ability to control email domain notifications, and automatic expiration of personal access tokens to mitigate threats. GitHub Advanced Security users gain access to a comprehensive security overview and enhanced secret scanning capabilities, including custom pattern support. Users are encouraged to explore these enhancements through the release notes or by starting a free trial.
Sep 28, 2021 273 words in the original blog post.
GitHub.com, initially built on Ruby on Rails with a single MySQL database, has evolved over the years to support its growth and resilience demands by iterating its database architecture. Originally relying on a primary database cluster named mysql1, GitHub faced scalability challenges as it expanded. In response, the company implemented virtual partitions and schema domains to manage data more effectively, enforced by SQL linters that ensure data can be safely partitioned without cross-domain queries. In addition, GitHub developed a transaction linter and employed tools like Vitess and a custom write-cutover process for moving large data sets across database clusters without downtime. These efforts have resulted in a 50% load reduction on database hosts, improved system reliability, and a reduction in database-related incidents. The strategic use of both vertical and horizontal partitioning has allowed GitHub to accommodate sustainable growth, with plans to detail further advancements in future communications.
Sep 27, 2021 2,021 words in the original blog post.
GitHub has updated its privacy agreements to align with new legal requirements and its own data protection practices, following the European Union Court of Justice's invalidation of the EU-US Privacy Shield in July 2020 due to concerns over US government access to EU personal data. To ensure uninterrupted trans-Atlantic developer collaboration, GitHub has implemented standard contractual clauses (SCCs) and additional security measures, which are reflected in its updated customer data protection terms and Privacy Statement. The company has reviewed the new SCCs published by the European Commission in June 2021, which offer stronger protections and a modular approach to EU data transfers. GitHub's revised Data Protection Agreement (DPA) and Microsoft Addendum incorporate these new SCCs to enhance transparency and demonstrate compliance with privacy laws, reinforcing its commitment to safeguarding developer and customer data.
Sep 27, 2021 293 words in the original blog post.
On September 13, 2021, Google released Chrome version 93.0.4577.82, addressing two critical security vulnerabilities, CVE-2021-30632 and CVE-2021-30633, that were being actively exploited. These vulnerabilities involved a type confusion bug in the JIT compiler and a use-after-free bug in the IndexedDB API, allowing for a full remote compromise of Chrome through remote code execution and sandbox escape. The analysis explores the intricacies of the JIT compiler in Chrome’s v8 JavaScript engine, particularly focusing on property access optimizations, map stability, and transitions that can lead to type confusions and potential exploits. The author provides a detailed walkthrough of constructing an exploit based on these vulnerabilities, emphasizing the complexities involved in ensuring consistency in object states across different layers of property access implementations. This technical examination aims to offer insights into the vulnerabilities of JIT optimizations, aiding researchers in preventing similar issues in the future.
Sep 27, 2021 5,207 words in the original blog post.
GitHub has expanded its Advisory Database to include curated security advisories for the Rust ecosystem, marking its coverage of eight programming language ecosystems, including Composer, Go, Maven, npm, NuGet, pip, RubyGems, and now Rust. This addition allows Rust developers to check for security vulnerabilities directly on GitHub, where their code resides. The initiative is part of GitHub's broader mission to enhance supply chain security for developers and organizations. The expansion was made possible through collaboration with RustSec, an independent organization that provides a public database of Rust security advisories, which serves as a foundation for GitHub's Rust vulnerability dataset. GitHub plans to continue working with RustSec and the Rust community to share and enhance security data, promoting better visibility and reduction of vulnerabilities across ecosystems. The GitHub Advisory Database is an open resource licensed under Creative Commons Attribution 4.0, aiming to provide high-quality, actionable vulnerability information for developers.
Sep 23, 2021 361 words in the original blog post.
GitHub is enhancing the security of its supply chain by introducing a new authentication token format for npm, aligning it with the GitHub authentication tokens format. Previously, npm tokens followed a 36-character UUID pattern, which posed challenges like inaccurate detection of compromised tokens. The new tokens begin with an identifiable "npm" prefix, facilitating indexing by GitHub secret scanning and npm's internal secret scanners, and use an underscore as a delimiter for improved usability. This new format increases token entropy from 128 to 178 by making the tokens longer and using a larger alphabet, while the inclusion of a CRC32 checksum encoded in Base62 helps minimize false positives in leak detection. Users are encouraged to reset their existing access tokens to this new format to enhance security and improve the precision of secret scanning.
Sep 23, 2021 327 words in the original blog post.
During an audit of Apache Dubbo v2.7.8, multiple vulnerabilities were discovered, allowing for remote code execution by enabling attackers to compromise and run arbitrary system commands. The audit process, detailed in a blog post, utilized CodeQL, a semantic code analysis tool from GitHub, to explore the Dubbo codebase and identify security weaknesses, particularly in deserialization processes. Several past vulnerabilities, such as CVE-2020-11995 and CVE-2020-1948, were noted for unsafe deserialization, and new vulnerabilities were identified, including issues with arbitrary bean manipulation and YAML unmarshalling. CodeQL was leveraged to model and track data flows, revealing vulnerabilities related to the Dubbo protocol's handling of serialized data, which could be exploited to bypass security controls. The blog emphasizes the importance of understanding the application's attack surface, using CodeQL not just for automated scanning but as an exploratory tool to enhance code audits and quickly identify critical security issues.
Sep 21, 2021 6,954 words in the original blog post.
GitHub Enterprise Cloud has introduced a new feature allowing customers to stream audit log and Git events to platforms like Splunk or Azure Event Hub in near real-time, with data retention for up to seven days for paused collections. This feature enhances the ability of enterprise administrators to conduct short-term investigations and long-term threat analysis by ensuring no audit log event is lost, and allows data to be stored within an organization's data collection systems for extended periods. Git events constitute the majority of enterprise-generated events and can be analyzed using GitHub's API or streaming capability, though the API provides only a seven-day data window. Users can filter events by specific organizations and integrations with platforms like AWS S3, Azure Blob Storage, and Google Cloud Storage are forthcoming, alongside support for more SIEM partners and threat prevention tools. GitHub is actively seeking user feedback and offers support to help users set up their streams, with more status and error handling improvements planned as the feature remains in public beta.
Sep 16, 2021 643 words in the original blog post.
Open source software thrives due to the contributions of over 65 million developers worldwide, who continuously improve and expand the boundaries of technology. The ReadME Project, launched in August 2020, highlights inspiring stories of developers, maintainers, and organizations advancing humanity through open source initiatives. These stories include Limor Fried's groundbreaking work with Adafruit Industries, Sonia John's journey from hyperinflation in South Sudan to becoming a blockchain developer, Henry Zhu's transition to a full-time Babel maintainer, and Ada Nduka Oyom's efforts to empower women in tech through She Code Africa. Additionally, the community's collaborative power is exemplified by nearly 12,000 developers' contributions to NASA's Ingenuity Helicopter. The project encourages ongoing community engagement by inviting feedback and story nominations, while also offering a newsletter to keep readers informed about open source achievements.
Sep 14, 2021 346 words in the original blog post.
GitHub announced several updates and innovations in August, with the general availability of GitHub Codespaces allowing developers to create dev environments directly from a browser, eliminating the need for high-powered machines. GitHub Discussions, launched over a year ago, has moved out of beta, providing a collaborative space for sharing ideas with functionalities like label integration and GitHub Actions compatibility. Security improvements include the shift from password to token-based authentication for Git operations and enhancements in secret scanning alerts management. Updates to GitHub Actions include improvements for Java projects and the introduction of composite actions for easier script reuse, alongside new runner options for Windows Server 2022 and macOS 11 Big Sur. The GitHub CLI 2.0 now supports extensions for custom command creation, and GitHub for Mobile introduced customizable shortcuts. GitHub Classroom's new extension for Visual Studio Code aims to simplify the learning process for students and teachers. Furthermore, GitHub Issues saw enhancements in search filtering and draft conversion, while a new release creation UI was introduced. Meanwhile, GitHub's dark high contrast theme is now available, improving nighttime browsing experiences.
Sep 13, 2021 1,153 words in the original blog post.
GitHub announced the GitHub Open Source Grants at GitHub Satellite India 2021, dedicating one crore Indian rupees to support open source maintainers and contributors in India, fostering innovation and global impact through open source software. Since May 2021, developers from 81 cities and 19 states across India have applied, showcasing diverse projects, including developer tools and COVID-19 initiatives, with the first 15 grant recipients being acknowledged for their contributions. GitHub also introduced GitHub Sponsors in India to financially back developers, starting with an initial group, including grant recipients, to ensure a sustainable open-source community. The initiative emphasizes the pivotal role of Indian developers in shaping the future of software, with GitHub committed to ongoing support through grants and the expanding Sponsors program, encouraging broader participation and innovation in the open source domain.
Sep 12, 2021 423 words in the original blog post.
The blog post from GitHub Security Lab explores the relationship between developers and security researchers, focusing on the vulnerability disclosure process and the perspectives of open source maintainers. The study highlights the lack of a standardized process for vulnerability disclosure, with entities like Google’s Project Zero and GitHub Security Lab having their own methods. Developers often experience anxiety upon receiving vulnerability reports but appreciate constructive feedback, particularly when communicated privately. While maintainers generally have limited engagement with the security research community, they express openness to foundational security knowledge and resources. The research emphasizes the need for a collaborative and flexible approach to the 90-day disclosure timeline and aims to foster better partnerships between developers and researchers. The findings are intended to inform improvements at GitHub Security Lab and contribute to a safer, more cooperative ecosystem, with plans to expand the analysis to include insights from the security research community later.
Sep 09, 2021 2,192 words in the original blog post.
GitHub Enterprise Server 3.2 has been released as a candidate, introducing over 70 new features to enhance the developer experience and bolster security capabilities. Highlights include the addition of dark and dimmed themes to reduce eye strain, video uploads in pull requests for improved collaboration, and new compliance controls such as disabled auto-merge for pull requests with new changes. GitHub Advanced Security now supports custom patterns for secret scanning and offers a new security overview for application security risks. The release enhances continuous delivery with GitHub Actions by introducing environment protection rules and secrets, enabling secure deployments and compliance adherence. Developers can securely access GitHub using third-party security keys and the Git Credential Manager, while companies can restrict notification emails to approved domains. The release aims to provide a more delightful and secure development environment for users, encouraging testing in non-production settings to gather feedback.
Sep 09, 2021 662 words in the original blog post.
Between July 21 and August 13, 2021, vulnerabilities were discovered in the Node.js packages tar and @npmcli/arborist through a private security bug bounty program, potentially leading to arbitrary code execution. These vulnerabilities stem from issues like file overwrites when extracting untrusted tar files or installing npm packages, affecting the npm CLI and other dependent projects due to their widespread use. Seven CVEs were assigned, with four directly impacting the npm CLI, emphasizing the need to update npm and tar to the latest versions to mitigate risks. The npm team acted swiftly, releasing fixes, scanning for malicious packages, and blocking certain package types to enhance security. Additionally, they collaborated with security researchers and the community to address these vulnerabilities, highlighting the importance of coordinated disclosure and community partnership in maintaining security.
Sep 08, 2021 2,190 words in the original blog post.
GitHub's code scanning tool, CodeQL, is being utilized internally to enhance code quality by identifying common coding mistakes, such as memory leaks and unchecked errors, that can be challenging to detect manually. By leveraging CodeQL, GitHub has developed queries to flag specific issues like Go's defer statement causing memory leaks and missing error checks in GORM, a Go Object Relational Mapper. Additionally, they have addressed performance issues associated with "N+1 queries" by identifying inefficient database operations within loops. These custom queries, although experimental, can be employed by developers via a special query suite to improve code quality and developer efficiency. GitHub encourages the creation and sharing of custom CodeQL queries to address unique issues within codebases, enhancing the community's collective coding practices.
Sep 07, 2021 717 words in the original blog post.
August was a busy month for the open-source community as numerous projects launched significant updates, showcasing a diverse range of innovations from data visualization tools to gaming. Highlighted releases include Grafana 8.0, which enhances data visualization and alerting capabilities, and D3 7.0, a JavaScript library for creating interactive web-based data visualizations. Chainlink 1.0 facilitates communication with blockchains for smart contracts, while Postal 2.0 offers an open-source solution for email delivery. FSNotes 5.0 for macOS and iOS brings significant improvements to note management, and Locust 2.0 introduces changes in performance testing. Network monitoring tool ntopng 5.0 now features an advanced alert engine, while Reaction 4.0 integrates Node.js, React, and GraphQL in a commerce platform. GitHub CLI 2.0 supports extensions for custom workflows, and Shattered Pixel Dungeon 1.0 delivers a randomized rogue-like RPG experience. These releases highlight the community's creativity and dedication to advancing technology across various fields.
Sep 03, 2021 1,108 words in the original blog post.
Applications are open for the MLH Fellowship: GitHub Externship Track, offering students the chance to work on GitHub's core codebases, gaining real-world experience and earning while they learn. This initiative, in collaboration with Major League Hacking, allows students to contribute to both open source and innersource projects, impacting millions of developers globally. The partnership, which has spanned seven years, focuses on teaching early career developers meaningful collaboration using industry-leading tools. The program encourages applicants familiar with programming languages such as Ruby/Rails, C++, C#, Go, JavaScript, and functional languages like Haskell or OCaml. Applications are accepted until September 13, with further inquiries directed to [email protected], and updates available via GitHub's blog and social media channels.
Sep 02, 2021 411 words in the original blog post.
GitHub's Git Systems team is implementing several security enhancements to improve the safety of protocol interactions when users push or pull Git data, particularly focusing on SSH connections. Changes include discontinuing support for DSA keys, requiring SHA-2 signatures for new RSA keys, and eliminating older SSH algorithms like HMAC-SHA-1 and CBC ciphers. Additionally, GitHub will introduce ECDSA and Ed25519 host keys and disable the unencrypted Git protocol. These updates aim to bolster security by removing outdated and less secure cryptographic methods, with the transition occurring through a series of planned "brownouts"—temporary periods where the deprecated features will be disabled to help users identify and adjust to the changes. Users relying on SSH or git:// protocols are advised to update their systems to ensure compatibility, while those using HTTPS connections remain unaffected.
Sep 01, 2021 1,413 words in the original blog post.
In August, GitHub experienced two significant incidents affecting various services, including Git operations and GitHub Actions, highlighting challenges with database and microservice management. On August 10, a MySQL database primary entered a degraded state due to a poorly performing query and application retry logic, affecting services requiring write access and leading to a prolonged outage. This incident prompted discussions on improving incident reporting and post-incident analysis to enhance service reliability. Later, on the same day, an unrelated incident during maintenance of the Actions service caused a high error rate due to a bad service record in the microservices architecture, disrupting workflow runs. The mitigation involved removing the faulty record, and GitHub has since prioritized changes to improve service discovery processes and enhance visibility across microservices. GitHub emphasizes ongoing efforts to refine their incident response and maintain user trust, encouraging users to follow updates on their status page and blog.
Sep 01, 2021 664 words in the original blog post.
GitHub Global Campus serves as a centralized platform for the growing community of over 1.7 million students, providing access to a wide range of educational resources, industry tools, and community connections. It enables students to connect with local Campus Experts, utilize the GitHub Student Developer Pack, which includes over 100 offers, and participate in events such as hackathons and tech talks. The platform also supports academic activities by allowing students to review coursework and collaborate using tools like the Visual Studio Code Classroom extension. By joining Global Campus, students gain access to a global network of peers and resources aimed at fostering their technical career development. Registration is available through the GitHub Student Developer Pack, offering students a streamlined way to enhance their learning and professional growth.
Sep 01, 2021 466 words in the original blog post.