Security

• CRIT: Fixed potential authentication bypass in the Management Console.
• MOD: Fixed privilege escalation vulnerability due to world writable executable.
• LOW: Session cookie expiration time lowered to 1 week.

New

• Relative links in markup files
• Sorting through search results
• Quick quotes
• Global Issue Search
• Sortable Stars
• Better live updates
• Moving and Renaming Files on GitHub
• Closing Issues Across Repositories
• Branch and Tag Labels for Commit Pages
• Quickly access Repositories you contribute to
• A smarter, more complete search bar
• Redesigned merge button
• Get up to speed with Pulse
• Check the status of your branches
• GitHub OAuth Authentication

Enhancements

• Upgraded git to v1.8.1.6.
• Added ElasticSearch disk usage information to diagnostics.
• Removed git-daemon max connections limit.
• Increased MySQL innodb_buffer_pool_size from 8MB to 128MB.
• Added better sysctl defaults and the ability to customize them (see /etc/sysctl.conf for details).
• Added access to some limited sudo capabilities (netstat, kill, lsof, tcpdump, strace, tail, grep, shutdown).
• Added timeout cache clearing to "Clear Page Cache" functionality in Admin Tools facebox (hit backslash while viewing a repo).
• Added new Reports section in the Admin Tools dashboard to download CSV reports of users, organizations, and repositories.
• Added the ability to bulk suspend dormant users.

Bugfixes

• Site Admins can now create wikis without disabling admin mode.
• In-repo source code searches for public repositories would throw 404 errors.
• Importing from MySQL backups taken prior to 11.10.300 could prevent logins from working if a configuration run wasn't performed.
• ElasticSearch indexes weren't being properly created under some conditions. This release will perform a full reindex.
• Ignore whitespace in diffs wasn't working as expected.
• Customer license information wasn't being displayed in diagnostics output.
• Logging out under CAS authentication wasn't working.
• Display issues on the license expiration page.
• An interrupted upgrade could put the install in a bad state.
• Upgrading would sometimes throw a 500 error while uploading the new GHP.
• Exporting/importing ssh authorized keys raised an error.
• Caching wasn't being properly cleared when gravatars were enabled, the hostname was changed or SSL was enabled.
• Gravatars stopped showing up properly even when email addresses were present.
• Some process monitoring-related issues would sometimes prevent git-daemon from starting properly after upgrades.
• Submodules living on GitHub.com would be linked to as if they were local.
• Some cookies were not being set to HttpOnly.
• Deleting an organization was failing.
• Downloading support bundles would sometimes throw 500 errors preventing them from being downloaded via the web UI.
• Pull requests from forks defaulted the target branch to master rather than the corresponding upstream branch.
• Timeouts when opening pull requests resulted in a 500 rather than a more user-friendly error message.
• User to Organization conversions were throwing a 500 error, making it impossible to convert a user to an organization.
• Unlocking private repositories as a site admin now works as expected.

Additional information is available here.