The 2.0 series release notes contain important changes in this release series.
Security Fixes
- HIGH Read access to public API endpoints of private-mode instances and to specific reporting endpoints can be authenticated by connecting via local trusted ports. This authentication could be bypassed by manipulating specific HTTP headers and lead to information disclosure.
- Kernel and packages have been updated to the latest security versions.
- Mediawiki Math markup within Gists and repository files with the `.mediawiki` suffix could leak information to the Google Chart API when they were displayed.
Known Issues
- In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.
- Git replication can be slow and CPU-intensive during the initial push of large or complex repositories.
- Creating the OpenVPN connection can fail, causing replication set up with `ghe-repl-setup` to hang.
- Events in the `github_audit` log stream are logged twice.
- Jobs stuck on code indexing can delay other jobs from running.
- SNMP can't be run on high availability replicas.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.
- The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
- Gists can't be created when using Safari 8.x in Private Mode.
- We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message.
Thanks!
The GitHub Team