The 2.0 series release notes contain important changes in this release series.
Git client vulnerability
Yesterday a critical Git security vulnerability was announced that affects all versions of the official Git client and all related software that interacts with Git repositories.
While GitHub Enterprise itself is not directly affected, it may be used as a distribution point for an attacker to reach unpatched clients. This release detects and blocks malicious trees from being pushed to an Enterprise instance, eliminating it as an attack vector.
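As an added illustration of the kind of server-side check described above (this is example code written for these notes, not GitHub Enterprise's or git's own implementation), the block below scans the paths of a pushed tree and flags any component that a case-insensitive or normalizing filesystem would resolve to `.git`. The assumption here is that "malicious trees" means trees carrying such a component; the list of variants checked (case folding, NTFS 8.3 short names, trailing dots and spaces, ignorable format code points) and the sample paths are constructed for the example.

```python
"""Added illustration (not GitHub's or git's own code) of a server-side check
that flags tree entries whose names a case-insensitive or normalizing
filesystem would treat as ".git". The variants covered are assumptions
about what "malicious trees" means in the release note."""

# Format/zero-width code points that a normalizing filesystem may ignore
# when comparing names. Assumption for this example; not copied from any
# project's source.
IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
IGNORABLE |= set(range(0x202A, 0x202F)) | set(range(0x206A, 0x2070))


def normalize_component(name: str) -> str:
    """Reduce a path component to the form a lenient filesystem would compare."""
    stripped = "".join(ch for ch in name if ord(ch) not in IGNORABLE)
    # Windows drops trailing dots and spaces when resolving a name.
    stripped = stripped.rstrip(". ")
    return stripped.casefold()


def is_dotgit_equivalent(name: str) -> bool:
    """True if `name` would collide with .git on a lenient filesystem."""
    n = normalize_component(name)
    if n == ".git":
        return True
    # NTFS 8.3 short name for ".git" (leading dot dropped): "GIT~1".
    if n.startswith("git~") and n[4:].isdigit():
        return True
    return False


def offending_paths(tree_paths):
    """Return the pushed paths that contain a .git-equivalent component."""
    bad = []
    for path in tree_paths:
        for component in path.split("/"):
            if is_dotgit_equivalent(component):
                bad.append(path)
                break
    return bad


def check_push(tree_paths):
    """Decide whether a pushed tree should be rejected (True = reject)."""
    return bool(offending_paths(tree_paths))


# Constructed sample of paths as they might appear in a pushed tree.
SAMPLE_PATHS = [
    "README.md",
    "src/main.c",
    ".Git/hooks/post-checkout",
    "lib/GIT~1/config",
    "docs/.git./index",
    "a/.g\u200cit/HEAD",
    "normal/.gitignore",
]

if __name__ == "__main__":
    for p in offending_paths(SAMPLE_PATHS):
        print("reject:", p)
    print("push rejected:", check_push(SAMPLE_PATHS))
```

A check like this only covers what arrives at the server, which is exactly the limitation the notes go on to describe: it says nothing about what a client fetches from elsewhere, so client upgrades remain necessary.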
Important details
It is critical to note that this release only provides mitigation against low-level attacks where a user with write access could attempt to push malicious files to a GitHub Enterprise instance. It does not prevent interactions with malicious external Git servers that can open up command-line level attack vectors, as those must be dealt with at the Git client level.
For full protection, we strongly recommend you ensure that all developers update their Git clients, in addition to upgrading to this release. Installing this update alone does not mean your organization is fully safe against this vulnerability. The only way to make sure none of your developers are vulnerable is to have everyone upgrade their Git client.
More details on the vulnerability can be found in the official Git mailing list announcement, on the git-blame blog, and on the GitHub blog.
If you have any questions, please contact support at enterprise@github.com.
Bug Fixes and Updates
- Maintenance pages now display the configured support email rather than the `enterprise@github.com` default.
- The version number is displayed correctly on AWS installations.
- The index entries in Index Management correctly change the cursor to indicate they are clickable links.
- The welcome screen no longer goes blank, and requires `s` rather than any key to start network setup.
- There is now a `/usr/local/bin/ghe-btop` utility to query the status of babeld.
Known Issues
- Creating the OpenVPN connection can fail, causing replication set up with `ghe-repl-setup` to hang.
- Replica promotion can hang when running `ghe-repl-promote`.
- Replicas need to be restarted after upgrading with `ghe-upgrade`.
- Git replication is slow and CPU intensive during the initial push of large/complex repositories.
- First run in Firefox displays the SSL warning twice.
- Admin is prompted to reapply the license after `ghe-upgrade` runs even though the license file is present.
- The management console doesn't handle non-ASCII characters in `authorized_keys`.
- Management console settings interface does not clearly show if you have previously uploaded certificate files or a private key.
- Downloading diagnostics from the web can time out if there are a lot of hook deliveries.
- Memcache doesn't restart properly after a crash and must be manually restarted.
- Jobs stuck on code indexing can delay other jobs from running.
- Dashboard activity feed links point to wrong hostname after restore if the hostname has changed.
- A user cannot be invited to an organization by their full name.
- Wiki links to other wiki pages are rendered as images when a repository contains a directory with the same name.
- Individual application logs are not reliably forwarded. (updated 2015-04-20)
- We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)
- With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)