The 2.0 series release notes contain important changes in this release series.
Security Fixes
- CRITICAL: Remote code execution possible via ntpd.
- MEDIUM: Specially crafted Gist updates could bypass the Git client protection introduced in 2.0.4.
- MEDIUM: The web editor could be used to bypass the Git client protection introduced in 2.0.4.
NTP vulnerability
Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet with malicious arbitrary code that will execute at the privilege level of the ntpd process.
This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.
Mitigation
If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:
sudo ufw delete allow ghe-123
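To confirm the temporary mitigation took effect, the following added check (not part of the release notes) inspects saved `sudo ufw status` output and reports any ALLOW rule that still admits NTP, whether through the ghe-123 application profile named above or a raw port 123 rule. The sample status text is constructed for illustration and the column layout is assumed to match ufw's usual "To / Action / From" table.

```shell
#!/bin/sh
# Added example, not from the GitHub Enterprise release notes.
# Verifies that no ufw rule still admits NTP traffic after
# `sudo ufw delete allow ghe-123` has been run.

# Constructed sample of `sudo ufw status` output before the mitigation.
# On a real appliance capture it with: sudo ufw status > /tmp/ufw-status.txt
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
ghe-22                     ALLOW       Anywhere
ghe-123                    ALLOW       Anywhere
ghe-443                    ALLOW       Anywhere'

# ntp_rule_present STATUS_TEXT
# Prints every ALLOW rule whose "To" column is the ghe-123 profile or a
# port-123 spec (123, 123/udp, 123/tcp). Returns 0 if any matched, else 1.
ntp_rule_present() {
    printf '%s\n' "$1" | awk '
        ($1 == "ghe-123" || $1 ~ /^123(\/(udp|tcp))?$/) && $2 ~ /^ALLOW/ {
            print
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ntp_rule_count STATUS_TEXT
# Number of rules that still admit NTP; 0 means the mitigation is in place.
ntp_rule_count() {
    ntp_rule_present "$1" | wc -l | tr -d ' '
}

if ntp_rule_present "$SAMPLE_UFW_STATUS" >/dev/null; then
    echo "NTP firewall rule still present; run: sudo ufw delete allow ghe-123"
else
    echo "No firewall rule admits NTP traffic"
fi
```

Run it against the captured file with `ntp_rule_present "$(cat /tmp/ufw-status.txt)"` to check a live appliance rather than the constructed sample.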
If you have any questions, please contact support at enterprise@github.com
Known Issues
- Creating the OpenVPN connection can fail, causing replication setup with ghe-repl-setup to hang.
- Replica promotion can hang when running ghe-repl-promote.
- Replicas need to be restarted after upgrading with ghe-upgrade.
- Git replication is slow and CPU intensive during the initial push of large or complex repositories.
- First run in Firefox displays the SSL warning twice.
- Admin is prompted to reapply the license after ghe-upgrade runs even though the license file is present.
- The management console doesn't handle non-ASCII characters in authorized_keys.
- Management console settings interface does not clearly show if you have previously uploaded certificate files or a private key.
- Downloading diagnostics from the web can time out if there are a lot of hook deliveries.
- Memcache doesn't restart properly after a crash and must be manually restarted.
- Jobs stuck on code indexing can delay other jobs from running.
- Dashboard activity feed links point to wrong hostname after restore if the hostname has changed.
- A user cannot be invited to an organization by their full name.
- Wiki links to other wiki pages are rendered as images when a repository contains a directory with the same name.
- Individual application logs are not reliably forwarded. (updated 2015-04-20)
- We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)
- With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)