The 2.0 series release notes contain important changes in this release series.
Bug Fixes
- Ubuntu packages have been updated to the latest bugfix/security versions.
- With private mode enabled, redirects could leak the Nginx version we use.
- Changes to authentication settings in the management console were lost if any settings failed to validate.
- Adding an SSH key that contained non-ASCII characters like smart quotes would break the management console.
- If your management console session timed out, connectivity tests failed without any error message. Now you're redirected to log in again.
- We stopped you from adding a duplicate or broken SSH key to the management console, but the error didn't show up properly.
- The HAProxy connection limits were incorrectly configured, making them a little bit lower than they should have been.
- When a SAML response incorrectly had an email as the NameID, but didn't include email as a released attribute, users could sign in the first time but couldn't sign in again after signing out.
- Checking replica status with ghe-repl-status was really slow. We made it faster.
- If Pages on a replica fell too far behind the primary, the alert shown by ghe-repl-status was missing how far behind replication was.
- Replication didn't restart properly after rebooting a high availability replica.
- Replication didn't replicate custom DNS settings.
- The SSH key used for replication didn't survive upgrades and had to be regenerated.
- The Git gateway tried to log timing statistics to an inaccessible statsd server.
- The Git gateway included the repository twice in SSH log entries.
- The Git gateway logs were messed up when we tried to rotate them.
- The Git gateway was being restarted every day, but we didn't need to do that.
- The hypervisor console script timed out every five seconds and respawned, spamming the logs.
- Git clone events weren't being forwarded as part of the github_audit log stream.
- Hovering over the timing statistics graph in the site admin showed "undefined" instead of the hostname and Ruby version.
- Compressing a support bundle could be slow, so we sped it up using more than one core (but with a high nice value so it won't affect anything else).
- Diagnostics always said Log Forwarding was disabled, regardless of reality.
- Creating the diagnostics file for support could time out if there were lots of webhook delivery logs.
- In Pages sites, JSON files were served with the wrong MIME type.
- We sometimes didn't show the gateway address in the hypervisor console.
- Accessing GitHub Enterprise in Firefox with the default certificate still enabled displayed the SSL warning twice.
- The 'Revert' button didn't work properly when trying to revert a pull request from a fork.
- Git authentication could fail after changing the hostname.
Known Issues
- Creating the OpenVPN connection can fail, causing replication set up with ghe-repl-setup to hang.
- Replica promotion can hang when running ghe-repl-promote.
- Git replication can be slow and CPU intense during initial push of large or complex repositories.
- The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
- Jobs stuck on code indexing can delay other jobs from running.
- Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.
- The ghe-org-owner-promote command line utility is currently broken.
- In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Switching to a different authentication method doesn't expire existing sessions.
- Events in the github_audit log stream are being logged twice.
- Replication needs to be reconfigured after upgrading a replica with ghe-upgrade.
- Gists can't be created when using Safari 8.x in Private Mode.
- SNMP can't be run on high availability replicas.
- Individual application logs are not reliably forwarded. (updated 2015-04-20)
- We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)
- With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)
Security Fixes
- MEDIUM: Buffer overflow in gethostbyname. Also known as the GHOST vulnerability.
- LOW: Desktop applications were granted API tokens with more access scope than was necessary.
GHOST vulnerability
Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.
Errata
- Replica promotion hanging when running ghe-repl-promote was fixed in 2.0.2.
Thanks!
The GitHub Team
https://enterprise.github.com/releases/2.0.6
Security Notification
Important Security Vulnerabilities Fixed in GitHub Enterprise 2.0.6
The following important security vulnerabilities have been fixed in the 2.0.6 release:
- MEDIUM: Buffer overflow in gethostbyname. Also known as the GHOST vulnerability.
If you have any questions, please contact support at enterprise@github.com
Thanks!
The GitHub Team