The 2.1 series release notes contain important changes in this release series.

Bug Fixes

• Ubuntu packages have been updated to the latest bugfix/security versions.
• With more than seven tabs open, dynamic content could fail to load due to browser connection limits. We've returned to using polling instead.
• When a SAML response incorrectly had an email as the NameID, but didn't include email as a released attribute, users could sign in the first time but couldn't sign in again after signing out.
• If an SSH key contained extra whitespace or a comment, LDAP Sync sent emails warning that an SSH key was added to your account each time sync ran.
• When synchronizing an LDAP Group mapped to multiple GitHub Teams, we queried the LDAP directory for each Team. We now query once for the Group and update all the Teams at the same time. We also improved the performance of searching for group members.
• Creating LDAP users through the site admin caused an error if their LDAP username included characters that would be normalized in their GitHub username, like $, _, ..
• Members of the LDAP admin group were given admin privileges on account creation or LDAP Sync, but not when they signed in.
• We incorrectly hid avatar options in the management console if a service URL was set but avatars were disabled.
• If your management console session timed out, connectivity tests failed without any error message. Now you're redirected to log in again.
• The From: address was wrong in notification emails if the "no-reply" email address was configued, using the SMTP HELO domain instead.
• SASL was enabled even if SMTP authentication wasn't turned on, which could cause email delivery failures.
• Doing an initial installation using the management console API failed if you didn't include the port, because we dropped data when redirecting.
• If Pages on a replica fell too far behind the primary, the alert shown by ghe-repl-status was missing how far behind replication was.
• Diagnostics always said Log Forwarding was disabled, regardless of reality.
• The Git gateway tried to log timing statistics to an inaccessible statsd server.
• Hovering over the timing statistics graph in the site admin showed undefined instead of the hostname and Ruby version.
• Compressing a support bundle could be slow, so we sped it up using more than one core (but with a high nice so it won't affect anything else).

Known Issues

• Creating the OpenVPN connection can fail, causing replication set up with ghe-repl-setup to hang.
• Replica promotion can hang when running ghe-repl-promote.
• Git replication can be slow and CPU intense during initial push of large or complex repositories.
• The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
• Jobs stuck on code indexing can delay other jobs from running.
• Dashboard activity feed links point to wrong hostname after restoring from backup if the hostname has changed.
• The ghe-org-owner-promote command line utility is currently broken.
• In some circumstances, after an upgrade we prompt you to upload a license, even though there's already a valid license.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Switching to a different authentication method doesn't expire existing sessions.
• Events in the github_audit log stream are being logged twice.
• Replication needs to be reconfigured after upgrading a replica with ghe-upgrade.
• Gists can't be created when using Safari 8.x in Private Mode.
• SNMP can't be run on high availability replicas.
• Updating a license in the management console is not reflected in the GitHub application under some circumstances. (updated 2015-02-02)
• Enabling LDAP Sync for emails can cause background jobs to be continuously queued, which in turn can affect performance. We recommend disabling email sync in this version. (updated 2015-02-25)
• Viewing a PSD or STL file with more than one revision results in an error being thrown. (updated 2015-02-27)
• Individual application logs are not reliably forwarded. (updated 2015-04-20)
• When using Chrome 42 or newer, wiki pages can't be edited, images can't be uploaded via drag and drop, and autocomplete menus and repository graphs may not display. (updated 2015-05-06)
• Avatars, release downloads, and image attachments to wikis and issues are not copied correctly by high availability replication. (updated 2015-05-20)
• We show your gravatar or identicon on Gists instead of your custom profile picture. (updated 2015-06-15)
• Repositories with a leading dot in their name fail to replicate if they were created before replication was set up. (updated 2015-06-16)
• We display the time in the scheduled maintenance banner in UTC instead of the viewer's timezone. (updated 2015-06-18)
• Users with LDAP DNs longer than 255 characters are suspended if LDAP Sync is enabled. (updated 2015-06-19)
• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes. (updated 2015-07-14)
• With private mode enabled, a Pages site with no default page serves a generic error rather than an informative message. (updated 2015-07-14)
• Updates to Wiki pages by users without a primary email address set throw errors. (updated 2015-08-25)
• With LDAP authentication enabled, entering the wrong password can cause a timeout for some users. (updated 2015-09-02)
• Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)

Security Fixes

• MEDIUM: Buffer overflow in gethostbyname. Also known as the GHOST vulnerability.

GHOST vulnerability

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.

Errata

• Replica promotion hanging when running ghe-repl-promote was fixed in 2.0.2.

Thanks!

The GitHub Team

https://enterprise.github.com/releases

https://enterprise.github.com/releases/2.1.1

Security Notification

Important Security Vulnerabilities Fixed in GitHub Enterprise 2.1.1

The following important security vulnerabilities have been fixed in the 2.1.1 release:

• MEDIUM: Buffer overflow in gethostbyname. Also known as the GHOST vulnerability.

GHOST vulnerability

Qualys researchers have found a buffer overflow vulnerability in the gethostbyname function in the C standard library that could allow remote code execution under some circumstances. There is currently no known way to exploit GitHub Enterprise remotely using this vulnerability, as many services don't use gethostbyname in a way that is exploitable. However, as a precaution we recommend upgrading to this latest patch release or to a later version.

If you have any questions, please contact support at enterprise@github.com

Thanks!

The GitHub Team