GitHub Enterprise - The best way to build and ship software

GitHub Enterprise 2.11.0 September 13, 2017 Series notes · Download

Features

Upgrade to Elasticsearch 2.4, which impacts GitHub Enterprise upgrades.
Experience reduced downtime when you’re upgrading patch releases with hotpatching.
Configure Git rate limiting with Governor.
Experience performance improvements in high-availability environments for geographically-distributed teams with geo-replication.
Enable SNMP v3 for extra security, including authentication and encryption using the user-based security model (USM).
Increase the root partition size using an existing appliance.
Limit the creation of LDAP group mappings to organization or site administrators.
Enable LDAP certificate verification.
Configure a replica appliance with a new workflow.
Restrict the ability to change repository visibility to organization owners.
Display and delete image attachments from issues and pull requests using administrator tools.
Create multiple levels of nested teams within an organization to reflect your company or group’s hierarchy structure.
Ask a specific team in your organization to review a pull request.
Specify a code owner for your project's code who will be automatically added as a reviewer for code they own.
Open issues directly from code within a file or pull request.
Create a permanent link to a code snippet.
Store important files for your project, like README and CONTRIBUTING files, in a repository's docs folder.
Create a SUPPORT file for your project.
Mark and unmark issues and pull requests as duplicates.
Use a saved reply to mark an issue as a duplicate.
Navigate pull requests, including Python pull requests, using a summary list of changed methods and functions.
Use ED25519 keys for GPG.
Use emojis and @mentions in your organization description.
Clone your repository in Xcode.
Use improved project board features, like advanced card filtering and task list summaries on cards.
Search, show, and delete image attachments from /stafftools.

Security Fixes

Packages have been updated to their latest security versions.
LOW: A PDF with looping xref tables caused the PDF renderer to consume high amounts of CPU or hang a user's browser. (updated 2017-09-19)

Bug Fixes

Commit contributions for a repository were not rebuilt when the gh-pages branch is deleted.
In a clustering environment, ghe-cluster-config-node-init could fail silently.
Adding a project note containing emoji would fail with a '500 Internal Server Error'.
The Branch Merging API stripped lines starting with # from commit messages.
The user suggestion functionality could timeout when adding members to a very large team.
Adding files with a blank content type, e.g. .zip, .docx, to conversations in issues and pull requests would fail.
An empty Projects board was shown when Elasticsearch was unavailable or rebuilding indices after an upgrade.

Changes

The MIME types used by GitHub Pages match those used by the rest of the appliance.
Syslog identifiers for various services have been made more explicit to make it easier to identify the service.
The maximum number of multiplexed session for administrative SSH session has been increased to 100. This improves backup restores for clustering environments.
NTLM has been removed from the SMTP configuration as an authentication protocol option. This was not working and is insecure.
Releases are sorted first by date and then semantic version instead of lexicographically.
Support for legacy high availability replication has been removed in 2.11. The default replication mechanism changed in 2.9 and this is now the only option in 2.11. This change has no impact unless legacy high availability replication was explicitly configured.
OpenVPN, used in high availability and clustering environments, has been upgraded to 2.4 with support for ECDHE. This removes the need to generate DH parameters and speeds up initial OpenVPN setup.
Pre-receive hooks now run as an unprivileged dedicated user. This could impact running hooks if hooks write temporary data outside /tmp. Running pre-receive hooks as an unprivileged dedicated user improves security by limiting access to the rest of the system from pre-receive hooks.
GitHub Pages now uses Jekyll 3.5.1.
GitHub Pages now uses Commonmark for Markdown rendering.
Using enterprise@github.com as the support address is no longer supported. Customers who have this email address configured need to change it to a valid internal support address or URL.
samplicator, the utility that sends statistics to the metrics servers in cluster environments, now runs as an unprivileged dedicated user.
The commit button text is now shown as "Commit merge" in the conflict editor to better communicate what is happening.

Backups and Disaster Recovery

GitHub Enterprise 2.11 requires at least GitHub Enterprise Backup Utilities 2.11.0 for Backups and Disaster Recovery.

Upcoming deprecation of Internet Explorer 11 support

Support for Internet Explorer 11 will be deprecated on September 13, 2018.

Upcoming deprecation of VMware ESX 5.5 support

Support for VMware ESX 5.5 will be deprecated on September 13, 2018.

Upcoming deprecation of GitHub Enterprise 2.8

GitHub Enterprise 2.8 will be deprecated as of November 9, 2017. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.

Known Issues

We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Custom firewall rules aren't maintained during an upgrade.
svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
~~GitHub Enterprise clustering can not be configured without https.~~
Deleting a search index doesn't delete all associated metadata, which are then incorrectly reused if a new search index is created. This causes search index repair jobs to be reported as finished in the site admin when they were not.

Upgrading a high availability environment from a 2.10 release to 2.11.0 could fail with the following error: (updated 2017-09-14)

  $ ghe-upgrade ./github-enterprise-ami-2.11.0.pkg
  *** verifying upgrade package signature...
  725MiB 0:00:05 [ 141MiB/s] [===========================>] 100%
  gpg: Signature made Tue 12 Sep 2017 05:03:10 AM UTC using RSA key ID 0D65D57A
  gpg: Good signature from "GitHub Enterprise (Upgrade Package Key) <enterprise@github.com>"
  *** applying update...
  Scanning for incompatible Elasticsearch mappings...
  waiting for ssh for [ghe-host-replica] to be available
  ssh command returned 255
  Failed drop elasticsearch scan file

If you encounter this error, run the following command from your primary or replica appliance before running ghe-upgrade again:

  $ ghe-cluster-each -- sudo touch /data/user/common/es-scan-complete

Users may have a missing dashboard (i.e. default authenticated homepage) if they don't own or have direct collaboration permissions to any repositories. If users are encountering this error, they can work around this issue by creating a personal repository. (updated 2017-09-14)
For a user or organization named apps, the profile page at /apps shows an integrations landing page and repository pages at /apps/<repository> result in a 404 Not Found response due to a conflict with an internal URL. (updated 2017-10-24)
Changing the parent of a nested team can result in the nested team not receiving updated inherited permissions. (updated 2017-10-27)
After changing the visibility of a repository, wiki search results have a conflicting number of displayed search results. Administrators can reindex the wiki through the site admin dashboard. (updated 2017-11-09)
After changing HTTP proxy configuration in the Management Console, webhooks do not use the settings unless hookshot-resqued is restarted manually via SSH by running: sudo systemctl restart hookshot-resqued. (updated 2017-12-19)
The merge button could get stuck in the "Checking for ability to merge" state. (updated 2017-12-20)
Rebuilding a search index—including during an upgrade to this version—could cause many exceptions to be logged to /var/log/github/exceptions.log. The fast growth of this log file could cause the root disk to fill up. (updated 2017-12-20)
Pull request review comments migrated with ghe-migrator are displayed in the wrong order. (updated 2017-12-20)
The pull request review request has users reversed, after migration with ghe-migrator. (updated 2017-12-20)
The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong. (updated 2017-12-20)
The create team API endpoint returns a 500 error if LDAP Sync is enabled and the team already exists. (updated 2018-01-09)
The gpgverify service may consume large amounts of CPU time even when not processing requests. (updated 2018-02-14)
Pull request reviewer usernames were not updated if a reviewer was mapped to a different username when migrating repositories using ghe-migrator. (updated 2018-04-12)
Nameid-format matching on SAML response is too strict when value is "unspecified", which can cause an error with the "Another user already owns the account." message if the IdP changes NameID. (updated 2018-06-25)

Errata

HTTPS is now a requirement of GitHub Enterprise clustering. (updated 2018-08-13)

Thanks!

The GitHub Team

Release notes