The 2.11 series release notes contain important changes in this release series.
Security Fixes
- MEDIUM: Environment variables passed to pre-receive hook scripts were not properly escaped.
- LOW: It was possible to start a shell from the network configuration settings screen available on a virtual console.
- LOW: Filtering of parameters in log files was changed from a blacklist of fields to a whitelist. This ensures that fewer values are logged, and that newly added fields are not accidentally logged in the future.
- LOW: The body of API requests containing sensitive data was written to log files on the appliance. The request body is now only logged for debugging purposes and sensitive data is scrubbed before being logged.
- Packages have been updated to the latest security versions.
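The two logging fixes above share one principle: redact by default. The example below is added here and is not GitHub Enterprise code; it contrasts a blacklist (denylist) filter with a whitelist (allowlist) filter on constructed request parameters, and gates request-body logging behind a debug flag with scrubbing applied first. The field names, the sample parameters and the JSON body are all constructed for illustration.

```ruby
require "json"

# Fields the original denylist knew about when it was written.
DENYLIST = %w[password token].freeze
# Fields explicitly approved for logging under the allowlist approach.
ALLOWLIST = %w[controller action id page per_page login].freeze
REDACTED = "[FILTERED]"

# Denylist: log everything except known-sensitive keys. A key introduced
# after the list was written leaks by default.
def filter_by_denylist(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] = if value.is_a?(Hash)
                 filter_by_denylist(value)
               elsif DENYLIST.include?(key)
                 REDACTED
               else
                 value
               end
  end
end

# Allowlist: log only approved keys. A key introduced later is redacted
# by default until someone deliberately approves it.
def filter_by_allowlist(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] = if value.is_a?(Hash)
                 filter_by_allowlist(value)
               elsif ALLOWLIST.include?(key)
                 value
               else
                 REDACTED
               end
  end
end

# Request-body logging: only when debug logging is on, and only after the
# body has been scrubbed. Returns nil (nothing logged) otherwise.
def request_body_log_line(method, path, raw_body, debug: false)
  return nil unless debug
  body = JSON.parse(raw_body)
  scrubbed = body.is_a?(Hash) ? filter_by_allowlist(body) : REDACTED
  "#{method} #{path} body=#{JSON.generate(scrubbed)}"
end

# Constructed sample parameters: "recovery_code" was added after the
# denylist was written, so nobody thought to add it there.
SAMPLE_PARAMS = {
  "controller" => "sessions", "action" => "create",
  "login" => "octocat", "password" => "hunter2",
  "recovery_code" => "8f2a-11cc",
}.freeze

# Constructed sample API request body.
SAMPLE_BODY = '{"login":"octocat","password":"hunter2","otp":"123456"}'

# Which of the known secret values survived filtering into the log?
def leaked_sensitive_values(filtered)
  %w[hunter2 8f2a-11cc].select { |secret| filtered.values.include?(secret) }
end

if __FILE__ == $PROGRAM_NAME
  puts "denylist:  #{filter_by_denylist(SAMPLE_PARAMS)}"
  puts "allowlist: #{filter_by_allowlist(SAMPLE_PARAMS)}"
  puts request_body_log_line("POST", "/api/v3/session", SAMPLE_BODY, debug: true)
end
```

Run as a script, the denylist output still contains the recovery code while the allowlist output does not; the request body line is only produced when debug is true, and by then the password and one-time code are already replaced.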
Bug Fixes
- Parallel uploads of the same Git LFS object could fail but still be reported as successful.
- A hotpatch could be applied to the appliance whilst a configuration run was in progress. This could lead to inconsistencies and unexpected behaviour.
- The LDAP users page at /stafftools/users/ldap had layout and accessibility issues.
- The Fork button was enabled for repositories in cases where a repository could not be forked anywhere.
- Including the port in the Host header when requesting a Pages site would return a 404 error.
Known Issues
- GitHub Enterprise incorrectly redirects to the dashboard if you access it using an alias while in private mode. This can happen when a fully qualified domain name is configured but the subdomain also resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- GitHub Enterprise clustering cannot be configured without HTTPS.
- Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
- The pull request review request has its users reversed after migration with ghe-migrator.
- The comment count in the "Conversation" tab of a pull request migrated with ghe-migrator can be wrong.
- The gpgverify service may consume large amounts of CPU time even when not processing requests.
Errata
- Failing to delete associated metadata when deleting a search index was resolved in 2.11.12. (updated 2018-08-06)
- HTTPS is now a requirement of GitHub Enterprise clustering. (updated 2018-08-13)
Thanks!
The GitHub Team