The 2.12 series release notes contain important changes in this release series.
Security Fixes
- MEDIUM: Environment variables passed to pre-receive hook scripts were not properly escaped.
- LOW: It was possible to start a shell from the network configuration settings screen available on a virtual console.
- LOW: Filtering of parameters in log files was changed from a blacklist of fields to a whitelist. This ensures that fewer values are logged and that no values are accidentally logged in the future.
- LOW: The body of API requests containing sensitive data was written to log files on the appliance. The request body is now only logged for debugging purposes and sensitive data is scrubbed before being logged.
- Packages have been updated to the latest security versions.
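The two logging fixes above share one design point: a blacklist of field names only hides what someone remembered to list, so any field added later leaks into the logs until somebody notices, whereas a whitelist masks everything by default. The following Ruby snippet is an added illustration of that difference and is not GitHub's code; the parameter names, the mask string and the sample request are constructed for the example.

```ruby
require 'json'

# Constructed sample request parameters. "otp_secret" stands for a field that
# was introduced after the blacklist was last reviewed.
SAMPLE_PARAMS = {
  "repo"       => "octocat/hello",
  "action"     => "create_hook",
  "password"   => "hunter2",
  "otp_secret" => "JBSWY3DPEHPK3PXP"
}.freeze

DENYLIST  = %w[password token].freeze           # old approach: name what to hide
ALLOWLIST = %w[repo action user_login].freeze   # new approach: name what to keep
MASK      = "[FILTERED]"

# Blacklist filtering: a value is masked only if its key is known to be sensitive.
def filter_with_denylist(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] = DENYLIST.include?(key) ? MASK : value
  end
end

# Whitelist filtering: a value survives only if its key is known to be safe.
def filter_with_allowlist(params)
  params.each_with_object({}) do |(key, value), out|
    out[key] = ALLOWLIST.include?(key) ? value : MASK
  end
end

# Keys whose real value would reach the log after filtering.
def leaked_keys(filtered)
  filtered.reject { |_, value| value == MASK }.keys
end

# Shape of the line that would actually be written to the log file.
def log_line(filtered)
  "api_request params=#{JSON.generate(filtered)}"
end

if __FILE__ == $PROGRAM_NAME
  puts "denylist:  #{log_line(filter_with_denylist(SAMPLE_PARAMS))}"
  puts "allowlist: #{log_line(filter_with_allowlist(SAMPLE_PARAMS))}"
end
```

Run it and the blacklist line still carries the new `otp_secret` value, while the whitelist line masks it without any change to the filter configuration; that is the property the release note is describing.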
Bug Fixes
- Parallel uploads of the same Git LFS object could fail but still be reported as successful.
- A hotpatch could be applied to the appliance whilst a configuration run was in progress. This could lead to inconsistencies and unexpected behaviour.
- The LDAP users page at /stafftools/users/ldap had layout and accessibility issues.
- The Fork button was enabled for repositories in cases where a repository could not be forked anywhere.
- Including the port in the Host header when requesting a Pages site would return a 404 error.
Known Issues
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- GitHub Enterprise clustering cannot be configured without https.
- Pull request review comments migrated with ghe-migrator are displayed in the wrong order.
- Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
Errata
- HTTPS is now a requirement of GitHub Enterprise clustering. (updated 2018-08-13)
Thanks!
The GitHub Team