The 2.13 series release notes contain important changes in this release series.

Security Fixes

• LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
• Packages have been updated to the latest security versions.

Bug Fixes

• Promoting a replica could take an excessive amount of time in a multi-replica environment.
• Incorrect legends were displayed in the LDAP Management Console graphs.
• Self-signed TLS certificates would fail to generate on Azure instances.
• Tags created through a release contained incomplete reflog data
• Organizations could be incorrectly suspended via the Suspend User REST API.
• Email visibility could be incorrectly toggled via the REST API.
• Fixes an issue where rate limits on raw and archive endpoints were left enabled even when configured to be disabled.
• Users can no longer accidentally upload their private PGP keys.

Changes

• Optimise Elasticsearch backup process by preferring local copies of indices.

Known Issues

• Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Pull request review comments are missing from an import with ghe-migrator.
• The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
• The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)

Thanks!

The GitHub Team