The 2.13 series release notes contain important changes in this release series.
- LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting
window.opener when linking from GitHub Enterprise hosted Markdown content.
- Packages have been updated to the latest security versions.
- Promoting a replica could take an excessive amount of time in a multi-replica environment.
- Incorrect legends were displayed in the LDAP Management Console graphs.
- Self-signed TLS certificates would fail to generate on Azure instances.
- Tags created through a release contained incomplete reflog data
- Organizations could be incorrectly suspended via the Suspend User REST API.
- Email visibility could be incorrectly toggled via the REST API.
- Fixes an issue where rate limits on raw and archive endpoints were left enabled even when configured to be disabled.
- Users can no longer accidentally upload their private PGP keys.
- Optimise Elasticsearch backup process by preferring local copies of indices.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments are missing from an import with
- The import of protected branches with
ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with
ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
The GitHub Team