The 2.13 series release notes contain important changes in this release series.
Security Fixes
- MEDIUM: Environment variables passed to pre-receive hook scripts were not properly escaped.
- LOW: It was possible to start a shell from the network configuration settings screen available on a virtual console.
- LOW: Filtering of parameters in log files was changed from a blacklist of fields to a whitelist. This ensures that fewer values are logged and that no new values are accidentally logged in the future.
- LOW: The body of API requests containing sensitive data was written to log files on the appliance. The request body is now only logged for debugging purposes and sensitive data is scrubbed before being logged.
- Packages have been updated to the latest security versions.
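
The blacklist-to-whitelist change to log parameter filtering can be illustrated with a short Ruby sketch. This is an added example, not GitHub Enterprise code; the field names, the sample request and the helper names are all constructed assumptions.

```ruby
# Added illustration; every field name and value below is constructed.
FILTERED = "[FILTERED]"

# Old approach: scrub only the fields someone remembered to list.
BLACKLIST = %w[password token].freeze
# New approach: log only the fields explicitly known to be safe.
WHITELIST = %w[controller action id page].freeze

# Walk nested hashes and arrays. The decision is made per hash key;
# scalars inside an array inherit the decision made for their key.
def scrub(value, keep, allowed = true)
  case value
  when Hash
    value.to_h { |k, v| [k, scrub(v, keep, keep.call(k.to_s))] }
  when Array
    value.map { |v| scrub(v, keep, allowed) }
  else
    allowed ? value : FILTERED
  end
end

def log_with_blacklist(params)
  scrub(params, ->(key) { !BLACKLIST.include?(key) })
end

def log_with_whitelist(params)
  scrub(params, ->(key) { WHITELIST.include?(key) })
end

# Constructed request parameters. "recovery_code" stands in for a field
# introduced after the blacklist was written.
SAMPLE = {
  "controller" => "sessions",
  "action" => "create",
  "user" => { "login" => "octo", "password" => "hunter2" },
  "recovery_code" => "1234-5678",
  "scopes" => ["repo", "admin"]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "blacklist: #{log_with_blacklist(SAMPLE).inspect}"
  puts "whitelist: #{log_with_whitelist(SAMPLE).inspect}"
end
```

With the blacklist, the newly added recovery_code value reaches the log unmodified; with the whitelist it is filtered until someone deliberately marks it as safe.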
Bug Fixes
- Parallel uploads of the same Git LFS object could fail but still be reported as successful.
- A hotpatch could be applied to the appliance whilst a configuration run was in progress. This could lead to inconsistencies and unexpected behaviour.
- Jupyter notebooks added to a Gist would fail to render on appliances with subdomain isolation disabled.
- A pull request created via the API could be assigned an ID of 0.
- The LDAP users page at /stafftools/users/ldap had layout and accessibility issues.
- The Fork button was enabled for repositories in cases where a repository could not be forked anywhere.
- Including the port in the Host header when requesting a Pages site would return a 404 error.
Known Issues
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments are missing from an import with ghe-migrator.
- The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
Thanks!
The GitHub Team