The 2.14 series release notes contain important changes in this release series.
Security Fixes
- LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting window.opener when linking from GitHub Enterprise hosted Markdown content.
- Packages have been updated to the latest security versions.
Bug Fixes
- Promoting a replica could take an excessive amount of time in a multi-replica environment.
- Incorrect legends were displayed in the LDAP Management Console graphs.
- Network interface statistics were not collected or displayed due to a recent kernel upgrade.
- When executed in verbose mode, ghe-repl-status will set its exit code to 0 even when replication issues are present.
- The order of nameservers defined in /etc/resolv.conf was not respected when performing lookups.
- When a web proxy is configured, uploads of files, diagnostics, or support bundles will silently fail.
- Self-signed TLS certificates would fail to generate on Azure instances.
- Local connections were not properly closed and resulted in a memory leak.
- Tags created through a release contained incomplete reflog data.
- Organizations could be incorrectly suspended via the Suspend User REST API.
- Email visibility could be incorrectly toggled via the REST API.
- Fixes an issue where rate limits on raw and archive endpoints were left enabled even when configured to be disabled.
- Users can no longer accidentally upload their private PGP keys.
Changes
- Optimise Elasticsearch backup process by preferring local copies of indices.
Upcoming deprecation of GitHub Enterprise 2.11
GitHub Enterprise 2.11 will be deprecated as of September 13, 2018. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Known Issues
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
- The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
- Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head. (updated 2018-12-19)
- Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
- Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
Thanks!
The GitHub Team