The 2.14 series release notes contain important changes in this release series.

Security Fixes

• CRITICAL: A file path traversal vulnerability in the jekyll-remote-theme gem of GitHub Pages could allow users to display the content of local files.

Bug Fixes

• ghe-repl-setup allowed re-adding the same node as a replica.
• GitHub Enterprise API responses would not be compressed when requested with gzip encoding.
• Webhooks could fail to be delivered if the compressed payload was greater than 1 MB.
• Upgrades could fail with Connection timed out if the hookshot service was unable to run migrations due to a firewall update that ran out of order.
• Repository replication records may be created inconsistently, resulting in unreported replication failures. This type of replication failure is now reported in ghe-repl-status.
• Replication could fail due to stale or duplicate entries to the primary in a replica's /etc/hosts.
• Messages sent from the email service hook failed when the upstream SMTP server didn’t accept the plain authentication method.
• Using Safari, administrators were unable to schedule a future hotpatch upgrade from the Management Console due to an incompatible date parse.
• ghe-config-check would hang if run without any arguments.
• hookshot logs weren't purged properly in Elasticsearch and could consume large amounts of disk space.
• Migrations with ghe-migrator could fail to complete trying to add the same label to an issue.
• The pull request page could fail to load with a 500 Internal Server Error if a reviewer is no longer a member of the GitHub Enterprise environment.
• Users were unable to view the diff of comment edits, delete comment edit history items, dismiss the comment edit history onboarding, and reload on comment edits for gist comments.

Changes

• GitHub Enterprise clustering has been updated to purge older than one hour MySQL binary logs prior to a ghe-restore.

Known Issues

• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• The import of protected branches with ghe-migrator fails when the creator of the protected branch no longer exists on the source instance. (updated 2018-10-31)
• The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
• Upgrading to a later version in this series may overwrite custom DNS entries in /etc/resolvconf/resolv.conf.d/head (updated 2018-12-19)
• Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
• Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
• Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)

Thanks!

The GitHub Team