The 2.15 series release notes contain important changes in this release series.
Security Fixes
- MEDIUM: Rack packages have been updated to address cross-site scripting (XSS) and Denial of Service (DoS) vulnerabilities CVE-2018-16470 and CVE-2018-16471 respectively.
- Packages have been updated to the latest security versions.
Bug Fixes
- Checking the replication status on a replica during a reboot of the primary could prevent replication for Git pre-receive hooks.
- When a business had enforced a two-factor authentication policy, business admins were able to be added when they didn't have two-factor authentication enabled.
- Text between a pair of double underscores, such as __init__, was removed in code blocks in MediaWiki-formatted pages.
- The "Start a new conversation" button on a pull request diff did not work for threads targeting the context of a change rather than an addition or deletion.
- When creating a new organization, the preview of the resulting organization URL was reset on validation.
- The BackfillEnterpriseBusinessAdminsAndOrganizationsTransition data transition could fail while running migrations.
- Under some circumstances, attempting to create a new organization would result in a 422 Unprocessable Entity error.
- Pre-receive hook target enforcement options did not properly reflect their persisted values.
- Issue and pull request pages could fail to load if they were referred to by a project the viewer of the issue does not have access to.
- A user's roles in an organization were represented inconsistently at /stafftools/users/:user/organization_memberships in comparison to user-facing pages.
- When an invalid admin value was provided to the REST API endpoint to create an organization, an organization without any owners was created rather than a meaningful error message being returned.
- After signing in, users were sometimes shown the contents of the manifest.json file instead of being redirected to the correct location in the user interface.
Known Issues
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Some settings available on the /business page are inaccessible when the company name in the license file contains multibyte strings.
- Listing the GUIDs of migrations that are in progress with the ghe-migrator list command throws an error and fails. (updated 2018-11-21)
- The import of project boards with ghe-migrator fails when the creator of a card on the board no longer exists on the source instance. (updated 2018-11-21)
- Pull request review comments can be misplaced when the pull request has large diffs. (updated 2019-01-21)
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters. (updated 2019-03-07)
- Some pull requests and issues are purged completely when restoring the repository right after deleting it. (updated 2019-03-19)
- Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption. (updated 2019-05-08)
Errata
- The issue that some settings available on the /business page are inaccessible when the company name in the license file contains multibyte strings was incorrectly included in the bug fixes section instead of the known issues section. (updated 2019-01-10)
Thanks!
The GitHub Team