The 2.16 series release notes contain important changes in this release series.
- MEDIUM: A race condition allowed a malicious GitHub App integrator to gain escalated user privileges by quickly updating their App's permissions during the OAuth flow.
- Packages have been updated to the latest security versions.
- Webhooks continued to be delivered via a proxy server after removing the proxy configuration.
- Background jobs for the Content Attachments API used by GitHub Apps were not processed, and as a result context information was not shown.
- Successful delivery logs for Webhooks sent through a proxy server were reported as a delivery error if the proxy server inserted additional headers.
- The migrations that are run while upgrading to GitHub Enterprise Server 2.16.0 could report "Column cache_version_number cannot be null" errors being logged to
- Site admins can no longer create GitHub Apps and OAuth apps that start with the reserved words
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Stricter REST API validation has been prematurely enabled. As a result, API requests that previously succeeded may be rejected with a 422 Unprocessable Entity response. (updated 2019-02-01)
The GitHub Team