GitHub Enterprise - The best way to build and ship software

The 2.16 series release notes contain important changes in this release series.

Security Fixes

HIGH: An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
MEDIUM: GitHub App permissions could be incorrectly set by the user.
Packages have been updated to the latest security versions.

Using ghe-migrator or exporting from GitHub.com, an export would silently fail to export issue comments when a repository was archived.
GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails in certain circumstances.
Comparing OAuth Access Tokens returned 404 Not Found error.
Deleting a repository and its projects could delete other owned or accessible projects.
When enabling a feature for GitHub Connect resulted in an error, users were not properly notified.

On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
Custom firewall rules aren't maintained during an upgrade.
svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
Resque workers may not be cleaned up following a configuration run leading to a growing number of stale workers which in turn could lead to high memory consumption.

Thanks!

The GitHub Team