Features

• Issues can be assigned to read-only contributors that have commented on the issue.
• Milestones are now visible on project boards.
• User-owned repositories are automatically watched for updates upon creation.
• Users can receive notifications for conversations occurring on Gists.
• Users can limit the types of notifications they receive for any issue and pull request to be specific to merge, reopened and/or closed events.
• Users can transfer issues from one repository to another that they have write access to.
• Security alerts are supported for repositories using Yarn for dependency management.
• Repository admins can make an existing repository a template so users can generate new repositories with the same directory structure and files.
• Organization owners can choose to display their member's profile names in comments on private repositories.
• The audit log can now be exported in JSON or CSV format and queried using the Audit log API.
• Cards can be converted to issues on user owned projects.
• Users have the option to toggle annotations in the diff view.

Security Fixes

• HIGH: An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
• MEDIUM: GitHub App permissions could be incorrectly set by the user.
• Packages have been updated to the latest security versions.

Bug Fixes

• GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails if a URL was used for the support link instead of an email address.
• GitHub app managers were able to access and manage applications for the organization after being removed from it.
• Lines in gists were not selectable.

Changes

• WireGuard replaces OpenVPN as the technology used to encrypt communication between nodes in High Availability configurations.
• Webhook payloads include the milestone object when milestones are added or removed.
• Links to all the pull requests associated with a security alert are viewable on the security alerts page.
• Users are able to update their branch with the base branch when a pull request is in draft status.
• Files marked as reviewed will be marked as unreviewed for all users that have previously reviewed the file after a new commit has been made.
• Reduced memory utilization on GitHub Enterprise Server instances.
• The longpoll service has been replaced with alive.
• Replication must be stopped during a feature upgrade.

Backups and Disaster Recovery

GitHub Enterprise Server 2.18 requires at least GitHub Enterprise Backup Utilities 2.18.0 for Backups and Disaster Recovery.

Upcoming deprecation of GitHub Enterprise Server 2.15

GitHub Enterprise Server 2.15 will be deprecated as of October 16, 2019. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

• On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
• Custom firewall rules are not maintained during an upgrade.
• Subversion (SVN) checkout may timeout while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
• Issue, pull request, and project pages may not automatically update with changes from other users. (updated 2019-08-30)
• When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
• Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team