GitHub Enterprise - The best way to build and ship software

The 2.18 series release notes contain important changes in this release series.

Security Fixes

HIGH: The legacy avatar upgrade functionality was vulnerable to a Server-Side Request Forgery (SSRF) vulnerability when fetching image content from third-party avatar services. This could allow an attacker to make GET requests to internal services reachable from the GitHub Enterprise deployment.
LOW: The script-src: 'unsafe-inline' CSP header was applied to all paths for Enterprise Manager.
Packages have been updated to the latest security versions.

Promoting a replica in an active HA environment could fail to properly apply configuration changes and remove a pre-flight check holding page.
A race condition could occur when a replica node was rebooted, preventing the internal VPN from starting correctly.
MySQL replication lag could rise significantly on high traffic instances during times of peak user activity.

The Google Accounts Daemon and google_set_hostname DHCP hook are now disabled on Google Cloud Platform images.
GitHub Enterprise Server is now available in the eu-north-1 AWS region.
MySQL database seeding progress is reported during replication setup and recorded in the configuration log.

On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
Custom firewall rules are not maintained during an upgrade.
Subversion (SVN) checkout may timeout while the repository data cache is being built. In most cases, subsequent Subversion checkout attempts will succeed.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
When using Let's Encrypt with a new installation, an error can occur when creating a new Let's Encrypt account.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team