GitHub Enterprise - The best way to build and ship software

The 2.19 series release notes contain important changes in this release series.

Security Fixes

HIGH: The legacy avatar upgrade functionality was vulnerable to a Server-Side Request Forgery (SSRF) vulnerability when fetching image content from third-party avatar services. This could allow an attacker to make GET requests to internal services reachable from the GitHub Enterprise deployment.

Storage objects were incorrectly deleted from non-voting replicas, potentially leading to data loss on replica promotion.
Unsubscribe email notification language was inconsistent with the language used in the web interface.
Team membership information could be destroyed during an upgrade from GHES 2.17.
The related issues feature was incorrectly included in the release.

On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
Custom firewall rules are not maintained during an upgrade.
Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
The Let's Encrypt certificate registration feature consistently fails following an update to the external API.
When pushing to a gist, an exception could be triggered during the post-receive hook.
When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)

Thanks!

The GitHub Team