The 2.3 series release notes contain important changes in this release series.
Bug Fixes
- The instance could reboot before MySQL had completely stopped. This could lead to database inconsistencies that may have only come to light during an upgrade.
- The warning message shown when making a public repository on instances with private mode enabled was a little vague and could lead to uncertainty about how public the repository would really be.
- The Elasticsearch logs could contain socket exception errors caused by a health check exiting prematurely.
- Pull request .patch and .diff URLs would fail on instances with subdomain isolation disabled.
- In our instructions to merge a pull request on the command line, we showed the steps to merge using the Git protocol even when private mode is on. Private mode forces authentication but the Git protocol is unauthenticated so the steps would always fail. We also didn't show the steps to merge using SSH.
- The installation preflight check didn't make it clear that two block devices are required.
- The maintenance page on the high availability replica instance used incorrect information from the primary instance when building the link back to the primary. This led to a confusing experience for users following this link.
- Updates to Wiki pages by users without a primary email address set would throw errors – the updates are now refused.
- The audit log was missing useful Git activity information.
- Postfix allowed local user and address verification using the RCPT and VRFY commands, potentially exposing operating system-level user information.
- Semicolons were allowed in the LDAP Base name settings within the management console, leading to problems authenticating users via LDAP.
- The core.package-version variable in the appliance configuration file was not updated to reflect the new appliance version during an upgrade.
- Viewing a repository's push log in a web browser displayed the warning "Reflog Sync disabled on this repository. Results maybe out of date." This was cosmetic only and did not indicate an issue with the push log or repository storage.
Security Fixes
- HIGH Read access to public API endpoints of private-mode instances and to specific reporting endpoints can be authenticated by connecting via local trusted ports. This authentication could be bypassed by manipulating specific HTTP headers and lead to information disclosure.
- HIGH The Markdown syntax highlighter allowed malicious users to inject unsanitized HTML into comments and Markdown documents.
- Kernel and packages have been updated to the latest security versions.
- Mediawiki Math markup within Gists and repository files with the .mediawiki suffix could leak information to the Google Chart API when they were displayed.
- Raw Gist URLs didn't include an expiring token when private mode is enabled. This meant raw Gists were always accessible without authentication if you knew the full URL.
Known Issues
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Email can't be sent over TLS when SSL is disabled.
- Deleting a user doesn't delete their gists, which can cause problems with replication.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
- Management console sessions can expire too quickly for Safari users.
- Gist repositories are not garbage collected by the maintenance scheduler.
- Custom firewall rules aren't maintained during an upgrade.
- Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
- Enqueued background jobs are sometimes not purged when a repository is deleted.
- When a member of a team with admin access tries to add a new team member, it fails without an error. Only the Owners team can add new team members.
- Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)
- Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)
Errata
- Not deleting a user's gists when deleting the user was fixed in 2.3.0. (updated 2015-10-12)
Thanks!
The GitHub Team