GitHub Enterprise - The best way to build and ship software

Release notes for GitHub Enterprise Server versions 2.20.0+ have moved to GitHub Docs. Release notes for versions prior to 2.20.0 will remain on GitHub Enterprise Releases

GitHub Enterprise 2.3.8 February 09, 2016 Series notes · Download

The 2.3 series release notes contain important changes in this release series.

Bug Fixes

Repository maintenance was not run on the high availability replica. This could lead to high load while repositories were repacked when first promoting the replica.
Accessing the raw URL for a file named 'policies' would fail with a 404 error.
Downloading the diagnostics via the Management Console could time out on instances with many release or Git LFS assets.

Security Fixes

HIGH OpenSSH packages have been updated to address multiple vulnerabilities.
MED libxml2 and related packages have been updated to address multiple vulnerabilities.
MED rsync has been updated to address a recently identified vulnerability.
LOW Passwords and two-factor authentication one-time passwords could be written to the exceptions log.
Packages have been updated to the latest security versions.

Known Issues

We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Email can't be sent over TLS when SSL is disabled.
Deleting a user doesn't delete their gists, which can cause problems with replication.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
Management console sessions can expire too quickly for Safari users.
Gist repositories are not garbage collected by the maintenance scheduler.
Custom firewall rules aren't maintained during an upgrade.
Repositories that are in an incomplete state, which is a rare problem, can cause the migration to the new repository disk layout to fail.
Enqueued background jobs are sometimes not purged when a repository is deleted.
When a fork is detached from its repository network by an administrator or by changing visibility, its filesystem path won't be updated on a high availability replica until at least one commit has been pushed.
Viewing raw files in repositories owned by a user or organization named "github" fails with a 400 error. (updated 2015-12-15)

HIGH (CVE-2015-7547) 2.3 is vulnerable to glibc getaddrinfo stack-based buffer overflow. To manually patch your appliance, apply the hotfix by connecting to your appliance via SSH and running these commands: (updated 2016-02-17)

$ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-precise.hpkg
$ md5sum github-enterprise-libc-precise.hpkg # c068256696f2775579e2cd8223f82306
$ chmod +x github-enterprise-libc-precise.hpkg
$ ./github-enterprise-libc-precise.hpkg

Thanks!

The GitHub Team