The 2.4 series release notes contain important changes in this release series.
Bug Fixes
- High availability replication could fail to automatically start after a reboot.
- Viewing raw files in repositories owned by a user or organization named "github" failed with a 400 error.
- A high availability replica that's been promoted to primary and then set up as a replica again showed the 'Starting...' page instead of the replica status page following a reboot.
- Starting high availability replication printed verbose MySQL status information.
- The connection limit for the longpoll service (used for providing live updates to Issues and Pull Requests) could be exhausted on very busy appliances.
- A team membership invitation email was incorrectly sent to the user when they were added to an Organization's team using the Add team membership API.
- Git LFS server maintenance jobs could fail to run and throw an exception error.
Changes
- X11Forwarding for administrative SSH connections is now disabled.
- The management console now displays a warning when the appliance time is significantly different from the time reported by the browser. A large time difference can lead to management console sessions expiring too quickly.
- The LDAP authorization state is now included in the user suspension reason within the LDAP logs. This will help administrators determine why an LDAP user has been suspended.
- Legacy organization admin teams, those teams with 'admin' permissions before GitHub Enterprise 2.4.0, are now clearly shown in the organization teams page.
- Management console sessions could expire too quickly for Safari users.
Security Fixes
- HIGH An integer overflow in Git could result in incorrect memory allocation values (CVE-2016-2315, CVE-2016-2324). (updated 2016-03-17)
- MED libxml2 and related packages have been updated to address multiple vulnerabilities.
- MED OpenSSL packages have been updated to address multiple vulnerabilities.
- LOW Auto-completion within several fields of the management console settings could cause SNMP and LDAP secrets to be logged in plaintext.
- Packages have been updated to the latest security versions.
Known Issues
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
- Custom firewall rules aren't maintained during an upgrade.
- Enqueued background jobs are sometimes not purged when a repository is deleted.
- Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails. (updated 2016-01-14)
Git LFS Client Vulnerability
An issue has been identified that could allow an attacker to execute arbitrary commands on a user’s computer if they had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. However, this file also allowed arbitrary Git configuration options to be modified. We have addressed the vulnerability by whitelisting the per-repository Git LFS configuration options, restricting them to a safe subset.
GitHub Enterprise is not directly affected as this is a client-side vulnerability and Git LFS is disabled on GitHub Enterprise by default. If you have enabled Git LFS on your appliance, we recommend you upgrade your clients to Git LFS 1.0.1 or later to address this vulnerability.
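The fix described above, restricting a repository-supplied config file to an allow-list of keys, is illustrated by the following added example. It is not Git LFS's own code: the allow-list contents, the sample file and the simplified gitconfig parsing are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Hypothetical allow-list: the page does not give Git LFS's real safe subset.
var allowedLFSKeys = map[string]bool{
	"lfs.url": true, "lfs.pushurl": true, "lfs.fetchinclude": true, "lfs.fetchexclude": true,
}

// Constructed sample .lfsconfig: an LFS key plus a non-LFS key the repository must not set.
const sampleLFSConfig = `[lfs]
	url = https://lfs.example.test/org/repo
[alias]
	co = checkout
`

// FilterLFSConfig parses gitconfig-style text, keeping allow-listed keys and reporting the rest.
func FilterLFSConfig(raw string) (kept map[string]string, dropped []string) {
	kept = map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue // blank or comment line
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			// [name] or [name "sub"] -> name.sub (sub is lower-cased here for simplicity)
			hdr := strings.NewReplacer(`"`, "", " ", ".").Replace(strings.Trim(line, "[]"))
			section = strings.ToLower(hdr)
			continue
		}
		k, v, _ := strings.Cut(line, "=") // a bare key yields an empty value
		key := section + "." + strings.ToLower(strings.TrimSpace(k))
		if allowedLFSKeys[key] {
			kept[key] = strings.TrimSpace(v)
		} else {
			dropped = append(dropped, key) // refused: not part of the safe subset
		}
	}
	return kept, dropped
}

func main() {
	fmt.Println(FilterLFSConfig(sampleLFSConfig))
}
```

Keys outside the allow-list are reported rather than silently ignored, so a client can log which repository settings it refused to apply.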
Thanks!
The GitHub Team