GitHub Enterprise - The best way to build and ship software

Release notes for GitHub Enterprise Server versions 2.20.0+ have moved to GitHub Docs. Release notes for versions prior to 2.20.0 will remain on GitHub Enterprise Releases

GitHub Enterprise 2.4.4 February 09, 2016 Series notes · Download

The 2.4 series release notes contain important changes in this release series.

Bug Fixes

Repository maintenance was not run on the high availability replica. This could lead to high load while repositories were repacked when first promoting the replica.
Accessing the raw URL for a file named 'policies' would fail with a 404 error.
Downloading the diagnostics via the Management Console could time out on instances with many release or Git LFS assets.
We tried to log timing statistics to an inaccessible statsd server when downloading release assets.
Repository milestones weren't updated on repositories migrated from GitHub.com.
Viewing the Pages section in admin tools would cause a 500 error if no Pages site existed.
Incorrect permissions could be set on certificate authority certificates installed with ghe-ssl-ca-certificate-install. This could cause webhooks to fail as the certificates could not be read.
Backups could fail to restore if a previous Pages migration had failed on the destination appliance.

Security Fixes

HIGH OpenSSH packages have been updated to address multiple vulnerabilities.
MED libxml2 and related packages have been updated to address multiple vulnerabilities.
MED rsync has been updated to address a recently identified vulnerability.
LOW Passwords and two-factor authentication one-time passwords could be written to the exceptions log.
Packages have been updated to the latest security versions.

Known Issues

We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key.
Custom firewall rules aren't maintained during an upgrade.
Enqueued background jobs are sometimes not purged when a repository is deleted.
Trying to add a file to a repository with Subversion 1.9 clients incorrectly detects the file already exists and fails.
On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.

HIGH (CVE-2015-7547) 2.4 is vulnerable to glibc getaddrinfo stack-based buffer overflow. To manually patch your appliance, apply the hotfix by connecting to your appliance via SSH and running these commands: (updated 2016-02-17)

$ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-precise.hpkg
$ md5sum github-enterprise-libc-precise.hpkg # c068256696f2775579e2cd8223f82306
$ chmod +x github-enterprise-libc-precise.hpkg
$ ./github-enterprise-libc-precise.hpkg

Thanks!

The GitHub Team