With the new features added in GitHub Enterprise 2.5.0, you can:
RelayState parameter as sent from the appliance. For IdP-initiated authentication you must ensure the "IdP initiated SSO (disables AuthnRequest)" setting is checked within the management console. You may experience a redirect loop between your appliance and your SAML server if either of these conditions is not met. (updated 2016-02-29)
Upgrading to the 2.5 release series is supported from GitHub Enterprise 2.3.0 and above.
In order to backup and restore GitHub Enterprise 2.5, you will need to upgrade backup-utils to version 2.5.0.
ghe-ssl-ca-certificate-install. This could cause webhooks to fail as the certificates could not be read.
An issue was identified that could allow an attacker to execute arbitrary commands on a user's computer if they had Git LFS installed and cloned a malicious repository. Git LFS supports a per-repository configuration file to customize how certain aspects of Git LFS function. However, this file also allowed arbitrary Git configuration options to be modified. We have addressed the vulnerability by restricting the per-repository Git LFS configuration options that can be used to a whitelisted, safe subset.
GitHub Enterprise is not directly affected, as this is a client-side vulnerability, but as Git LFS is now enabled by default, we recommend you upgrade your clients to Git LFS 1.0.1 or later to address this vulnerability.
To prepare for GitHub Clustering, this release changes the way GitHub Enterprise stores assets, such as release downloads, Git LFS objects, avatars, and image attachments to wikis and issues. On installations with many large assets, moving assets to their new location can take a long time. As always, we encourage you to test the upgrade in a staging environment before upgrading your production instance.
GitHub Enterprise 2.0 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
GitHub Enterprise 2.1 will be deprecated as of April 4, 2016. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Support for Internet Explorer 9 and 10 will be deprecated in a future release. There will be no changes in site functionality, but a warning banner will be displayed to Internet Explorer 9 and 10 users.
CRITICAL There is a remote code execution vulnerability through the Management Console, patched in GitHub Enterprise 2.5.4. (updated 2016-03-31)
HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
Saving settings in the management console can overwrite the SAML Issuer with the value of the SAML certificate issuer, causing authentication to fail. The SAML Issuer must be set manually each time any settings are saved if a certificate has been uploaded. (updated 2016-02-12)
We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
The management console settings interface doesn't clearly show if you have previously uploaded certificate files or a private key. (updated 2016-02-10)
Custom firewall rules aren't maintained during an upgrade.
Enqueued background jobs are sometimes not purged when a repository is deleted.
If Git LFS was globally disabled prior to upgrading, manual configuration may be required to re-enable it.
On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
Upgrading directly from any 2.3 release to 2.5.0 can result in the removal of all personal access tokens. This can be prevented by upgrading to any 2.4 release first. (updated 2016-02-15)
HIGH (CVE-2015-7547) 2.5.0 is vulnerable to the glibc getaddrinfo stack-based buffer overflow. To manually patch your appliance, apply the hotfix by connecting to your appliance via SSH and running these commands: (updated 2016-02-17)
$ curl -O https://github-enterprise.s3.amazonaws.com/patches/github-enterprise-libc-trusty.hpkg
$ md5sum github-enterprise-libc-trusty.hpkg # 9deaf87e3313e9239e42179b78cd024a
$ chmod +x github-enterprise-libc-trusty.hpkg
$ ./github-enterprise-libc-trusty.hpkg
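The commands above print the checksum but leave the comparison to the reader. As an added example (not part of these release notes), the following POSIX shell gate refuses to mark the package executable or run it unless its MD5 matches the published value; it assumes the package was already downloaded with the curl command above.

```shell
#!/bin/sh
# Added example: checksum gate for the glibc hotfix package.
# Not from the GitHub Enterprise release notes.
set -eu

# Published MD5 for github-enterprise-libc-trusty.hpkg (value from the release notes).
EXPECTED_MD5="9deaf87e3313e9239e42179b78cd024a"

# Print the MD5 of a file; use coreutils md5sum, fall back to openssl.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

# Return 0 when the file's MD5 equals the expected value, 1 otherwise.
verify_hotfix() {
  actual=$(file_md5 "$1")
  [ "$actual" = "$2" ]
}

# Only chmod and execute the package after the checksum has matched.
apply_hotfix() {
  if verify_hotfix "$1" "$2"; then
    chmod +x "$1"
    case "$1" in
      */*) "$1" ;;
      *)   "./$1" ;;
    esac
  else
    echo "checksum mismatch for $1: refusing to run" >&2
    return 1
  fi
}

# Usage: ./gate.sh github-enterprise-libc-trusty.hpkg
if [ -n "${1:-}" ]; then
  apply_hotfix "$1" "$EXPECTED_MD5"
fi
```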
Periodic LDAP user and group memberships synchronization jobs do not run automatically. Synchronization can still be triggered manually. (updated 2016-02-18)
Downloading a release asset from a private repository with the Releases API fails with an internal server error. (updated 2016-02-23)
Automatic update checks fail to locate an upgrade package.
User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
Thanks!
The GitHub Team