The 2.5 series release notes contain important changes in this release series.
- The Collectd log file was not rotated and could grow quite large.
- Duplicate Pages sites in /data/user/pages differing only by case could cause an upgrade to fail. This may occur if a background job for a rename or deletion had failed on a previous Enterprise release.
- The Audit Log map could fail to render correctly.
- The Audit Log dashboard could fail to load.
- Periodic LDAP user and group memberships synchronization jobs did not run automatically.
- LDAP Sync didn't remove a user that was no longer a member of an LDAP group.
- LDAP authentication attempted bind multiple times using the same credentials. If these credentials are incorrect, this could cause accounts to be locked on the LDAP server.
- Incorrect permissions on /data/repositories/info/svn-v4-upgraded could cause restores to fail.
- Saving settings in the management console could overwrite the SAML Issuer with the value of the SAML certificate issuer, causing authentication to fail.
- Upgrading directly from any 2.3 release to 2.5.0 could result in the removal of all personal access tokens.
- Repository disk usage could be incorrectly calculated in the site admin.
- If Git LFS was globally disabled prior to upgrading, manual configuration was required to re-enable it.
- ghe-check-disk-usage could fail to display filesystem information.
- ghe-cluster-status could exit early without printing the status of all nodes in the cluster.
- glibc packages have been updated to address CVE-2015-7547, a getaddrinfo stack-based buffer overflow.
- libssh packages have been updated to address CVE-2016-0739, a weakness in Diffie-Hellman secret key generation.
- nss packages have been updated to address CVE-2016-1938.
- Packages have been updated to the latest security versions.
- CRITICAL There is a remote code execution vulnerability through the Management Console, patched in GitHub Enterprise 2.5.4. (updated 2016-03-31)
- HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
- GitHub Enterprise incorrectly redirects to the dashboard if you access it using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain also resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- Enqueued background jobs are sometimes not purged when a repository is deleted.
- On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
- Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
- In cluster mode, restoring backups to the nodes of a cluster requires git-server roles to be on the same machine.
- Downloading a release asset from a private repository with the Releases API fails with an internal server error. (updated 2016-02-23)
- Automatic update checks fail to locate an upgrade package.
- User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
- Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
- Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
- The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
- Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
The GitHub Team