The 2.5 series release notes contain important changes in this release series.
Bug Fixes
- Changing a public repository to private would cause Git operations to stop replicating to the high availability replica.
- Downloading a release asset from a private repository with the Releases API failed with an internal server error.
- Automatic update checks failed to locate an upgrade package.
- Upgrading to 2.5 could take a very long time on instances with a large number of assets, such as release downloads, Git LFS objects, Avatars, and image attachments to wikis and issues.
- In cluster mode, restoring backups to the nodes of a cluster required the storage-server and git-server roles to be on the same machine.
- Upgrading to 2.5 could fail during the transition of recently deleted Gists.
- Images in Issue comment emails would not be displayed if private mode was enabled.
- Replication conflicts could occur if cluster nodes are initialized in the wrong order.
- Cluster support bundles could fail to generate.
- Restoring Redis data from a backup could report a "LOADING: integer expression expected" error.
- Importing a migration archive using ghe-migrator with unresolved conflicts could fail with an "undefined method" error.
- The Issues Events API returned the incorrect actor for an issue assignment event.
Changes
- High availability replication now runs with four workers. This will lead to quicker synchronization when initially starting replication and ongoing replication on very busy instances.
- The global Maximum Object Size advanced setting can now be set in the Admin Center.
Security Fixes
- MEDIUM OpenSSL packages have been updated to address multiple vulnerabilities, including CVE-2016-0800, known as DROWN, which did not affect GitHub Enterprise.
- MEDIUM Ruby on Rails packages have been updated to address multiple vulnerabilities.
- MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 (CVE-2015-0072).
- MEDIUM Implemented mitigation for a cross-site scripting (XSS) vulnerability where plain text or other content types could be parsed as HTML.
- Packages have been updated to the latest security versions.
- The ca-certificates package has been updated to remove outdated certificate authority (CA) certificates. This update refreshes the included certificates and removes the SPI CA and CA certificates with 1024-bit RSA keys.
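After an update like the ca-certificates one above, the check a practitioner usually wants is whether the trust store a system actually uses still contains CA certificates with short RSA keys. The following Go program is an added example and is not code from GitHub Enterprise or its release notes; it parses every CERTIFICATE block in a PEM bundle and reports RSA keys shorter than a threshold. The bundle it scans is constructed in-process from two self-signed CAs (one 1024-bit, one 2048-bit) so the example runs offline; on a real host you would read a file such as /etc/ssl/certs/ca-certificates.crt instead (that path and the subject names are assumptions for the example).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WeakCA describes a CA certificate whose RSA modulus is below the threshold.
type WeakCA struct {
	Subject string
	Bits    int
}

// FindWeakRSACAs parses every CERTIFICATE block in a PEM bundle and returns
// the ones whose RSA public key is shorter than minBits. Non-certificate
// blocks and non-RSA keys (ECDSA roots, for instance) are skipped. A
// certificate that fails to parse is reported as an error rather than
// silently ignored, so a corrupt bundle cannot pass the check by accident.
func FindWeakRSACAs(bundle []byte, minBits int) ([]WeakCA, error) {
	var weak []WeakCA
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits < minBits {
			weak = append(weak, WeakCA{Subject: cert.Subject.String(), Bits: bits})
		}
	}
	return weak, nil
}

// selfSignedCA builds a self-signed CA certificate with an RSA key of the
// given size. It exists only to construct input for this example.
func selfSignedCA(name string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle returns a constructed bundle containing one 1024-bit and one
// 2048-bit self-signed CA. The subject names are invented for the example;
// the bundle stands in for a file like /etc/ssl/certs/ca-certificates.crt.
func SampleBundle() ([]byte, error) {
	legacy, err := selfSignedCA("Example Legacy 1024-bit Root", 1024)
	if err != nil {
		return nil, err
	}
	current, err := selfSignedCA("Example 2048-bit Root", 2048)
	if err != nil {
		return nil, err
	}
	return append(legacy, current...), nil
}

func main() {
	bundle, err := SampleBundle()
	if err != nil {
		panic(err)
	}
	weak, err := FindWeakRSACAs(bundle, 2048)
	if err != nil {
		panic(err)
	}
	for _, w := range weak {
		fmt.Printf("weak CA: %s (%d-bit RSA)\n", w.Subject, w.Bits)
	}
}
```

The threshold is passed in rather than hard-coded so the same function can be pointed at a bundle with a stricter policy later; against a real trust store, replace SampleBundle with os.ReadFile on the bundle path and treat any non-empty result as a finding.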
Known issues
- CRITICAL There is a remote code execution vulnerability through the Management Console, patched in GitHub Enterprise 2.5.4. (updated 2016-03-31)
- HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
- GitHub Enterprise incorrectly redirects to the dashboard if you access it using an alias while in private mode. This can happen if you set a fully qualified domain name but the subdomain also resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- Enqueued background jobs are sometimes not purged when a repository is deleted.
- On instances upgraded from 2.3 and earlier, restoring an archived protected branch will not restore all the settings correctly. This does not affect new instances.
- Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
- A quota limit warning email can be incorrectly triggered when transferring repositories with Git LFS objects.
- User sessions are not properly revoked when they reach the expiry limit set by the SAML IdP.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
- Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
- Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
- The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
- Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
Thanks!
The GitHub Team