New Features
With the new features added in GitHub Enterprise 2.6.0, you can:
Changes
- The cross-origin resource sharing (CORS) policy has been updated to bring it in line with W3C recommendations.
- Auto-complete is disabled on the password configuration fields in the management console.
- It is no longer possible to filter members of an organization using the is:inactive filter.
- Admin Tools now has a 'Disabled repositories' page.
- The number of simultaneous connections tracked by the appliance firewall has been increased to 524288.
- When the protected branch policy is not fulfilled, we report different states depending on the protected branch required status checks policy.
- Unused scripts have been removed and internal-only scripts have been moved out of the default path.
- All customer-facing scripts print usage information when called with -h or --help.
- SAML requests can now be configured to use SHA-256 and other common hashing algorithms for the signature and digest methods. The default is now SHA-256. You may need to update your configuration and select SHA-1 if your identity provider does not support SHA-256.
- The management console now contains inline links to the configuration documentation for each section.
- A proxy exclusion (no_proxy) list can now be configured in the management console.
- Logs can be forwarded to multiple locations.
- ghe-repl-start will report if high availability replication is still starting following a reboot.
- ghe-repl-status displays which host is the high availability replica when run on the primary node.
- The license, SSH keys and settings are copied to the high availability replica as and when they're modified on the primary.
- Custom certificate authority certificates added to the appliance using ghe-ssl-ca-certificate-install are automatically replicated to the high availability replica.
- All certificates included in the certificate file uploaded via the management console are automatically imported.
- Custom certificate authority certificates are saved with descriptive names for easier identification when running ghe-ssl-ca-certificate-install -l.
- The self-signed certificate generated by the appliance when first configured now includes a wildcard subject alternate name (SAN) entry for the appliance hostname for use with sub-domain isolation.
- Previously built Pages sites are no longer displayed if Pages is subsequently disabled.
- GitHub Pages has been updated to Jekyll 3.0.
- A reason for an email notification is now included in the footer of the email.
- The search index definitions have changed. Some searches may return partial results while the search indices are rebuilt. (updated 2016-04-27)
- GitHub Pages now verifies the SSL connection when cloning sites, so builds will fail if your SSL certificate is invalid. (updated 2016-05-10)
Upgrading
Upgrading to the 2.6 release series is supported from GitHub Enterprise 2.4.0 and above.
Backup & Restore
In order to back up and restore GitHub Enterprise 2.6, you will need to upgrade backup-utils to version 2.6.0.
Bug Fixes
- Changing a repository's parent allowed you to reparent onto a fork of the repository being reparented. This would lead to a loop that would fail and leave the repository network in an inconsistent state.
- @mentions that contain dashes in the issues or comments of a migration archive were not correctly rewritten when imported using ghe-migrator on the destination appliance.
- Migrating a repository with issue attachments using ghe-migrator could fail to import on the destination appliance.
- User sessions were not properly revoked when they reached the expiry limit set by the SAML identity provider (IdP).
- User web browser sessions were revoked after 14 days of inactivity instead of 30 days.
- ghe-support-bundle displayed harmless messages.
Security Fixes
- MEDIUM Resolved a cross-site scripting (XSS) vulnerability in task lists.
- MEDIUM Implemented mitigation for a URI decoding vulnerability that affects modern versions of Microsoft Internet Explorer.
- User sessions were not properly revoked when they reached the expiry limit set by the SAML identity provider (IdP).
- Packages have been updated to the latest security versions.
Deprecation of GitHub Enterprise 2.1
GitHub Enterprise 2.1 is now deprecated. That means that no patch releases will be made, even for critical security issues, after this release. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Upcoming deprecation of GitHub Enterprise 2.2
GitHub Enterprise 2.2 will be deprecated as of August 2016. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise as soon as possible.
Deprecation of Support for Internet Explorer 9 and 10
Support for Internet Explorer 9 and 10 will be deprecated in a future release. There will be no changes in site functionality, but a warning banner will be displayed to Internet Explorer 9 and 10 users.
Upcoming deprecation of Markdown engines
GitHub Pages on GitHub Enterprise 2.7 and later will only support kramdown, Jekyll's default Markdown engine. If you are currently using RDiscount or Redcarpet, we've enabled kramdown's GitHub-flavored Markdown support by default, meaning kramdown should have all the features of the two deprecated Markdown engines. The transition should be as simple as updating the Markdown setting to kramdown in your site's configuration (or removing it entirely).
Known Issues
- HIGH Release assets from a public repository can be accessed by unauthenticated users in private mode. (updated 2016-05-27)
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- Enqueued background jobs are sometimes not purged when a repository is deleted.
- On instances upgraded from 2.3 and earlier, restoring a protected branch archived whilst running 2.3 will not restore all the settings correctly. This does not affect new instances or protected branches archived on later releases.
- Duplicate uploads are stored in more than three hosts in a cluster with more than three replica file servers.
- Editing custom messages in the Admin Center doesn't provide emoji suggestions.
- Native emoji are lost when saving custom messages in the Admin Center.
- The custom messages setting within the Admin Center is not disabled when SAML authentication is used. The setting has no effect when using SAML as the SAML server is responsible for displaying the relevant pages to users.
- The custom messages Markdown editor in the Admin Center includes buttons for non-applicable functionality.
- Background jobs in the languages queue aren't run. This causes repository language statistics to be inaccurate. (updated 2015-04-28)
- The find command isn't available in the default pre-receive hook environment. (updated 2015-04-28)
- Repository push logs don't record whether a push was forced. (updated 2016-05-13)
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed. (updated 2016-05-24)
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository. (updated 2016-05-24)
- Migration data exported from GitHub Enterprise with ghe-migrator does not include issue file attachments, which may cause imports to another server to fail. (updated 2016-06-09)
- GitHub Enterprise clustering cannot be configured without https. (updated 2016-08-01)
- Console text is difficult to read on OpenStack KVM. (updated 2016-08-03)
- The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
- Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
Thanks!
The GitHub Team