The 2.7 series release notes contain important changes in this release series.
Security Fixes
- CRITICAL: Fixed a buffer overflow vulnerability in a network accessible service. Exploitation could result in remote code execution or denial of service. This vulnerability was identified internally and currently no known exploits exist.
- HIGH: Worked around Microsoft Internet Explorer bug causing redirects to the incorrect hostname during OAuth negotiation.
- MEDIUM: Users were able to delete SSH and/or GPG keys when LDAP sync is enabled.
- Packages have been updated to the latest security versions.
Bug Fixes
- An appliance would enter maintenance mode earlier than expected if scheduled more than a week in advance.
- ghe-diagnostics printed a benign "unrecognised disk label" error message.
- Pre-receive hooks using the curl and/or gpg command may have failed using the default hook environment due to missing libraries.
- Git pushes were denied if the pre-receive hook timed out on repositories with a non-enforced exit-status.
- Public Pages could not be configured when Private Mode is enabled.
- The Pages preview API showed incorrect values for html_url and erroneously used cname when subdomain isolation is enabled.
- sudo and commands that call sudo, like the ghe-repl-* commands, would print a harmless "sudo: unable to resolve host" message when run on AWS-hosted high availability replicas.
- Avatars may have failed to render in a clustering environment.
- Large file uploads may have timed out in a clustering environment.
- git operations may have blocked indefinitely if the data volume had less than 10% free disk space.
Known Issues
- We incorrectly redirect to the dashboard if you accessed GitHub Enterprise using an alias while in private mode. This might happen if you set a fully qualified domain name but the subdomain resolves correctly.
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- Enqueued background jobs are sometimes not purged when a repository is deleted.
- svn checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- GitHub Enterprise clustering cannot be configured without HTTPS.
- Additional white spacing can sometimes be seen above the Admin center header.
- Issue assignees assigned in GitHub Enterprise 2.6 or earlier aren't visible. (updated 2016-08-27)
- The initial import of the VMware OVA image may fail when deployed via vCenter Server 6.0 or 6.5. The import will succeed when performed directly on an ESXi host. (updated 2017-02-23)
- Git LFS objects may take up to an hour to replicate in a High Availability configuration. (updated 2017-02-23)
- collectd metric paths can be truncated, which causes multiple write attempts to the same file for different metrics. (updated 2017-07-10)
Errata
- The issue "Editing custom messages in the Admin center doesn't provide emoji suggestions" was resolved in 2.7.0. (updated 2016-09-21)
- The issue "Native emoji are lost when saving custom messages in the Admin center" was resolved in 2.7.0. (updated 2016-09-21)
Thanks!
The GitHub Team