Downloads of the 2.21.0 release have been disabled, as a result of a major bug affecting multiple customers. We will publish a new release, numbered 2.21.1, shortly. If you have already upgraded your appliance to GitHub Enterprise 2.21.0, please contact support for assistance.
Last updated: 19th June, 2020.
- An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21. We have issued CVE-2020-10516 in response to this issue. The vulnerability was reported via the GitHub Bug Bounty program.
- If a user with push access minimized another user's comment, the author of the comment could unminimize it even if they had insufficient privileges.
- Users could accidentally merge to master from the issue template editor and blob editor.
- When a user deleted an account from GitHub, the audit log records did not correctly show organization removal records.
- The gist avatar for the current user would link to a non-existent URL.
- The organization repositories tab count did not include internal repositories.
- Clicking the "Show All Teams" button when transferring a repository caused a 500 error.
- Long filenames could cause overflow issues when showing the 'Changed since last view' label or the 'Show rich' diff toggle on the diff file view.
- Hovercards for organization teams misreported their member size.
- The pull request review comment popup window had a scrolling issue.
- HAProxy could become saturated, causing a slowdown in Git operations.
- The Dependency Graph feature was not automatically enabled after HA replica promotion.
- A timeout could be triggered on the releases index page for repositories with thousands of draft pull requests.
- It was not possible to filter pull requests by both state and draft at the same time.
- If a pull request changed a submodule pointer, then clicking "Edit file" on that submodule file from the "Files changed" tab of the pull request page caused a 404 error.
- It was not possible to add users to an organization, or delete the organization, following the bulk removal of all users and admins from that organization.
- Review comments against files containing diacritics and non-Latin characters in the filename on the "Files changed" page would disappear when the page was reloaded.
- The state of the "Viewed" checkbox was not retained for files containing diacritics and non-Latin characters in the filename on the "Files changed" page.
- Pull requests showed the "Approved" badge when not all required reviews were in place.
- The tag dropdown was empty when searching for a tag in repositories with more than 100 tags.
- Pull request pages showing annotations with non-UTF-8 titles could encounter encoding errors in view rendering.
- A race condition for refresh on the OAuth page could cause a redirect to be executed twice.
- The "Personal Access Tokens" page would time out if there were more than 10 tokens.
- Scheduled LDAP User and Team Sync jobs could be started while previously scheduled Sync jobs were still in process. A locking mechanism has been implemented to prevent new Sync jobs from starting if one is still running.
- The web notifications interface, including new states, filters and shortcuts, has been updated.
- It is now possible to disable reactivation of LDAP users on LDAP sync.
- The push protected branch wording has been updated to clarify that admins can always push and that users with the Maintain role can push when status checks pass.
- A blank commit is now prevented when a suggestion is identical to the original text.
- Pagination is supported as a way to get more files in the diff associated with a commit via the REST API.
- Admins can enable, disable, delete, and search for webhooks using the webhook ID from the command line using
- Automatic base retargeting will happen after manual head reference cleanup for a merged pull request.
- SVG files are handled as text and as images in the diff viewer.
- The "auto delete branches on merge" setting can be set when creating and updating repositories using the REST API.
- A new endpoint has been added to delete a deployment through the REST API.
- Admins can enable security alerts but disable all notifications from those alerts.
- The Pages log shows the user login accessing the GitHub Pages site.
- Enterprise members can see all of the organizations they belong to as part of their Enterprise account from one view by navigating to
- REST API support for triage and maintain roles has been expanded.
- A user can create and share search queries that resolve to the current user by using the @me search syntax.
- New issue template configuration options have been added.
- MySQL backup and restore reliability and time to completion has been improved.
- Improved visibility of pull requests and issue references in the issue sidebar, issue cards and issue list.
- Users can filter and search by
- Automatic failover of MySQL within a single region for Cluster deployments is now possible.
- A user can compare tags between two releases to determine what changes have been made on the releases page.
- Outdated comments are no longer collapsed by default on the Pull Request timeline. They can be collapsed by resolving the thread.
- Admins can view a list of logins reserved for internal use by navigating to the "Reserved logins" stafftools tab.
Backups and Disaster Recovery
GitHub Enterprise Server 2.21 requires at least GitHub Enterprise Backup Utilities 2.21.0 for Backups and Disaster Recovery.
Deprecations of User Interface Support for Older Browsers
We have deprecated user interface support for Microsoft Edge 16, Microsoft Edge 17 and Firefox versions 60 - 67. People using these browsers will see a notice on the sign-in page. Users are encouraged to use a newer version of these browsers.
Upcoming Deprecation of Password Authentication and Other APIs
In a future release, we will be deprecating a set of APIs to improve the security of the Authentication and Authorization APIs. When the deprecation is applied to GitHub Enterprise Server, an announcement will be included in the release notes. At this time, please note that a deprecation process is underway. You can read more about the coming changes here.
Deprecation of Legacy GitHub App Webhook Events
Starting with GitHub Enterprise Server 2.21.0, two legacy GitHub Apps-related webhook events are deprecated and will be removed in GitHub Enterprise Server 2.25.0. The deprecated events integration_installation_repositories have equivalent events which will be supported. More information is available in the deprecation announcement blog post.
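For receivers that must keep working across the removal window, one migration pattern is to verify the delivery signature first and then map the legacy event name onto its replacement so a single handler serves both. This is an added example, not code from GitHub or the release; the second legacy name and both replacement names are assumptions taken from GitHub's public deprecation announcement, the sha1 X-Hub-Signature scheme is assumed for this release, and the delivery shown is constructed.

```python
import hashlib
import hmac
import json

# Legacy GitHub App webhook event names deprecated in GHES 2.21 and their
# replacements. The page names only integration_installation_repositories;
# the other legacy name and both replacement names are assumptions taken
# from GitHub's public deprecation announcement.
LEGACY_EVENT_NAMES = {
    "integration_installation": "installation",
    "integration_installation_repositories": "installation_repositories",
}

def verify_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Check the X-Hub-Signature header (sha1 HMAC of the raw body).

    Uses a constant-time comparison so a forged header cannot be matched
    byte by byte via timing.
    """
    if not signature_header or not signature_header.startswith("sha1="):
        return False
    expected = hmac.new(secret, body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(signature_header[len("sha1="):], expected)

def normalize_event(event_name: str) -> tuple:
    """Return (canonical_name, is_legacy) so both spellings reach one handler."""
    canonical = LEGACY_EVENT_NAMES.get(event_name)
    if canonical is None:
        return event_name, False
    return canonical, True

def handle_delivery(secret: bytes, headers: dict, body: bytes) -> dict:
    """Process one webhook delivery; reject a bad signature before parsing JSON."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature", "")):
        return {"status": 401, "reason": "bad signature"}
    event, legacy = normalize_event(headers.get("X-GitHub-Event", ""))
    payload = json.loads(body)
    result = {"status": 200, "event": event, "legacy_name_used": legacy,
              "action": payload.get("action")}
    if event == "installation_repositories":
        result["repos_added"] = [r["full_name"] for r in payload.get("repositories_added", [])]
    return result

# Constructed sample delivery (not a real GitHub payload) for demonstration.
SECRET = b"constructed-demo-secret"
BODY = json.dumps({"action": "added",
                   "repositories_added": [{"full_name": "acme/app"}]}).encode()
HEADERS = {"X-GitHub-Event": "integration_installation_repositories",
           "X-Hub-Signature": "sha1=" + hmac.new(SECRET, BODY, hashlib.sha1).hexdigest()}

if __name__ == "__main__":
    print(handle_delivery(SECRET, HEADERS, BODY))
```

Logging `legacy_name_used` lets you confirm no producer still sends the old names before 2.25.0 removes them.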
Deprecation of Legacy GitHub Apps Endpoint
Starting with GitHub Enterprise Server 2.21.0, the legacy GitHub Apps endpoint for creating installation access tokens is deprecated and will be removed in GitHub Enterprise Server 2.25.0. More information is available in the deprecation announcement blog post.
Deprecation of Mapbox Studio Classic style support for GeoJSON rendering
GeoJSON map files will no longer render on instances running GitHub Enterprise prior to version 2.21, due to a third-party deprecation. If the instance was configured to use a custom Mapbox Studio Classic style, the default basemap will be used until the instance is configured to use a modern Mapbox Studio style. Instances that are configured to use a Mapbox Atlas server are unaffected.
Upcoming Deprecation of GitHub Enterprise Server 2.18
GitHub Enterprise Server 2.18 will be deprecated as of August 20, 2020. That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When pushing to a gist, an exception could be triggered during the post-receive hook.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- Security alerts are not reported when pushing to a repository on the command line. (updated 2020-06-23)
The GitHub Team