The 2.16 series release notes contain important changes in this release series.

Security Fixes

• LOW: Git has been updated to address CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, and CVE-2019-19604. These vulnerabilities could not be triggered on the GitHub Enteprise Server instance itself, but new restrictions prevent malicious repositories from being pushed to the server instance, protecting clients which have not yet been patched.
• Packages have been updated to the latest security versions.

Bug Fixes

• The Alambic storage service could hit a file descriptor limit that could cause the kernel to hang and other services to log errors.
• Importing of teams with nested teams with security visibility could fail. Nested teams will now be imported as top-level teams if they are imported as children of a team with secret visibility.

Upcoming deprecation of GitHub Enterprise Server 2.16

GitHub Enterprise Server 2.16 will be deprecated as of January 22, 2020 That means that no patch releases will be made, even for critical security issues, after this date. For better performance, improved security, and new features, upgrade to the newest version of GitHub Enterprise Server as soon as possible.

Known Issues

• On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
• Custom firewall rules aren't maintained during an upgrade.
• svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
• Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
• Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
• Resque workers may not be cleaned up following a configuration run leading to a growing number of stale workers which in turn could lead to high memory consumption.

Thanks!

The GitHub Team