GitHub Upgrade – 2.18.0/2.18.1

The 2.18.0 update is a large update, introducing a lot of useful features and package updates. We will also be installing the 2.18.1 update, which is a small update fixing a few bugs.

Notable Features

  • Issues can be assigned to read-only contributors that have commented on the issue.
  • Milestones are now visible on project boards.
  • User-owned repositories are automatically watched for updates upon creation.
  • Users can receive notifications for conversations occurring on Gists.
  • Users can limit the types of notifications they receive for any issue and pull request so that they only cover merge, reopened and/or closed events.
  • Users can transfer issues from one repository to another that they have write access to.
  • Security alerts are supported for repositories using Yarn for dependency management.
  • Repository admins can make an existing repository a template so users can generate new repositories with the same directory structure and files.
  • Organization owners can choose to display their members' profile names in comments on private repositories.
  • Cards can be converted to issues on user-owned projects.
  • Users have the option to toggle annotations in the diff view.

Security Fixes

  • An attacker could inject potentially malicious options into Git sub-commands when executed on the server. This could allow an attacker to truncate existing files on the server or execute other unintended functionality of affected Git sub-commands. To exploit this vulnerability, an attacker would need permission to create a branch within a repository on the GitHub Enterprise Server instance. This vulnerability was reported through the GitHub Security Bug Bounty program.
  • GitHub App permissions could be incorrectly set by the user.
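The first security fix above is an instance of argument injection: a user-supplied ref name that begins with `-` is handed to a Git sub-command and gets parsed as an option rather than as a branch. The snippet below is an added illustration of the defensive pattern for any service that shells out to git with user-controlled names; it is not GitHub's code or the fix they shipped. It approximates the documented `git check-ref-format` rules in pure Python (an assumption about which rules matter most, not git's own implementation) and then builds an argv list that places the validated ref after a literal `--`, which is the end-of-options marker for sub-commands such as `git branch` that use git's option parser.

```python
import re
from typing import List

# Characters git's check-ref-format documents as illegal in a ref name:
# ASCII control characters, DEL, space, and ~ ^ : ? * [ \ .
_ILLEGAL_CHARS = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """Return True only if `name` is a plausible branch name that git cannot
    mistake for an option.  This mirrors the documented check-ref-format
    rules (an approximation written for this example, not git's own code)."""
    if not name or name == "@":
        return False
    if name.startswith("-"):
        # The root cause of option injection: git would parse this as a flag.
        return False
    if _ILLEGAL_CHARS.search(name):
        return False
    if ".." in name or "@{" in name:
        return False
    if name.endswith("/") or name.endswith(".") or name.endswith(".lock"):
        return False
    for component in name.split("/"):
        # No empty components ("a//b"), none starting with "." or ending ".lock".
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def build_git_argv(subcommand: str, options: List[str], ref: str) -> List[str]:
    """Build an argv list (for subprocess.run with shell=False) in which the
    user-controlled ref is validated and placed after `--`.  The caller must
    only use this for sub-commands whose parser treats `--` as the end of
    options for ref arguments (e.g. `git branch`); for `git log`, `--`
    instead begins the pathspec list, so validation alone is the control."""
    if not is_safe_branch_name(ref):
        raise ValueError(f"rejected unsafe ref name: {ref!r}")
    return ["git", subcommand, *options, "--", ref]


if __name__ == "__main__":
    # Constructed sample names, the last one shaped like an option.
    for candidate in ["feature/login-fix", "a..b", "release/.hidden", "--not-a-branch"]:
        print(f"{candidate!r}: safe={is_safe_branch_name(candidate)}")
    print(build_git_argv("branch", ["-D"], "feature/login-fix"))
```

Validation is the primary control here; the `--` separator is defence in depth for the sub-commands where it applies, and the argv list is passed to `subprocess.run` without a shell so no further quoting layer is needed.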

Notable Bug Fixes

  • GitHub Enterprise Server was incorrectly using support@example.com as the sender of notification emails if a URL was used for the support link instead of an email address.
  • GitHub app managers were able to access and manage applications for the organization after being removed from it.
  • Lines in gists were not selectable.
  • On appliances that send a lot of notifications, GitHub Enterprise opened too many connections to the configured email server which delayed delivery in certain cases.

We will be applying the patch at 5:00 PM EST on Aug 30th.

https://sysnews.ncsu.edu/news/5d65a9da