Welcome to the February 2020 edition of our monthly recurring blog post covering the highlights of Atlassian Server and Data Center product updates. For each product, we cover a selection of the most exciting new features, bug fixes and security advisories that were released in the last month.

In this month’s edition, the major highlights are new feature releases for Confluence, Jira Software and Jira Service Desk.

As TMC ALM, we provide services for keeping your products up-to-date. We have a lot of experience with upgrading Atlassian environments safely and securely. Your data and business continuation has our top priority! When looking at Atlassian from a Platinum partner perspective we notice a significant trend at Atlassian. Although this is a monthly release update, when we zoom out and look at Atlassian (feature) development, in general, we see that the main focus is at data center and the cloud. To learn more about what this trend or the new releases mean for you and your organisation, please check out our services page or contact us.

Jira’s February Release Highlights

Jira 8.7.0 and 8.7.1

Feature release Jira 8.7.0 has been released on the 3rd of February, followed by bugfix release 8.7.1 on February 10. New features include PostgreSQL 11 support and a solution to support the ‘right to be forgotten’ as part of GDPR.

• Anonymizing users for GDPR compliance has been added to the user management section. It allows Jira administrators to permanently remove personal details from a user’s profile, so the profile becomes anonymous. Both active and deleted user profiles can be anonymized. Before a user is anonymized, you will get a preview of the data that is anonymized and you will have to select a successor to transfer ownership to for certain Jira items like Project or Component lead.
  Unfortunately, this feature has not been made available for the 8.5 Enterprise release. Read more on user anonymization here.
• This month the final release for PostgreSQL 9.4 has been released, which means it is officially not supported anymore. For PostgreSQL 9.5 this date is set to February 11, 2021, and for 9.6 the final release date is November 11, 2021. With the 8.7 release, Jira now officially supports PostgreSQL 11, which has a final release date of November 9, 2023. More information can be found here.
• Jira Data Center already supported OAuth 2.0 delegated authentication and SAML federated authentication (SSO). With Jira 8.7, Data Center now also supports OpenId Connect, which basically is federated authentication (SSO) build on top of the OAuth 2.0 protocol.
  As with the already existing SAML SSO configuration, for OpenId Connect it is also possible to use it as either primary or secondary authentication, so you can safely test the configuration. More details can be found here.
• The default behaviour of the Enable HTML in custom field descriptions and list values items option has been changed. It will now be switched to OFF for new Jira installations and the upgraded ones that have never used it. If you have modified this option, you shouldn’t be affected, but it is recommended to check it to make sure it’s set correctly for your instance. (System > General configuration).

Important security fixes

Several security vulnerabilities have been fixed with Jira 8.7.0 and some of these have also been backported to the latest Enterprise Release, Jira 8.5.4. Do note that this Enterprise release on the time of writing isn’t available yet. Also, no security advisories have yet been released for these vulnerabilities.

• It is possible to perform a CSRF on the request for configuring application links if an attacker convinces a user with an active WebSudo session (and permissions to create application links,) to click on a crafted link (JRASERVER-70607).
• When configuring an SMTP Server Connection, the “Test Connection” functionality does not properly validate the referrer or atl_token attributes. This allows for a CSRF that could enumerate hosts available to the JIRA server (JRASERVER-70605).
  Similar to the above, a CSRF exists in the Test Connection functionality available when creating POP and IMAP connections (JRASERVER-70606).
• Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug (JRASERVER-70543).

Interesting bug fixes

• Chrome version 80 has been shipped this February (2020). With this release, there are some new cookie security features coming that will force Chrome clients to enforce a SameSite check policy. Right now, this policy breaks all the functionality of issue collectors that appear on separate domains (JRASERVER-70494).
  A workaround is to set ‘SameSite by default cookies’ to disabled in chromes://flags
• A bug fixed in Jira 6.4.5 but has resurfaced. During JIRA startup, there is code that attempts to recover JIRA’s issues index to a consistent state. As part of this process issues that are indexed but are no longer present in the database are removed from the index. There is a bug in that code that tries to load issues keys while they are not populated. This bug manifests itself by following warning in the Jira application log:
  Issue (id=0) has empty field ‘num’. Returning null for ‘key’.
• Data Center only. A bug when performing a bulk change and one of the nodes loses its connection could get the executing job to be stuck for the whole cluster. To undo this, all nodes would have to restart at the same time in order for this job to be removed from the cache, which is, of course, bad for availability (JRASERVER-66204).

Jira Service Desk 4.7.0 and 4.7.1

Next to the feature additions and fixes introduced in Jira 8.7 and 8.7.1, Jira Service Desk has received some interesting changes itself as well.

• From Jira Service Desk 4.7 onwards, request sharing will default to private for all requests created through the portal. New requests submitted by email will still be shared with the entire organization by default if the requester is only in 1 organization. This can be globally turned off though in the Service Desk configuration. The idea behind this change is that sensitive tickets can not accidentally be shared within an organization.
• Sign-up verification has been added so customers can be required to verify their email addresses. This makes sure all customers are exactly who they say they are. Learn more.
• How agents in certain roles are treated by Jira Service Desk has been changed. Until now, agents acting as approvers or belonging to the customer’s organization were seen as customers, which affected SLAs and automation rules; e.g. when an agent (“customer”) commented on a request, the clock kept on ticking and the request status didn’t change, which brought a lot of confusion to true customers.

Interesting bug fixes

• When opening an issue from the queue view, the formatting of the comment will break down when lists are mixed with bold words. The default issue view is not affected (JSDSERVER-6662).
• Jira Service Desk does not fill out the requestURL variable on outgoing notifications when the ticket does not have a request type. This results in email notifications without a direct URL to the ticket in the  “View Request” link (JSDSERVER-4378).

Our advice

Considering the various security vulnerabilities that have been fixed in Jira 8.7/JSD 4.7 and the new features that have been introduced, we think upgrading to Jira 8.7.1/JSD 4.7.1 is well worth the effort. Do note that some changes introduced in this release modify the behaviour of certain events. Please read the above carefully to be fully aware of these behavioural changes.

For Enterprise customers, we suggest upgrading to Jira 8.5.4 (JSD 4.5.4) as soon as it’s available.

Confluence’s February Release Highlights

Confluence 7.3.1 and 7.3.2

Confluence 7.3.0, which we covered in last month’s edition was pulled back and is now marked as an internal release and made unavailable. This month Atlassian released feature release Confluence 7.3.1 and bugfix release 7.3.2 instead. New features include:

• When loading a space’s page tree, Confluence needs to do lots of permission checks to make sure users don’t see pages that are restricted. In a very large space, these checks can consume a lot of memory and CPU and have an impact on the overall performance of Confluence.To prevent this, Confluence now loads a maximum of 200 pages at each level of the hierarchy. An extra option has been added for such cases to load all the pages in the space in one go. Administrators are able to disable this newly added behaviour. 
• The page options menu (), now includes an option (People who can view) to see who can view the current page. This option can be disabled by administrators but is enabled by default.
• Advanced permission management functions for Data Center, which include:
  • A Jira-like permission helper on global, space and page-level depending on your permissions.
  • A permission report (CSV export) for auditing purposes.
  • Bulk copy permissions from one space to another.
• The companion app works a bit better now, as it will display a list of files you are currently working on. Also, Confluence will now ask for your permission to launch the Companion app when you click edit on a Confluence attachment. Do note that both Confluence and the Companion app need to be updated for this to work.

Interesting bug fixes

• With Confluence 7.2 a bug was introduced that throws an exception when the PDF macro should display the PDF contents (CONFSERVER-59323). This has been fixed with Confluence 7.3.1.
• A bug introduced since Confluence 7 which showed an empty archived spaces directory list when more than 1 space has been archived. This bug has been fixed with Confluence 7.3.1 (CONFSERVER-58979).
• A bug which causes logs getting flooded with LaasPerformanceLoggingJob warnings has been fixed in Confluence 7.3.2 (CONFSERVER-55875). The workaround for this is to disable the “scheduledjob.desc.LaasPerformanceLoggingJob” from the scheduled jobs configuration.
• Editing page with a panel, warning, note, tip or info macro over https in the browser will trigger mix content action, it will break the certificate trust on a certain request; i.e. the certificate is not trusted anymore (green lock will disappear) due to one request is resolved over HTTP (CONFSERVER-57934).

Our advice

If you are already on Confluence 7 then Confluence 7.3.2 is a highly advisable release to upgrade to, as some long-running and known Confluence 7 bugs have been fixed. This also applies to customers still on Confluence 6 and not tied to Enterprise releases.

We expect the Confluence 7 Enterprise release to be around the corner. Probably Confluence 7.5 or 7.6, given the types of bugfixes that are marked for Confluence 7.4.

Bitbucket’s February Release Highlights

Bitbucket 6.10.1

Bitbucket 6.10.1 is the first bugfix for a Bitbucket Enterprise release. It contains 2 bug fixes, an updated version of the bundled Elasticsearch component (search engine) and a fix mainly applicable for a MySQL 8 database-related bug. The only notable bugfix is:

• When attempting to merge a pull request that was declined and reopened, if a pull request was merged in the meantime you are unable to merge it (BSERV-12116).

Our advice

If you are not already on Bitbucket 6.10.0, then definitely update Bitbucket to Bitbucket 6.10.1 that fixes several security vulnerabilities discussed in last month’s edition. It fixes a lot of bugs and security vulnerabilities whilst also being the latest Enterprise release and prepares your instance for the upcoming Bitbucket 7 release.

If you already upgraded to Bitbucket 6.10.0, then upgrading to 6.10.1 is not necessary as it doesn’t contain any critical fixes.

Make sure you also upgrade Git to at least version 2.20, if you are upgrading Bitbucket, but preferably version 2.24 to be able to make use of new functionality and mitigate any security vulnerabilities that have been fixed since.

Thanks for reading!

Remember to contact us if you have any (support) questions.