July 2019 Atlassian Release Highlights

30 juli 2019

Welcome to the second edition of our monthly recurring blog post covering the highlights of Atlassian Server and Data Center product updates. For each product, we made a selection of the most exciting new features, bug fixes and security advisories that are released in the last month.

As TMC ALM, we provide services for keeping your products up-to-date. We have a lot of experience with upgrading Atlassian environments safely and securely. Your data and business continuation has our top priority!
For more information, please check out our services page or contact us.

Jira’s July Release Highlights

Atlassian released Jira 8.2.3, 8.2.4 and 8.3.0 (Jira Service Desk 4.2.3/4 and 4.3.0) this month. Given that Jira 8.2.3 contains a critical security fix, Jira 8.2.4 a partial fix to the i18n-bug and that Jira 8.3.0 is a feature release, our upgrade advice will be a bit complicated.

Jira 8.2.3 and Jira Service Desk 4.2.3

Jira 8.2.3 contains a fix for the below security advisory and several bugfixes

Jira Security Advisory CVE-2019-11581

A critical security advisory for all Jira Server and Data Center versions was published on July 10th, 2019.

Basically, two server-side template injections are exploitable if an SMTP server is configured in your instance:

1. The “Contact Adminstrators”-form is exploitable without authentication;
2. The “Send Bulk Mail”-action is exploitable if attackers have Jira Administrator access; which is a pretty strange situation, but a vulnerability none the less.

Another near-critical security issue that has not been disclosed in a security advisory by Atlassian is that the Tomcat 8.5.35 version bundled with Jira 8.x is vulnerable to DoS-attacks. From Jira 8.2.3 onwards the Tomcat version has been upgraded to 8.5.40 that fixes this issue.

Please read the “Our Opinion”-section or contact us on how to mitigate the risk or to consult you on upgrading Jira to a secure version.

Other High priority bugs that are fixed and new features that are added with Jira 8.2.3 are:

  • A bug introduced with Jira 8.2 is that in Jira 8.2 renamed users, can’t be removed from the project roles. Jira 8.2.3 fixes this (JRASERVER-69419).
  • No longer will an exception being thrown in the Backlog and Active Sprint boards when rendering the Issue Detail View (i.e., when clicking an issue) (JSWSERVER-19975).
  • Since Jira 8, when creating an Epic from the backlog, a TypeError exception was thrown regarding the “scrollheight”-property. This has been fixed (JSWSERVER-20044).

Jira 8.2.4 and Jira Service Desk 4.2.4

The i18n-bug

The i18n-bug that was introduced since Jira 8.2 causes specific fields to show its i18n field identifier (used for localization) instead of its user-friendly field name. The same goes for the field’s description.
The big problem with this is that the JQL reference also changed, so instead of searching for the field “Development” for example, you need to search for its i18n field identifier; in this case, called “devstatus.customfield.development.name”.

The list of affected Fields is as follows:

  • Development (Jira Software)
  • Approvals (Jira Service Desk)
  • Organizations (Jira Service Desk)
  • Customer Request Type (Jira Service Desk)
  • Request Participants (Jira Service Desk)
  • Target End (Portfolio)
  • Target Start (Portfolio)
  • Original Story Points (Portfolio)
  • Parent Link (Portfolio)
  • Team (Portfolio)

All saved filters, subscriptions, boards and dashboard gadgets that use one of these fields might not work correctly anymore.

The partial fix in Jira 8.2.4 (JSD 4.2.4) will prevent the issue from affecting new data only. An upgrade won’t fix the already existing problems. Atlassian is working on a solution for this as well. The problem is tracked in JRASERVER-69635 with Highest priority.

Jira Service Desk 4.2.4 contains a whole bunch of bug fixes; here are the highlights:

  • The job responsible for cleaning up the SLA audit log data can run for several hours instead of finishing within a reasonable amount of time. Which, in turn, uses unnecessary resources. This bug was introduced with JSD 3.8.3 and is now fixed. The fixes are also included in the Enterprise releases that are still under support.
  • Since JSD 3.9.4, customers were unable to share request if they didn’t have the “Assign issue”-permission. This should not be necessary and is fixed with JSD 4.2.4 and the latest Enterprise release (3.16.6).

Jira 8.3.0 and Jira Service Desk 4.3.0

On July 22nd, Atlassian released the Jira feature release 8.3.0. A lot of new features, as well as bug fixes, are included in this version, but the i18n is only partially fixed as explained earlier.

Most interesting features are:

  • The Projects Overview page has received a noticeable performance boost.
  • The official mobile app for Jira Server is available. The app can be used to view your work on the go and stay up-to-date with anything that’s going on in your projects. Creating and editing issues, moving them on your board, commenting away, and getting notifications when you get distracted — all this, and much more, straight from your device.
  • Content Delivery Network (CDN) for Jira Data Center, which means that you can serve static assets (such as JavaScript, CSS, and fonts) from servers closer to your users, resulting in faster page load times.
    A CDN is a geographically distributed network of proxy servers and their data centers. The static assets will be served by proxy servers which can easily be set up by a CDN vendor or using Atlassian’s AWS CloudFront template.
    See Use a CDN with Atlassian Data Center applications for more info on how using a CDN might help your team.
  • Jira 8.3.0’s Pre-Upgrade Planning Page features a list of files which have been modified. And even after upgrading Jira, an overview will be presented with custom changes. So even without backing up these changes before the upgrade, the modifications are still marked and available, ready to be re-applied. That is, of course, if you are able to visit Jira without the custom modifications.
  • Three Custom field filters have been added to the Custom Fields administrative page. This allows you to find the custom field without knowing its exact name.
  • Now you can configure the notification frequency at which you want users to receive the batched email updates instance wide. For details, see Configuring email notifications.
  • It’s now possible to encrypt the database password that is stored in the dbconfig.xml file used by Jira to access your database. It’s even possible to create your own encryption based on Atlassian’s Cipher interface. More info can be found here.
  • A highly upvoted issue, JRASERVER-44801, which addresses the missing option in Jira’s REST API to disable users, is finally fixed. By using the Jira’s Crowd REST API as a workaround, it was still possible to do this. But now with Jira 8.3.0, you can also disable users using Jira’s own REST API.
  • Oracle 12c R2 is finally supported with Jira 8.3 and will also be added to the upcoming release in Jira 7.13.x’s Enterprise Release stream.

Jira Service Desk 4.3.0

Additionally, JSD 4.3 has received a bunch of improvements on its own. The most interesting ones are listed below.

  • Help Center’s search has been expanded with a similarity search for request types. Previously, if you searched for Onboard employee, you wouldn’t see the Onboard new employee request type in search results, but now you do.
  • Significant improvements have been made to previously database and CPU intensive SLA events processor.
  • Automation rules related to a single project, will now also be removed from the database when deleting a project. This caused a lot of noise in the Jira logs. The issue appeared with JSD 4.0 and is now fixed.
  • The expectation system can cause severe performance degradation on JSD Data Center instances before 4.3.0. This is now fixed. More info can be found in JSDSERVER-5736.

Our Advice

If you are already on any of these versions, you should of course update to 8.2.4 or 8.3.0 because of the security advisory; unless you are on 8.2.3 (which includes the security fix), then we suggest you wait for 8.2.5 or 8.3.1.

Concerning the security advisory, it’s wise to update to Jira 8.2.4 or 8.3.0 as soon as possible or implement the before mentioned workaround.

At the time of writing, the full fix for the i18n-bug is planned for Jira 8.2.5 and 8.3.1. So if you’re on any 8.2.x version below 8.2.4, make sure you update to at least Jira 8.2.5/8.3.1 when released, to completely fix the issue.

Jira 8.3.0 containes some nice features. We only suggest you upgrade to this version if you really want to use Oracle 12c R2 or experience performance issues with JSD Data Center. In all other cases we suggest you wait for at least 8.3.1.

Substract the Jira major version by 4 to get the corresponding Service Desk version; e.g., Jira 8.2.4 parallels the Jira Service Desk 4.2.4 release.

Confluence’s July Release Highlights

Confluence bug fix release 6.15.7 was the only Confluence release released this month.
This is a minor release which contains an improvement and a bugfix regarding Atlassian’s Companion app.

Our Opinion

Unless the Companion app is heavily used in your organisation, wait for a more interesting release.That is of course assuming that you are on any of the following versions already:

● 6.13.4, 6.13.5
● 6.14.3
● 6.15.2 or higher

Else upgrading is a must both feature and security wise!

Hopefully, the insignificance of the latest release might hint toward the closeness of the Confluence 7 platform release.

Bitbucket’s July Release Highlights

The first bugfix release for feature release 6.4 was released by Atlassian on the 18th of July and on the 24th of July Bitbucket 6.5 was released.

Bitbucket 6.4.1 contains two minor fixes and the following High priority fix:

  • Creating a Pull Request with reviewers that are at the bottom of a structure in nested groups would delay the creation of the pull request up to 10 minutes after submitting it. With this fix, the pull request is instantly created.

Bitbucket 6.5.0

This feature release offers some nice new possibilities, which we haven’t been able to test yet, unfortunately.

  • With Bitbucket 6.5.0 Atlassian released their Bitbucket Server for Slack app which is backwards compatible up to Bitbucket Server 5.2. The app enables Slack channels to receive updates about repositories and map Slack slash commands to Bitbucket REST requests; pretty cool!
    Check out the configuration guide here.
  • You can now block pull requests from merging by allowing reviewers to mark a request as “needs work”.
  • Bitbucket Server was already able to merge changes automatically to newer release branches, reducing the need for manual maintenance of branches. Atlassian updated this feature with the possibility to block users from merging pull requests automatically.
  • In preparation for the launch of mirror farms, Atlassian introduced a new webhook in this release that tells continuous integration systems when a mirror has finished synchronizing a set of changes. With this webhook in place, CI systems are guaranteed to find the changes they would expect from a notification. Only for Data Center of course.
  • Git LFS file locking is made even more accessible in this release. With the click of a button, it’s now possible to lock or unlock files directly in Bitbucket Server’s source view.
  • The ordering in the Bitbucket Projects used to differentiate upper and lower case letters resulting in non-alphabetical ordering. This has been fixed with this release (BSERV-11820).

Our Advise

For the Slack integration, you do not need to update Bitbucket. Just install Atlassian’s Bitbucket Server for Slack app from the marketplace.

The other new features and bugfixes are useful, but unless you are on Bitbucket 6.1.2 or lower, are in our opinion not worth the downtime and effort. We suggest you wait for a more interesting release.

Bamboo’s July Release Highlights

Atlassian released Bamboo bugfix release 6.9.2 on the 4th of July which mostly contains minor bugfixes. Below are the most interesting ones.

  • When a quarantined test in a plan branch exists, the trigger when creating a new branch in the git repository to start a build fails. This has been resolved in 6.9.2 (BAM-20489).
  • The All Deployment Projects page in Bamboo 6.9.1 shows a popup window with a NullPointerException stack trace. This has been fixed in 6.9.2 (BAM-20470).
  • Freshly created deployment projects from 6.9.2 onwards don’t grant every Bamboo user “View”-permissions by default (BAM-20492).
  • Deployments triggered by a schedule are now able to download the artefacts if the last plan result is a specs update. Before this was only possible when manually triggered (BAM-20390).

Our Opinion

Are you still using Bamboo 6.6 or lower? Then please do upgrade as a lot of new features and fixes have been added since.

Otherwise the Bamboo 6.9.2 release contains mostly minor bugfixes. We do not see a reason to upgrade unless you are affected by the particular bugs that are fixed in this release.

Do note that Bamboo 6.8 introduced the new look and feel matching the other Atlassian tooling and also improved significantly on the Deployment side of Bamboo. With release 6.9, Atlassian improved a lot on the Bamboo Specs feature. If these are features that are heavily used in your organisation, you should definitely upgrade.

That’s it! Hope you found it useful and if you have any questions regarding the above, do not hesitate to contact us!