July and August 2020 Atlassian Release Highlights

7 september 2020
Welcome to the July and August 2020 edition of our monthly blog covering the highlights of Atlassian Server and Data Center product updates. For each product, we cover a selection of the most exciting new features, bug fixes and security advisories that were released in the last month.

Welcome to the July and August 2020 edition of our monthly recurring blog post covering the highlights of Atlassian Server and Data Center product updates. For each product, we cover a selection of the most exciting new features, bug fixes and security advisories that were released in the last month, well in this edition the last two months due to the summer vacation.

In this month’s edition, lots of feature releases for all products except Advanced Roadmaps for Jira (formerly Jira Portfolio). We’ll be covering bamboo’s first feature release of the Bamboo 7 major release, several Bitbucket, Jira and Jira Service Desk feature releases and a new feature release for Confluence. To find out more, keep on reading!

As TMC ALM, we provide services for keeping your Atlassian tools up-to-date. We have a lot of experience with upgrading Atlassian environments safely and securely. Your data and business continuation has our top priority! When looking at Atlassian from a Platinum partner perspective we notice a significant trend at Atlassian. Although this is a monthly release update, when we zoom out and look at Atlassian (feature) development, in general, we see that the main focus is at Data Center and the Cloud. To learn more about what this trend or the new releases mean for you and your organisation, please check out our services page or contact us.

Jira’s July and August Release Highlights

Jira 8.10.1

The Jira 8.10.1 bugfix release was released on July 20th and contains 8 bug fixes including some major ones:

  • Whenever Jira misses enough issue updates from Bitbucket Server, Bamboo and/or Fecru to fit into single fetch (Guaranteed Delivery), Jira will get stuck looping the results over and over [LTS 8.5.6] (JSWSERVER-20612).
  • In Jira 8 there remain a few operations that regularly take more than 5 seconds. E.g. Epic Link query performance which can cause delays and block stories from being created when the Epic Link is a required field on a create screen. In the fix versions, it should take less than 3 seconds [LTS 7.13.16+ 8.5.7] (JSWSERVER-20452).
  • Related to the previous one, JQL autocomplete suggestions on the Epic field can cause serious performance issues. This has been fixed with less complex data structure [LTS 7.13.16+ 8.5.7] (JSWSERVER-20272).
  • CVE-2020-14174: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper [LTS 7.13.16+ 8.5.7] (JRASERVER-71275).
  • CVE-2019-20330: Jira Server uses a vulnerable version of jackson-databind [LTS 7.13.16+ 8.5.7] (JRASERVER-70971).

Jira Service Desk 4.10.1

The corresponding JSD 4.10.1 release also contains 3 major bug fixes:

  • Incoming mail meant to create a new Jira and that contains 2 attachments with the exact name, trigger an error in the Mail Audit Logs (JSDSERVER-6904).
  • RequestCache being used in an invalid context which will cause issues for future releases (JSDSERVER-6897).
  • ‘Organization added’ notification is not sent out when Request is shared to Organization during creation (JSDSERVER-6894).

Jira 8.11.0 and 8.11.1

Feature release Jira 8.11, was released on July 15th and received a bugfix release on Aug 18th.

Lots of interesting new features have been added, including:

  • Finally, Atlassian made the issue detail view optional on the Kanban and Sprint boards, e.g. you can now choose if Jira should show the issue detail view when clicking on an issue on the board: click on the Board button in the upper right corner and select the Hide detail view from the options.
  • Admins now have an option to enable restricted sprint selection for users. When restricted, user can only select sprints when creating or editing an issue that belong the project the issue belongs to. Great improvement! The option can be found in Jira Administration → Jira Software Configuration → Relevant sprints. Users are still able to select unrelated sprints, but it will require an extra step, making the sprint selection process less error-prone.
  • Great news for admins, from Jira 8.11 onwards admins will be able to edit and delete private filters and dashboards. So admins will be able to see all existing filters and dashboards, whether shared or private and choose how to handle them.
  • @mention email notifications have been improved to further reduce the amount of notification spam from Jira. Now, mentions will be included together with other issue updates in the summary email, but they will trigger this email to be sent as soon as possible.
  • The embedded crowd has been upgraded, resulting in:
    • Performance improvements
    • Clustering support
    • Improved directory failover
    • Many bugs and suggestions resolved
  • Max timeout setting for the favourite filter gadget has been added to Jira’s general configuration. This way admins can reduce the impact on performance this gadget can have. If set to -1, Jira won’t be counting issues at all in the gadget (default is 5000 ms).

A large number of notable bug fixes are included in Jira 8.11.0 and 8.11.1. These are:

  • Issue removed from Sprint not showing in Burndown Chart or Sprint Report (JSWSERVER-14984).
  • Unable to edit Sprint when Remaining Estimate and Time Spent is enabled. Jira will throw a clauseValues is empty Javascript error (JSWSERVER-20541).
  • ira’s DVCS GitHub connector uses the “access_token” query parameter which is a deprecated authentication method for the GitHub API [LTS 8.5.7] (JSWSERVER-20414).
  • When connecting Jira to Bitbucket Cloud through DVCS, there is a limitation regarding the number of branches that are retrieved per repository, which is set to 10. This can cause Jira to fail to retrieve branches if more than 10 were updated before the sync, causing older branches to not be synchronized. [LTS 8.5.7] (JSWSERVER-20340).
  • Logs of usage of RequestCache without context is flooding the log files (JRASERVER-71310).
  • CVE-2020-9484: Bundled Tomcat is affected by a recently disclosed vulnerability (JRASERVER-71221).
  • The Jira Server mobile app cannot connect to Jira when using a version where the bug JRASERVER-71175 is fixed or when the workaround is implemented (JRASERVER-71217).
  • In specific situations with few roles defined in the instance and a large amount of users assigned to them, removing actor from a specific role can take several seconds causing all incoming requests that require permission validation to hang (JRASERVER-69446).
  • Nested enabled LDAP can be integrated with JIRA without a problem. If however due to poor search filter, lone child groups are imported, performance will greatly degrade (JRASERVER-26830).

Jira Service Desk 4.11.0 and 4.11.1

The corresponding feature release for Jira Service Desk, 4.11, contains besides the abovementioned features and bugfixes the following JSD specific new features and bugfixes:

  • Jira Service Desk now comes with a multilingual customer portal and help center. Translations can be added to your service desk for the most important items, including portal names, request types, and announcements.
  • The satisfaction comment (CSAT) is now searchable with JQL.
  • Data Center versions of JSD now have advanced auditing capabilities  to areas that are specific to Jira Service Desk:
    • SLAs (SLA calendars, SLA goals, SLA names)
    • Reports (created, deleted)
    • Agents (invited or removed from the project)
    • Email channels (enabled, disabled)
    • Request types (created, deleted)
    • Organizations (created, deleted, updated)
    • General configuration (public signup enabled, disabled)
  • The page to configure the language support, introduced in Service Desk 4.11.0, is broken when Service Desk is installed from the page Applications > Versions & Licenses (or by uploading the Service Desk OBR file). In JSD 4.11.1 this has been fixed (JSDSERVER-6944).

Jira 8.12.0

Just a few days ago, on August 26th, the latest Jira feature release, 4.12.0, has been made available. Mostly containing new Data Center features:

  • The Single user picker custom field type has been improved and now has the same look and feel like the user system fields such as Reporter and Assignee, i.e. showing the user’s avatar and full name.
  • Support for MySQL 8.0.
  • For Data Center, Atlassian has added even more improvements to the audit log, including:
    • Filter by category
    • Filter by summary
    • New events: priority, secure admin login (websudo), issue export and OAuth 2.0 integration.
    • Change log file retention settings, i.e. the limit of 100 log files has been removed and this is now configurable
  • Just-in-time user provisioning (JIT provisioning) has been added and allows users to be created and updated automatically when they log in through SAML SSO or OpenID Connect (OIDC) SSO to Atlassian Data Center applications such as Jira, Confluence, or Bitbucket. Preventing log in failure when using SSO if the user is not present in one of the user directories.
  • The newly added Document-Based Replication feature mitigates the impact apps can have on indexing time and prevents index inconsistencies in Jira Data Center.

A number of important bugs have also been fixed in this latest feature release:

  • Jira 8+ does not run plugin upgrade tasks upon the first launch. After the upgrade, it requests immediate re-indexing, re-indexes the issues, but didn’t schedule upgrades to run (in com.atlassian.jira.upgrade.UpgradeScheduler) and didn’t execute the plugin upgrade tasks [LTS 8.5.7] (JRASERVER-71179).
  • When transitioning an issue from one column to the another (without clicking the issue to open the issue details on the right-side panel), the new comment textbox doesn’t show the rich text options (JSWSERVER-20402).
  • Epic Burndown report does not display the chart depending on how the Epic Link was created (JSWSERVER-20617).
  • When anonymizing a user who has an anonymous user key (already anonymized or created in Jira version >= 8.4) the full names in the issue history remain unchanged (JRASERVER-71153).
  • When creating an issue, multi-user picker custom field which is made “required/mandatory” in field configuration, allows white space and commas even without a user being picked (JRASERVER-71108).
  • A user who is a member of the Project Role (Administrators) which has been added to the Administer Project permission is unable to edit the Project Lead/Default assignee, if this user is not grated the Jira Administrators global permission (JRASERVER-70592).
  • Jira is trying to do index recovery every time Jira is restarted in Standalone mode by reconciling the issues difference against DB.
    It has been noticed since Jira 8 was released, that logging for index recovery happens after every Jira restart (JRASERVER-70248).
  • Jira doesn’t correctly create a session token when you access the <Jira URL>/projects/<Project key>/issues page prior to login. This causes an error to be thrown when e.g. creating an issue (JRASERVER-69054).

Jira Service Desk 4.12.0

Next to the above-mentioned features and bugfixes, the latest JSD feature release adds the following JSD specific new features and bugfixes to Jira Service Desk 4.12.0:

  • From JSD 4.12 onwards it is possible to integrate Confluence Cloud as a Knowledgebase.
  • Also, from JSD 4.12 onwards it is possible to integrate Jira Service Desk with Opsgenie and set up incident management for individual projects. This allows service desk agents to view ongoing incidents, create new ones to alert the Opsgenie teams right away, and link incidents to related requests to give everyone involved more context.
  • JSD Help Center does not properly show the wiki-style markup in the Request Type description (JSDSERVER-6932).
  • Knowledgebase articles can’t be opened in some cases if Jira is connected to at least 2 Confluence instances (JSDSERVER-6691).

Our advice

Considering the number of major bugs fixed in the releases covered this month and not to mention the new features that have been added, especially in Jira 11. We highly recommend to upgrade Jira to Jira 8.12, but we do suggest to wait on the first bugfix release for this version (8.12.1), which should be just around the corner.

The same applies for the Long Term Support (LTS), formerly Enterprise release customers, we strongly advise upgrading to Jira 8.5.7, which was released on August 10th.

Confluence’s July and August Release Highlights

Confluence 7.6.1 and 7.6.2

Confluence bugfix release 7.6.1 and -2 were released on the 15th and 27th of July respectively. Major bugfixes included in these releases are:

  • Custom Fields are missing in the Jira Issue Macro after upgrading to Confluence 7.4.1, 7.5.0, 7.6.0 [LTS 7.4.3] (CONFSERVER-60050).
  • When Confluence asynchronous events are generated faster than Confluence can process them this queue is backed up, typically due to a performance issue. The error message that is printed to the log is too implicit about what is causing the issue and troubleshoot it. The error log message has been made more explicit in Confluence 7.6.2 [LTS 7.4.4] (CONFSERVER-55028).
  • Jira macros where that are configured to display the Epic Name field throw an unexpected error [LTS 7.4.3] (CONFSERVER-60029).

Confluence 7.7.2

Confluence 7.7.0 and 7.7.1 are marked as internal releases, hence Confluence 7.7.2 is the latest Confluence feature release publicly available since August 19th. This release includes the following new features:

  • From Confluence 7.7 onwards, webhooks can be created! Webhooks are a way for one application to notify another application, in real-time, when an event happens.
    The events where webhooks can be created for in Confluence include:
    • when users or groups are added and removed
    • when content is created or updated
    • when content is deleted, restored, or purged from the trash.
      Checkout the Managing Webhooks knowledge base article for more details!
  • The editor has been upgraded with fixes for several long-standing frustrations related to:
    • copying and pasting lists
    • navigation within tables
    • inserting links
    • using keyboard shortcuts
    • changing cell background colors
  • Hundreds of accessibility improvements have been added that were identified in during a Voluntary Product Accessibility Template (VPAT) assessment, including:
    • missing names for buttons
    • no labels on form elements
    • keyboard navigation bugs
    • non-text content
    • missing lang attributes and language codes
  • Improvements have been added to the Page Properties Report macro. The loading time has been improved and several performance issues have been fixed that limited the report to 500 pages.
    This improved performance means the macro will display up to 3000 pages by default. But, this is configurable; system administrators can increase or decrease the limit using a system property.
  • Several Data Center improvements have been added, including:
    • From Confluence 7.7 onwards, rebuilding the search index in a cluster is less of a hassle. The number of steps has been reduced, and no more need for any manual file handling.  Rebuilding the index on one node will automatically propagate the new index file to every other node in the cluster. Last, but not least, a refreshed UI allows you to see exactly where the process is up to, from any node in the cluster.
    • More improvements to the audit log, including:
      • Filter by category
      • Filter by summary
      • Change log file retention settings, i.e. the limit of 100 log files has been removed and this is now configurable
    • Just-in-time user provisioning (JIT provisioning) has been added and allows users to be created and updated automatically when they log in through SAML SSO or OpenID Connect (OIDC) SSO to Atlassian Data Center applications such as Jira, Confluence, or Bitbucket. Preventing log in failure when using SSO if the user is not present in one of the user directories.

Important bugs that have been fixed in Confluence 7.7.2, include:

  • When adding an image to a page and applying an image effect, if you choose drop-shadow the ImageFilterEffect thread will become long-running and cause a JVM pause while it’s attempting to go to savepoint for garbage collection or other VM tasks. Pauses can be an upwards of 35 seconds, which is long enough to cause a node ejection in Data Center environments if the Hazelcast heartbeat is set to the default interval of 30 seconds or less. Other pauses can still be 9-24 seconds, during which the Confluence application would be totally inaccessible [LTS 7.4.4] (CONFSERVER-59837).
  • Performance bottlenecks can be triggered by Label related queries on large Confluence instances (CONFSERVER-58137).
  • Configuring Confluence’s Tomcat connector with a protocol different from Http11NioProtocol may cause the startup check to alert about the maxThreads attribute not being configured (CONFSERVER-58739).

Our advice

Confluence 7.7.2 is definitely an interesting release to upgrade to, we suggest to upgrade to this release, except if you are an LTS customer.

For the Long Term Support (LTS), formerly Enterprise release customers, Atlassian will make the bugfix release 7.4.4 available any time soon. We advise to upgrade to this version once available as this and the prior 7.4 LTS bugfix releases include important bugfixes.

Another thing concerning the companion app, it is now possible to set trusted domains/sites before rolling out the Companion app to all users. Setting your Confluence URL as a trusted domain means users don’t have to select ‘Trust this domain’ when they edit a file for the first time. Set your trusted domains with an environment variable or during the MSI installation for your users, to make it less of a burden to use this app.

Bitbucket’s July and August Release Highlights

Bitbucket 7.3.2

On July 28th, the Bitbucket 7.3.2 bugfix release has been released, including fixes for the following bugs:

  • The project key in the pull request links is case sensitive. Links with lower case project keys do not work correctly (BSERV-12415).
  • Audit configuration properties àre not working. These are the properties starting with “plugin.audit.” from this section in the In bitbucket.properties file (BSERV-12409)

Bitbucket 7.4.0 and 7.4.1

The new features included in the 7.4.0 Bitbucket release are:

  • Integrated CI/CD has been added in two new ways in Bitbucket Server.A new Builds page
    • And a new Builds tab on the Pull requests page.
    • When you integrate Bitbucket with Bamboo, Jenkins, or any other CI application, build results and additional related info can be viewed on these two new Bitbucket pages. In upcoming Bitbucket releases, new features will be added to these pages.
  • Bitbucket 7.4 includes significant improvements to how Git hosting is handled for both HTTP and SSH that includes:
    • a new approach to running Git processes that reduce threads used for hosting requests by 80%.
    • a rewritten SCM cache implementation that allows sharing cached packs between clients regardless of request protocol (HTTP or SSH) or Git wire protocol (v0 or v2).
  • Comments that are in older diffs or that have become outdated due to a pull request update used to disappear. From Bitbucket 7.4 onwards, selecting the other comments counter when it appears on your pull request, will give you more context on why code has changed throughout a pull request by being able to:
    • see a file’s activity stream showing comments that are outdated or appear on another diff.
    • distinguish which comments are actually outdated.
    • reply to, like, delete, or react to outdated comments the same way you can from the overview tab.
  • Support for PostgreSQL 12. Support will be removed for PostgreSQL 9.4 in Bitbucket Server 8.0.
  • Data Center also received some new features:Bitbucket Data Center customers are now able to set instance-wide permissions to have control over who can delete a repository.
    • More improvements to the audit log, including:Filter by category
    • increased coverage of auditing events in Bitbucket Data Center
    • the addition of more information to many of the existing ones, like extra attributes and linking to the user in affected objects
    • event names that are now summarized and turned into human-readable titles in the audit log, allowing them to be translated into their own language
    • Change log file retention settings, i.e. the limit of 100 log files has been removed and this is now configurable

Bitbucket 7.4.0 and 7.4.1 include fixes for the following important bugs:

  • Since Bitbucket 6.10.3 application/javascript MIME type files are not getting compressed by Bitbucket before being sent to the client. By default all javascript related MIME types should be compressed, however, even with listing application/javascript explicitly with server.compression.mime-types, they are not (BSERV-12382).
  • When readme.md contains a URL that contains an asterisk, the resulting link points to “null” (BSERV-12341).
  • Mirror nodes can time out while building the local diffs, as the idle timeout is set to the default value of 60 seconds and the process may take longer than that to produce the response (BSERV-12444).

Bitbucket 7.5.0 and 7.5.1

On August 11th, Atlassian made Bitbucket 7.5.0 available. New features included in this release are:

  • As promised, further improvements for the Builds page and the Builds tab. Optimization for accessing the new Builds page and tab with build status icon which will take you straight to the most relevant view from anywhere in Bitbucket. When you’re on the Branches list page, clicking a build status will take you to the Builds page with that branch selected. Similarly, when you’re on the Pull requests list page, clicking a build status will take you to that pull request’s Builds tab.
  • When Jenkins is integrated, Jenkins, direct links in Bitbucket Server are available to logs and artefacts for each build.
  • Setting a system-wide default branch name is now possible in Bitbucket for all new repositories. Alternatively, users can set the default branch when creating a repository.
  • Java versions 11.0.0 – 11.0.7 are no longer recommended due to the Java bug, JDK-8241054.
  • Support for Git 2.28 has been added.
  • Just-in-time user provisioning (JIT provisioning) has been added and allows users to be created and updated automatically when they log in through SAML SSO or OpenID Connect (OIDC) SSO to Atlassian Data Center applications such as Jira, Confluence, or Bitbucket. Preventing log in failure when using SSO if the user is not present in one of the user directories.

The following important fixes for bugs are included in these releases:

  • Upon starting up the Bitbucket Server, there is an error message claiming that the class related to Bamboo is not loaded (BSERV-12272).
  • If the upstream repository does not have a master branch, and its default branch is defined differently, a mirror-sync of this repository will fail (BSERV-12526).
  • When farm vet detects a lot of content inconsistencies during mirror startup and tries to sync them, suddenly syncing process stops and the mirror never changes to SYNCHRONIZED status, causing a deadlock (BSERV-12489).

Our advice

Some nice new features have been introduced for Bitbucket, especially if you integrate with CI/CD tools. Also for Data Center customers, some critical/major bugs have been fixed and cool new features have been added. We advise you to upgrade to the latest 7.5.1 release.

Nothing has changed for customers following the Long Term Support (formerly Enterprise) releases. They can upgrade to Bitbucket 6.10.5, but it’s probably not worth the effort and downtime if you are already on Bitbucket 6.10.4.
We expect Atlassian to label their Bitbucket 7.6 or 7.7 feature release as the new LTS release. So, it is probably wise to wait for that to become available.

Bamboo’s July and August Release Highlights

Bamboo 7.1

More than a month ago, on July 24th, Atlassian released Bamboo 7.1. Loads of new features and bug fixes are included. We tried to cover the most important ones:

  • A long awaiting issue of synchronizing remote agent capabilities has been addressed! Starting from version 7.1, modifying a remote agent capability in the bamboo-capabilities.properties will also modify that capability in Bamboo. Read more about it in Configuring remote agent capabilities using bamboo-capabilities.properties and Synchronising remote agent capabilities with Bamboo Server.
  • It is now also possible to update or remove the agent’s capabilities in Bamboo through the Bamboo REST API.
  • As of version 7.1, build and deployment workspaces are removed from remote agents’ home directories if corresponding entities are removed on Bamboo server. In case of agents with long build history, the cleanup happens gradually, in order to avoid agent unresponsiveness upon upgrade.
  • Just like with Confluence, Bamboo 7.1 now supports webhooks. These allow you to send selected real-time information about Bamboo to third-party applications. For example, display Bamboo build status in your team’s chatroom, or signal an alarm in case a plan fails. Pretty useful! For more information, checkout Using webhooks.
  • Bamboo 7.1 adds a new variable type – a project variable. Project variables are defined for a specific project and have the same value for every plan that belongs to the project. If you want to define a variable for a specific plan, define a plan variable as described in Defining plan variables. To read more about project variables, see Defining project variables.
  • In Bamboo 7.1, you can mark your tasks as conditional, which means they will run only under certain conditions. You can use variables and regular expressions to create conditions that have to be met to run a task. This way you can skip build steps in plan branches, decide what tasks are mandatory and what could be skipped. You can set conditions for tasks through Bamboo UI or by using Bamboo Specs. For more information, see Configuring tasks.
  • Bamboo now allows exporting existing plans and deployments to Bamboo YAML Specs automatically. For more information, see Exporting existing plan configurations to Bamboo YAML Specs.
  • Other Bamboo Specs improvements included in this release are:
    • It’s now possible to predefine different configuration for specific branches in Bamboo YAML Specs.
    • You can now define different Bamboo Specs configuration for different Bamboo instances.
    • An option to override the default number of concurrent builds in YAML.
  • Excessive logging is known to cause serious performance problems including build result processing timing out (grey builds). One way to mitigate this problem is to turn live log transmission off, which is a new feature in Bamboo 7.1. See Configuring live logs transmission.
  • Support for PostgreSQL 11

Bugs fixed in this release include:

  • Bamboo crashes with H2 db and Java update version higher than 255 (BAM-21018).
  • Branch plan created through a pull request is not disabled when the corresponding PR is deleted (BAM-20995).
  • Providing a passphrase encrypted by another Bamboo instance can break repositories and cause Bamboo to not start up (BAM-20946).
  • Local agent has JMS RequestTimedOutIOException randomly (BAM-20939).
  • Having Specs Branches enabled, Bamboo will fail to run a build where an Artefact Download task is configured (BAM-20892).
  • Keep the previous latest build result during expiry if the latest build only has specs build (BAM-20213).
  • Docker Runner build will fail if the image used specifies a non-root user for the USER in the Dockerfile (BAM-19827).
  • By using the REST API, users are able to dedicate agents, which can lead to denial of service situation if someone misuses this to dedicate all the agents. Agent assignment can now be restricted to admins only (BAM-19760).

Our advice

The Bamboo 7.1.0 feature release contains very nice feature improvements and welcome bugfixes. We suggest upgrading Bamboo to release 7.1.0.

If you are still on Bamboo 6, Bamboo 7.1.0 is safe to upgrade to as it ha been out for more than a month already. Test it thoroughly though and involve your key users. Don’t forget to test your most important build and deployment plans.

Thanks for reading!

Read our blog Upgrade Best Practices for stress-free upgrades or contact us if you have any (support) questions.