September 2019 Atlassian Release Highlights

30 September 2019

Welcome to the September 2019 edition of our monthly recurring blog post covering the highlights of Atlassian Server and Data Center product updates. For each product, we cover a selection of the most exciting new features, bug fixes and security advisories that were released in the last month. Highlights this month are the Confluence 7 platform release and 3 security advisories regarding Jira, Jira Service Desk and Bitbucket.

Another important update concerns all Atlassian products and Atlassian-owned apps: starting October 3, 2019, Atlassian will update its product pricing. New Server licenses in particular will see a significant price increase. Read more about it right here…

As TMC ALM, we provide services for keeping your products up-to-date. We have a lot of experience with upgrading Atlassian environments safely and securely. Your data and business continuity have our top priority! Looking at Atlassian from a Platinum partner perspective, we notice a significant trend. Although this is a monthly release update, when we zoom out and look at Atlassian (feature) development in general, we see that the main focus is on Data Center and cloud. To learn more about what this trend or the new releases mean for you and your organisation, please check out our services page or contact us.

Jira’s September Release Highlights

Feature release 8.4 was released in September and was followed by bugfix release 8.4.1, which contains a critical security fix for security advisory CVE-2019-15001.

Jira 8.4 – New features!

Some minor new features and a series of bug fixes have been added to Jira in version 8.4. Atlassian is preparing its enterprise release version (Jira 8.5). As expected, no big new features were introduced in version 8.4. Here are the highlights:

  • You can now use filters to scope the users that are available in a custom field of the user picker type (JRASERVER-36833).
  • For Data Center, the archived issues overview received filter options.
  • Batched email notifications are now enabled by default.
  • By default, external links will open in new tabs. This has become a user preference that can individually be changed.
  • Official Docker images are now available for Jira Server and Data Center products. Amazon Aurora PostgreSQL support for Data Center has been added as well.
  • Boards have been optimized to handle a huge number of unreleased versions (JSWSERVER-16401/JSWSERVER-13194).
  • The Createmeta REST endpoint will be replaced by new endpoints that are available from Jira 8.4 onwards. The new endpoints return projects, issue types and fields separately, instead of all at once as the old endpoint does, which could even cause Jira to become unresponsive. You can find more details here. The Createmeta REST endpoint will be removed in the next Jira platform release (Jira 9). If you have any custom scripts or integrations that use this endpoint, you should update them as soon as possible (JRASERVER-69897).
  • A series of security vulnerabilities have been fixed with Jira 8.4. More details can be found here.
  • A bug which first occurred in Jira 8 has been fixed in Jira 8.4. This bug removed text in the “add comment” field when switching tabs (JRASERVER-69186).
  • Also present since Jira 8, but now fixed, is a bug that showed an exception when creating an issue link while uploading an attachment to the issue (JRASERVER-68980).
  • The Issues → Custom Fields page would show no custom fields when fewer than 2 language packs had been enabled. This has been fixed with Jira 8.4.1 (JRASERVER-67956).
  • Using @mention with a clipboard paste now has predictable behaviour (JRASERVER-67598).
  • To prevent data exposure, the “Anyone” and “Public” groups are now called “Anyone on the web” in the global permissions. Also, warnings are now more explicit when one selects this group, and it is no longer the default selected group.

Jira 8.4.1 – Security fix for CVE-2019-15001

Jira 8.4.1 is all about fixing a single critical security vulnerability. This vulnerability allowed an attacker to remotely execute code using template injection in the Jira Importers Plugin (JIM). An attacker requires “JIRA Administrators” access to be able to exploit this vulnerability. An attacker with admin access is an unlikely situation. Nevertheless, updating to Jira 8.4.1 fixes this, or you can block a certain REST endpoint as a temporary workaround. Details can be found here. The last two enterprise releases (Jira 7.6 and Jira 7.13) also received this fix.

Jira Service Desk

Jira Service Desk (JSD) also received its own security advisory, that’s a first! Jira Service Desk is growing up so fast… As can be expected, feature release 4.4 and bugfix release 4.4.1 were released in September. The latter contains the security fix for CVE-2019-14994.

Service Desk 4.4 – New JSD improvements!

Though many of the features and bug fixes for JSD 4.4 are inherited from Jira 8.4, JSD has received some interesting improvements on its own as well:

  • The browse permission has finally been updated to what one would expect it to enable:
    • view requests one previously created
    • view requests they’re a request participant of
    • receive request notifications
    • approve requests.
  • Calendars have been greatly improved, meaning:
    • They now have their own page.
    • At day level you can now add multiple shifts, lunch breaks, etc. so that you only track the time that counts.
    • For holidays it’s made possible to import an ICS file that spans multiple years.
  • Issue archiving in JSD now has an improved customer experience and the ability to archive using automation.
  • A long outstanding bug that encodes the “Customer Request Type” field when exporting issues to CSV format is finally fixed in JSD 4.4 (JSDSERVER-4520).

Service Desk 4.4.1 – Fixes both CVE-2019-15001 and CVE-2019-14994

As with Jira, JSD 4.4.1 is a critical security fix, and it’s the first time that a critical security vulnerability has been exposed specifically in JSD.

Our advice

Whatever release you are on, we definitely suggest updating to Jira 8.4.1 and/or JSD 4.4.1, as this turns out to be a very stable release. If you are dependent on the Enterprise releases, we suggest applying the mitigation fixes for the security advisories and waiting for Jira 8.5 and/or JSD 4.5 in order to minimize downtime.

Confluence’s September Release Highlights

Finally! Confluence 7, the new platform release, is out in the open! But is it that spectacular? In short, no. Most of the really big changes were already available in the latest Confluence 6 feature releases, making 7 a platform release without noticeable changes. Atlassian acknowledges this, saying it contains the technical groundwork for future improvements to performance and scale, enabling them to continue building a solid set of features to meet the needs of admins and end-users in large enterprises. That last part can be interpreted in various ways, but looking at the past it could mean that more and more new features will be available first or only for Data Center.

Though Jira 8 had some noticeable changes, new features were mainly introduced with Jira 8.1. Let’s see if Atlassian repeats that with Confluence. The Confluence 7 Enterprise Release is planned for sometime next year, and Atlassian isn’t more explicit than that.

The biggest new feature is probably Content Delivery Network (CDN) support. Jira already has it and now Confluence does too. CDN allows you to serve static assets (such as JavaScript, CSS, and fonts) from servers closer to your users, resulting in faster page load times. Remember that this is a Data Center only feature.

Another very nice feature, which is more of a bug fix really, is that 2 new Synchrony cleanup scheduled jobs have been added. On busy instances, this can greatly improve page saving performance. More info here.

Our advice

As 7.0.1 is the first public release of Confluence 7, we suggest you wait with upgrading at least until 7.1.1 is available, hopefully containing some new features. The only case we can imagine that really makes it worth upgrading is if you are on Data Center and CDN is a feature that would highly benefit your users’ experience, or you’re having trouble getting Synchrony working. Do note that a lot of apps are still not compatible with Confluence 7!

Bitbucket’s September Release Highlights

Bitbucket received no new features this month but did get a critical security fix and a few minor bug fixes. The security advisory concerns a vulnerability that allows an attacker to inject additional arguments into Git commands, which could lead to remote code execution. An attacker needs to be able to access a Git repository in Bitbucket, but where public access is enabled the issue can be exploited anonymously.

The fix is to update to one of the versions below or to install a hotfix plugin available from the security advisory. This comes with a side note: apps (add-ons) may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the standard functionality of Bitbucket.

  • 5.16.10
  • 6.0.10
  • 6.1.8
  • 6.2.6
  • 6.3.5
  • 6.4.3
  • 6.5.2
  • 6.6.0
  • 6.6.1
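
To check an inventory of Bitbucket instances against the list above, here is a small added example (not code from Atlassian or the advisory). It assumes that later patch releases on a listed release line keep the fix, and the instance names and versions in the sample are constructed.

```python
# Lowest fixed patch release per Bitbucket release line, from the list above.
FIXED_PATCH = {
    (5, 16): 10,
    (6, 0): 10,
    (6, 1): 8,
    (6, 2): 6,
    (6, 3): 5,
    (6, 4): 3,
    (6, 5): 2,
    (6, 6): 0,
}


def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints, rejecting anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(p) for p in parts)


def fix_status(version):
    """Classify a Bitbucket version against the fixed releases listed above."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        needed = FIXED_PATCH[line]
        if patch >= needed:  # assumption: later patches on the line keep the fix
            return "fixed"
        return f"update to {major}.{minor}.{needed} or later"
    if line < min(FIXED_PATCH):
        # Release lines older than 5.16 have no fixed release in the list.
        return "unlisted older line: move to a listed release"
    # Lines not covered by the list: do not guess, consult the advisory.
    return "unlisted line: check the advisory"


def audit(inventory):
    """Return {instance: status} for every instance that is not confirmed fixed."""
    report = {name: fix_status(version) for name, version in inventory.items()}
    return {name: status for name, status in report.items() if status != "fixed"}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical instance names).
    sample = {"bb-prod": "6.5.1", "bb-test": "6.6.1", "bb-legacy": "5.15.3"}
    for name, status in audit(sample).items():
        print(f"{name}: {status}")
```

Instances reported as fixed by version can still be exposed through apps, as noted above for the hotfix, so review installed apps that run Git commands as well.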

Our advice

If you use Bitbucket without any apps, or only with apps that do not perform Git commands, install the hotfix; otherwise, update the instance to whichever release from the list above suits you best.

Bamboo’s September Release Highlights

After months of waiting, which is pretty usual for Bamboo, a new feature release has been made available: Bamboo 6.10. And this release has some interesting highlights:

  • The service wrapper for Bamboo agents has been updated to version 3.5.39, fixing some really frustrating bugs regarding agent management:
    • You can now select the time span in which Bamboo agents reconnect to the Bamboo server before they shut down. Hooray!
    • Agents did not use the system’s environment variables, only the user’s environment variables. This has been fixed by the service wrapper update!
  • It’s now possible to use personal access tokens instead of user credentials when making REST calls.
  • Atlassian calls it selectable quick filters, but basically, you can favourite some quick filters and ignore the others at a user’s level.
  • Support for Docker build arguments has been added (more info).
  • The GitHub repository connector now works with GitHub Enterprise.

Our advice

If you manage a lot of agents, upgrading to Bamboo 6.10.2 is a must. The addition of favourite quick filters and personal access tokens is nice, but no reason to create downtime.

Planning downtime can be a pain with large instances. You could also choose to only pull the agent installer from a temporary Bamboo 6.10 installation and update the agent. The installer is backwards compatible with older Bamboo releases.

That’s it! Hope you enjoyed the read and if you have any feedback, please let us know.