Bitbucket 7.17.X LTS

Dec 9, 2021 | Jira Addons

Bitbucket’s new Long Term Support version: the new stuff, the fixed stuff and the Kubernetes

Long Term Support releases backport critical security and product bug fixes so that, if you only upgrade once a year, you know you have a stable, critical-fix version to work with.

The last LTS release was 7.6, and since then there have been over 140 bug fixes and updates.

    New functionality released since the last LTS release.

    Jira integration

    • On the Bitbucket dashboard, you can see open Jira issues assigned to you. This makes it easy to see what’s coming up at a glance without jumping between tools.
    • Require Jira issues in commit messages with the built-in commit checker for Jira issues.
    • Integrate with Jira Software Cloud using OAuth to enable Bitbucket Data Center to send enhanced development information to your Jira site.

    Flexibility and control

    • The Required builds merge check gives admins more flexibility and control over pull requests that are being merged into important destination branches.
    • Database password encryption allows you to encrypt the database password that is stored in the bitbucket.properties file.

    Performance and scaling

    • Manage all of your repositories in Bitbucket Data Center from one location.
    • Automatically decline inactive pull requests to increase productivity and optimize the performance of your Bitbucket instance.

    An enhanced developer experience

    • Reviewer groups for pull requests help you quickly add the right reviewers that need to be involved with your code review.
    • Draft multiple comments on files and code during a review process, then send them all off at once using the code review workflow.
    • Collaborate with your team by sharing ideas that combine code, data, and visualizations by rendering Jupyter notebooks.

    Upgrading made easy

    • Upgrade Bitbucket Data Center to a later bug fix version without downtime by performing a rolling upgrade.

    Integrated CI/CD

    • Set up actions and rerun builds from Bitbucket on the Builds page and Pull request page Builds tab.

    Bug fixes since 7.6

    There are a number of bug fixes that have been implemented since the 7.6 LTS release. Here are some of the highlights.

    Unicode characters allow malicious code to be hidden from a human reviewer (Bitbucket Server / DC)

    • Researchers at the University of Cambridge reported a vulnerability affecting Bitbucket Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter. The issue is now fixed.
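    As an added example (not part of the release notes or Atlassian's code), here is a small Python check that a reviewer, a CI job or a pre-receive hook could run to flag the bidirectional override characters described above before a human reviews the diff. The sample source is constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Unicode bidirectional control characters: they change how an editor or
# browser displays text but not how a compiler or interpreter tokenises it.
BIDI_CONTROLS = {
    "\u202A": "LEFT-TO-RIGHT EMBEDDING",
    "\u202B": "RIGHT-TO-LEFT EMBEDDING",
    "\u202C": "POP DIRECTIONAL FORMATTING",
    "\u202D": "LEFT-TO-RIGHT OVERRIDE",
    "\u202E": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}

@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number
    column: int     # 1-based code point index within the line
    codepoint: str  # e.g. "U+202E"
    name: str       # Unicode character name

def find_bidi_controls(source: str) -> list[Finding]:
    """Return every bidi control character in `source`, in reading order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return findings

def format_findings(source: str, path: str) -> list[str]:
    """Render findings as 'path:line:col: U+XXXX NAME' strings for a hook or CI log."""
    return [f"{path}:{f.line}:{f.column}: {f.codepoint} {f.name}"
            for f in find_bidi_controls(source)]

# Constructed sample: in a rendered diff the comment on line 3 appears to end
# before the condition, while the interpreter sees the whole line as a comment.
SAMPLE = (
    "def is_admin(user):\n"
    "    access = False\n"
    "    # \u202eif user.role == 'admin': \u2066# safety check\n"
    "    return access\n"
)

if __name__ == "__main__":
    for msg in format_findings(SAMPLE, "sample.py"):
        print(msg)
```

    A pre-receive hook would reject the push when `find_bidi_controls` returns anything for a changed file, or require an explicit allow-list for files that legitimately contain right-to-left text.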

    Pull request diff page errors when displaying code insights file reports

    • There is a race condition when loading the annotations for a file: they can belong to a report that was published after the page was loaded.
      This results in an error being thrown that propagates up to the diff tab level.

    User renames can trigger permission errors from event listeners

    • Each Bitbucket Data Center user can have a personal project, where they can create their own repositories. When a user is renamed, their personal project’s details are updated to match and a ProjectModifiedEvent is raised. If that rename is processed as part of directory synchronization, however, there’s no context user. That means if any event listeners try to access the project without using the SecurityService to escalate permissions, the listener fails.

    Child Git processes are not terminated cleanly, and keep piling up as zombie processes (and yes, I grabbed this one because Zombies)

    • Multiple customers are seeing zombie (defunct) Git processes after an upgrade to 7.x (the earliest affected version reported is 7.2.4). The parent process, as expected, is Bitbucket Server, so the processes are cleaned up only once Bitbucket Server is restarted.

    On pull requests, the merge UI should not timeout before the server request

    • When merging a pull request, if that merge takes longer than the default timeout in the UI (1 minute), the UI will time out the request before the server finishes the merge. We allow up to 5 minutes for a merge to finish, so the UI should wait for the server request to finish.

    Commits added to a pull request by rescoping sometimes don’t get linked to the pull request

    • When pull requests are updated, the system stores metadata that associates the commit and the pull request. When viewing that commit on the repository “Commits” tab, it will show the pull requests it’s associated with, if any. However, in certain scenarios, new commits associated with an existing pull request do not have that metadata link created. They still show up on the pull request’s “Commits” tab, but when viewing the commit from the repository “Commits” tab (left sidebar) or retrieving pull requests by commit via REST the pull request will not be included.

    Searching in Bitbucket results in deadlocked threads

    • On attempting to search for results in Bitbucket, it’s possible that the thread handling the search request can get into a deadlock, permanently increasing the number of concurrently executing threads until the JVM is restarted.

    Update lodash to 4.17.20+ due to security vulnerability

    • lodash is vulnerable to a prototype pollution attack. The vulnerability exists due to the ability to inject properties on Object.prototype using the function `zipObjectDeep`, leading to denial of service (DoS) and possibly other forms of attack.

    Security bug fix request for Apache Tomcat CVE-2020-13943 Vulnerability

    • Bug fix request for CVE-2020-13943 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13943).

      If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers – including HTTP/2 pseudo headers – from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

    You can see the other bug fixes in the Bitbucket Data Center and Server 7.17 Long Term Support Release Change Log.

    Kubernetes

    Not going to lie, I broke this out in part because the word Kubernetes amuses me. It is Greek for “helmsman”, “pilot” or “governor” (the controller definition, not the politician), and the word cybernetics is derived from it. It is also known as K8s and is an open source system for automating deployment, scaling and management of containerized applications.

    Kubernetes clusters can be used to more efficiently utilize an organization’s infrastructure. It allows you to scale your data center up and down and manage and schedule your workloads to drive greater agility while simplifying the administration. Atlassian offers Helm charts on GitHub for installing and operating Atlassian products like Bitbucket, Jira and Confluence. You can go to Running Data Center products on a Kubernetes cluster to learn more.

    Should you upgrade? – YES

    If you have Data Center and want to use Kubernetes, the upgrade is the way to go. On Server, the bug fixes and additional functionality make it worthwhile, especially if you haven’t updated in a while. In addition, the fact that this is a Long Term Support release means that you won’t have to do a full upgrade to get critical security and bug fixes.