April patches for Azure DevOps Server and Team Foundation Server
This month, we are releasing fixes for security vulnerabilities that impact our self-hosted product, Azure DevOps Server, as well as the following older Team Foundation Server releases: TFS 2017 and TFS 2018.
The following vulnerabilities and bug will be fixed with this patch:
- CVE-2021-27067: Information disclosure
- CVE-2021-28459: Spoofing vulnerability
- Resolve the issue reported in this Developer Community feedback ticket | New Test Case button not working. The fix for this issue was applied to Azure DevOps Server 2020 and 2020.0.1 with the February patch. With this patch we are fixing this issue for Azure DevOps Server 2019.1.1.
Azure DevOps Server 2020.0.1 Patch 2
To implement fixes for this patch you will have to follow steps to install Azure DevOps Server 2020.0.1 Patch 2. In addition, you will have to install the AzureResourceGroupDeploymentV2 and AzureResourceGroupDeploymentV3 tasks. Please see the release notes for installation instructions.
Azure DevOps Server 2020
If you have Azure DevOps Server 2020, you should first update to Azure DevOps Server 2020.0.1. Once on 2020.0.1, install Azure DevOps Server 2020.0.1 Patch 2. In addition, you will have to install the AzureResourceGroupDeploymentV2 and AzureResourceGroupDeploymentV3 tasks. Please see the release notes for installation instructions.
Azure DevOps Server 2019.1.1 Patch 8
To apply Patch 8 you will have to install Azure DevOps Server 2019.1.1 Patch 8 and the AzureResourceGroupDeploymentV2 task. Please see the release notes for task installation instructions.
Azure DevOps Server 2019.0.1 Patch 10
To apply Patch 10 you will have to install the AzureResourceGroupDeploymentV2 task. Please see the release notes for task installation instructions.
TFS 2018 Update 3.2 Patch 15
To apply Patch 15 you will have to install the AzureResourceGroupDeploymentV2 task. Please see the release notes for task installation instructions.
TFS 2018 Update 1.2 Patch 10
To apply Patch 10 you will have to install the AzureResourceGroupDeployment task. Please see the release notes for task installation instructions.
TFS 2017 Update 3.1 Patch 13
To apply Patch 13 you will have to install the AzureResourceGroupDeployment task. Please see the release notes for task installation instructions.
27 comments
Release notes mention to download Node.JS v14.15.1 but that doesn’t seem available – should it be v14.16.1 (latest LTS version)?
Some additional advice regarding “Create a personal access token with Full access privileges” might be useful.
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=current-page
Hi Evahn, please use the latest version of Node.js. Thank you for your recommendation about including a link to documentation for access tokens. I will include with the next update to the release notes.
Hi,
release notes for TFS 2018 Update 3.2 Patch 15 says “to apply Patch 13 you will have to install…”
But Patch 13 is for TFS 2017 Update 3.1
So is it just a typo from the Patch number, or is the whole information for TFS 2018 Update 3.2 Patch 15 incorrect?
Best regards,
Christian
Hi Christian, I just fixed it. It was a typo.
Regarding TFS 2017 Update 3.1 Patch 13 – can you answer the below?
The release notes don’t cover the above detail.
https://docs.microsoft.com/en-us/visualstudio/releasenotes/tfs2017-update3#-release-date-april-13-2021
Many thanks.
Hi Scott,
Please find my answers below:
1. You can check from the TFX command logs for any failures. In addition, the task version for this fix is 2.1.5, so after installation, the task should show this version in the logs (it would be showing an older version before installation).
2. You can download the current task version at any time, the URL for that is /_apis/distributedtask/tasks/94A74903-F93F-4075-884F-DC11F34058B4/ . There is no change in the task except mitigating the security vulnerability, so you don’t need to roll back. If you do need to roll back, you will need to delete the task from the server using TFX CLI (using the command, tfx build tasks delete --task-id 94A74903-F93F-4075-884F-DC11F34058B4), followed by installing the downloaded task using the same procedure mentioned in the doc.
3. Since you are interacting with the ADO server, you would need to run these on the machine which is running the ADO server, or one from which the ADO server is accessible. You might need to set routing rules for the latter case.
Hi Ashwin,
could you provide the new task versions for every TFS version?
e.g. I just updated the Task on a TFS 2018 Update 3.2 Patch 15 and the command tfx build tasks list still shows version 2.131.3
Thx,
Christian
TFS 2018.3.2 Patch 15 : 2.131.8
Azure DevOps Server 2019.0.1 Patch 10 : 2.141.5
Azure DevOps Server 2019.1.1 Patch 9: 2.152.5
TFS 2017.3.1 Patch 13 : 2.1.5
TFS 2018.1.2 Patch 10 : 2.2.9
Azure DevOps Server 2020 Patch 4 (AzureResourceGroupDeploymentV2) : 2.170.1
Azure DevOps Server 2020 Patch 4 (AzureResourceManagerTemplateDeploymentV3) : 3.2.9
Christian,
Could you also share the message you got when you tried command “tfx build tasks upload” on 2018 update 3.2 patch 15?
Also could you try triggering any pipeline which uses this task and verify version there too?
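An added example (not from the original post, the comments or Microsoft's release notes) of the version check discussed above: it compares the task version seen after an upload against the patched versions listed in the comment, numerically rather than as strings, and only within the same major version. The sample listing, its `key : value` layout and the task name in it are constructed assumptions about what `tfx build tasks list` prints.

```python
import re

# Patched task versions copied from the comment above, keyed by release label.
FIXED_TASK_VERSIONS = {
    "TFS 2017.3.1 Patch 13": "2.1.5",
    "TFS 2018.1.2 Patch 10": "2.2.9",
    "TFS 2018.3.2 Patch 15": "2.131.8",
    "Azure DevOps Server 2019.0.1 Patch 10": "2.141.5",
    "Azure DevOps Server 2019.1.1 Patch 9": "2.152.5",
}

# Constructed sample; the "key : value" layout and the values are assumptions.
SAMPLE_OUTPUT = """\
name          : AzureResourceGroupDeployment
friendly name : Azure Resource Group Deployment
version       : 2.131.3
"""

def parse_version(text):
    """'2.131.8' -> (2, 131, 8), so comparison is numeric rather than lexical."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def parse_task_list(output):
    """Collect {task name: [version strings]} from the listing text."""
    tasks, current = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*(name|version)\s*:\s*(\S+)\s*$", line)
        if not m:
            continue  # friendly name, description, blank lines
        if m.group(1) == "name":
            current = m.group(2)
            tasks.setdefault(current, [])
        elif current is not None:
            tasks[current].append(m.group(2))
    return tasks

def check_task(output, task_name, release):
    """Return (status, newest installed version within the patched major line)."""
    required = parse_version(FIXED_TASK_VERSIONS[release])
    installed = [parse_version(v) for v in parse_task_list(output).get(task_name, [])]
    same_major = [v for v in installed if v[0] == required[0]]
    if not same_major:
        return "missing", None
    newest = max(same_major)
    status = "patched" if newest >= required else "outdated"
    return status, ".".join(map(str, newest))
```

The numeric comparison matters for values such as 2.2.9 and 2.131.8, which sort the wrong way round as plain strings.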
Where is fix https://developercommunity.visualstudio.com/t/waiting-for-available-socket/1247090?from=email ???
Hi Ivan, it has been fixed with this patch.
Hi Gloridel
I was told that the following issue would be fixed with the April patch, but cannot see it from the release notes:
https://developercommunity2.visualstudio.com/t/Azure-DevOps-Server-2020-Retention-Polic/1306205
Is it possible to install Azure DevOps Server 2020.0.1 Patch 2 directly on top of Azure DevOps Server 2020.0.1 RC? I aim for installing 2020.1 when released, but would be good to know in case that plan fails.
Hi Tore, it is not possible to install patches to a release candidate. Regarding the fix Developer Community ticket, it was fixed with this patch. I will update the release notes to reflect this. Thank you!
Hi Gloridel
I think we will go for 2020.0.1 RTW followed by 2020.0.1 Patch 2 as it seems that 2020 Update 1 has a bit time before release, based on your comment here: https://devblogs.microsoft.com/devops/azure-devops-server-2020-1-rc2-now-available/#comment-2538
I cannot see that the release notes have been updated yet, or am I looking in the wrong place?
https://docs.microsoft.com/en-us/azure/devops/server/release-notes/azuredevops2020?view=azure-devops#azure-devops-server-202001-patch-2-release-date-april-13-2021
I just did a direct/in-place upgrade of Azure DevOps Server 2019 (patch7) to ADS 2020, then I installed ADS 2020 Patch 1, 2, and 3.
Do I need to worry about any of the patches related to ADS 2020.0.1?
Hi William, to have fixes for these security patches you should first update to Azure DevOps Server 2020.0.1 and then install Patch 2. So far, we have released only 2 patches for Azure DevOps Server 2020.0.1.
Is there an offline patch 15 for TFS 2018 3.2?
When I click on the patch it takes me to patch 14.
You can find details about patch 14 in the release notes.
Hi,
in the release notes you wrote:
Option 2: Check the version of the following file: [INSTALL_DIR]\Azure DevOps Server 2019\Application Tier\Web Services\bin\Microsoft.VisualStudio.Services.Feed.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default. After installing Azure DevOps Server 2019.1.1 Patch 8, the version will be 17.153.31010.1.
Actually it’s a different version. After installing Patch 8 the version of the dll is 17.153.31129.2
Hi Christian, thanks for pointing this out. I have updated the release notes with the correct file version (17.153.31129.2).
Dear Gabriela, I have a question: when will git clone auditing be available in Azure DevOps? It is necessary for us, because this is a company policy. Help me please.
Thank you!!
Bayron
Good Afternoon.
I ran Azure DevOps Server 2019.1.1 Patch 8 and rebooted, then I did a verify with Run devops2019.1.1patch8.exe CheckInstall and my version shows up as 17.153.31010.1. Your update shows a new version 17.153.31129.2. I am not sure how to get my server to that version. What am I missing? My install says successful. What am I missing?
Thank you
Joshua
I found the issue, it is a patch 8 linking issue
Azure DevOps Server 2019 Update 1.1 Patch 8 Release Date: April 13, 2021
We have released a patch for Azure DevOps Server 2019 Update 1.1 that fixes the following. – This patch link leads to https://aka.ms/azdev2019.1.1patch8. – version 17.153.31129.2
CVE-2021-27067: Information disclosure
Resolve the issue reported in this Developer Community feedback ticket | Unable to register test result iteration details on Azure DevOps Server 2019
To implement fixes for this patch you will have to follow the steps listed below for general patch installation and AzureResourceGroupDeploymentV2 task installations.
General patch installation
If you have Azure DevOps Server 2019 Update 1.1, you should install Azure DevOps Server 2019 Update 1.1 Patch 8 – This link https://aka.ms/azdev2019.1patch8 (missing a .1) – version 17.153.31010.1
Hi Joshua,
one question: will the version 17.153.31010.1 be updated on the Azure DevOps Console after installing?
Currently it has not updated. Can you please comment on this?
Shadab