April patches for Azure DevOps Server and Team Foundation Server

Gloridel

This month, we are releasing fixes for security vulnerabilities that impact our self-hosted product, Azure DevOps Server, as well as the following older Team Foundation Server releases: TFS 2017 and TFS 2018.

The following vulnerability and bug will be fixed with this patch:

  • CVE-2021-27067: Information disclosure

  • CVE-2021-28459: Spoofing vulnerability

  • Resolve the issue reported in this Developer Community feedback ticket | New Test Case button not working. The fix for this issue was applied to Azure DevOps Server 2020 and 2020.0.1 with the February patch. With this patch we are fixing this issue for Azure DevOps Server 2019.1.1.

Azure DevOps Server 2020.0.1 Patch 2

To implement fixes for this patch you will have to follow steps to install Azure DevOps Server 2020.0.1 Patch 2. In addition, you will have to install the AzureResourceGroupDeploymentV2 and AzureResourceGroupDeploymentV3 tasks. Please see the release notes for installation instructions.

Azure DevOps Server 2020

If you have Azure DevOps Server 2020, you should first update to Azure DevOps Server 2020.0.1. Once on 2020.0.1, install Azure DevOps Server 2020.0.1 Patch 2. In addition, you will have to install the AzureResourceGroupDeploymentV2 and AzureResourceGroupDeploymentV3 tasks. Please see the release notes for installation instructions.

Azure DevOps Server 2019.1.1 Patch 8

To apply Patch 8 you will have to install Azure DevOps Server 2019.1.1 Patch 8 and AzureResourceGroupDeploymentV2 task. Please see the release notes for task installation instructions.

Azure DevOps Server 2019.0.1 Patch 10

To apply Patch 10 you will have to install the AzureResourceGroupDeploymentV2 task. Please see the release notes for task installation instructions.

TFS 2018 Update 3.2 Patch 15

To apply Patch 15 you will have to install the AzureResourceGroupDeploymentV2 task. Please see the release notes for task installation instructions.

TFS 2018 Update 1.2 Patch 10

To apply Patch 10 you will have to install the AzureResourceGroupDeployment task. Please see the release notes for task installation instructions.

TFS 2017 Update 3.1 Patch 13

To apply Patch 13 you will have to install the AzureResourceGroupDeployment task. Please see the release notes for task installation instructions.

27 comments

Comments are closed. Login to edit/delete your existing comments

  • Jens Kunze

    Is there a possibility to install the new versions for AzureResourceGroupDeploymentV2 and AzureResourceManagerTemplateDeploymentV3 on a server level?
    Because I needed to do the “tfx build task upload” for all of my collections. Otherwise a collection would still display old version.

    And what about, when I create new collections? Will the old versions of the tasks be used?

    Or do I have to use a special service url? Uploading worked only with “https://devopsserver/{CollectionName}”and not with “https://devopsserver/” as Service-URL.

  • Tore Østergaard Jensen (TORE)

    Hi

    The above section about Azure DevOps Server 2020.0.1 Patch 2 mentions the following two tasks:
    AzureResourceGroupDeploymentV2
    AzureResourceGroupDeploymentV3

    Whereas the release notes for the same mentions:
    AzureResourceGroupDeploymentV2
    AzureResourceManagerTemplateDeploymentV3

    I guess that the release notes are correct, right?

    Do I even need to install them if I do not need them? I am primarily installing the patch to fix the build retention. Then I would just get them when eventually upgrading to 2020.1 or a later version.