For the April security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. These vulnerabilities were found through our Azure DevOps Bounty Program. Thanks to everyone who has been participating in this program.
CVE-2019-0857: spoofing vulnerability in the Wiki
CVE-2019-0866: remote code execution vulnerability in Pipelines
CVE-2019-0867: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0868: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0869: HTML injection vulnerability in Pipelines
CVE-2019-0870: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0871: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0874: cross site scripting (XSS) vulnerability in Pipelines
CVE-2019-0875: elevation of privilege vulnerability in Boards
Azure DevOps Server 2019 Patch 1
If you have Azure DevOps Server 2019, you should install Azure DevOps Server 2019 Patch 1.
Verifying Installation
To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.
After installing Azure DevOps Server 2019 Patch 1, the version will be 17.143.28804.3.
TFS 2018 Update 3.2 Patch 3
If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 3.
Verifying Installation
To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.
After installing TFS 2018 Update 3.2 Patch 3, the version will be 16.131.28728.4.
TFS 2018 Update 1.2 Patch 3
If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 3.
Verifying Installation
To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.
After installing TFS 2018 Update 1.2 Patch 3, the version will be 16.122.28801.2.
TFS 2017 Update 3.1 Patch 4
If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 4.
Verifying Installation
To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.
After installing TFS 2017 Update 3.1 Patch 4, the version will be 15.117.28728.0.
TFS 2015 Update 4.2
If you are on TFS 2015, you should upgrade to TFS 2015 Update 4.2 with the ISO or Web Install. For TFS 2015 Update 4.2 Express, you can upgrade with the ISO or Web Install. This is a full upgrade and will require you to run the Upgrade Wizard.
Hi,
I have TFS 2015 in Spanish installed on Windows Server in Spanish. When I try to install TFS 2015 Update 4.2 (tfsserver2015.4.2.exe) I get error "Stop Block: Dev14_LanguageInstall : The currently installed version of Team Foundation Server is a different language. There can only be one language of Team Foundation Server installed." This is because the setups wants to find HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DevDiv\tfs\Servicing\14.0\serverCore\1033 (English) but it finds HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DevDiv\tfs\Servicing\14.0\serverCore\3082 (Spanish)
So, where can I download TFS 2015 Update 4.2...
Hi Carlos,
Are you on a non-Spanish browser or operating system? The links are fwlinks that have logic to determine the language based on your browser or OS. For 2015 Update 4.2, the link for Spanish is https://go.microsoft.com/fwlink/?linkid=844068&clcid=0c0a. If that still doesn't work, here are what the fwlinks point to for Spanish:
https://download.visualstudio.microsoft.com/download/pr/9419b349-3e7e-4907-ba90-15c6aa0cbe3f/656fea677560c92bde0a51496f84be2d/tfsserver2015.4.2.exe
https://download.visualstudio.microsoft.com/download/pr/c268b4ab-1995-4f18-b1f6-b85d5f6f9d64/68c8dae4729b2cf1eaa8b012e2833190/tfsserver2015.4.2_esn.iso
Why you not update version in console TFS?..
Everytime I run one of these patches for 2017 the output is a bunch of "Waiting on process NNNNN (XXX seconds elapsed)" for several minutes, sporadic exceptions, waiting for the pool to stop for several more minutes, a final flurry of activity I suspect is that actual update running, and then the installer completes. I expect it to take several minutes and throw several exceptions and yet still 'succeed'.
Are the 2018 and 2019 installers...
I ran this against our server with 2017 3.1 and we now get an error starting up the TFS administration console saying that “There was an exception while launching the Team Foundation Administration Console: Could not load file or assembly ‘Microsoft.TeamFoundation.Framework.Server, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a’ or one of its dependencies. The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)”. Any thoughts?
this comment has been deleted.
Hi Aditya,
These are only applicable to the on premises environments. All vulnerabilities that impacted our cloud service have already been addressed, so no action is needed for the service.
this comment has been deleted.
@Erin, will these patches included in the ISO images downloadable from MSDN etc? If so, will take a long time? TIA
Hi Giulio,
No, these won’t be included in the MSDN/VS Subscription ISOs. You’ll have to apply these patches over the installations you do with the VS subscription ISOs.
But only the latest patch, all predecessors are included, right?
Correct. All of the patches include all the fixes from previous patches.
When will be the groundbreaking feature implemented for an unattend installation from patches?
🙂 We expect it to be available for the May security release.
Hi, I just installed this patch on two of our test Azure Devops 2019 servers. On both servers the installation succeeded but it encountered a timeout exception while waiting for the application pool to have succesfully stopped. It doesn’t seem to correctly detect that the pool has stopped so it’ll hit the timeout. When retrying it’ll instantly detect that the pool has stopped and continue with applying the patch.
Hello Corné,
I found out some information from my collegue, Matt.
Sorry that you ran into problems with the install. There are some rare cases where we don’t correctly detect that everything has stopped. In those cases, re-running the patch is the correct response, and it will correctly update the files and then restart the server.
Tried to apply the patch on a TFS2018 Update 3.2 Patch 2:Error patching files: System.UnauthorizedAccessException: Access to the path ‘C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\TFSJobAgent\Microsoft.TeamFoundation.DistributedTask.Orchestration.Server.dll’ is denied.
The current version of C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll is 16.131.28626.3 (I applied yesterday tfs2018.3.2patch2.exe)
Hi Daniel,
For TFS 2018 Update 3.2, it should be patch 3. Can you confirm you installed tfs2018.3.2patch3.exe, not patch2? Are you still having the System.UnauthorizedAccessException issue?
For TFS 2015 Update 4.2 is there an express version available? tfsexpress2015.4.2.exe
I just updated the post with the links for TFS 2015 Update 4.2 Express. The web install is at https://go.microsoft.com/fwlink/?linkid=844070. Thanks!
Thanks for the link. The install failed with “A setup package is either missing or damaged.” Since this is a web installer looks like its failing to download some packages during install. thanks,
I’m taking a look. In the meantime, can you get unblocked by downloading the ISO?
Had the same issue with the TFS 2015 Web Install, had to use the ISO to update without the error.