This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.
The following versions of the products have been patched. Check out the links for each version for more details.
Azure DevOps Server 2022.0.1 Patch 2
Update: If you have Azure DevOps 2022 and installed Patch 4, take a look at this post from the Developer Community before you install this patch.
Note: If you have Azure DevOps Server 2022, you should first update to Azure DevOps Server 2022.0.1 and then install install Azure DevOps Server 2022.0.1 Patch 2.
If you have Azure DevOps Server 2022.0.1, you should install Azure DevOps Server 2022.0.1 Patch 2.
-
CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.
-
Fixed a bug in SOAP calls where ArithmeticException can be raised for big metadata XML response.
-
Implemented changes to the service connections editor so that endpoint state flushes on component dismiss.
-
Addressed issue with relative links not working in markdown files.
-
Fixed a performance issue related to application tier taking longer than normal to startup when there are a large number of tags defined.
-
Addressed TF400367 errors on the Agent Pools page.
-
Fixed a bug where Analysis Owner identity showed as Inactive Identity.
-
Fixed infinite loop bug on CronScheduleJobExtension.
Verifying Installation
- Run
devops2022.0.1patch2.exe CheckInstall,devops2022.0.1patch2.exeis the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
Azure DevOps Server 2020.1.2 Patch 7
If you have Azure DevOps Server 2020.1.1, you should first update to Azure DevOps Server 2020.1.2. Once on 2020.1.2, install Azure DevOps Server 2020.1.2 Patch 7.
-
CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.
-
Update SSH service to support SHA2-256 and SHA2-512. If you have SSH config files hard coded to use RSA, you should update to SHA2 or remove the entry.
-
Addressed issue with relative links not working in markdown files.
-
Fixed a bug with comment navigation on a commit page.
-
Fixed a bug where Analysis Owner identity showed as Inactive Identity.
-
Fixed infinite loop bug on CronScheduleJobExtension.
Verifying Installation
- Run
devops2020.1.2patch7.exe CheckInstall,devops2020.1.2patch7.exeis the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
Azure DevOps Server 2020.0.2 Patch 3
If you have Azure DevOps Server 2020.0.1, you should first update to Azure DevOps Server 2020.0.2. Once on Update 2020.0.2, install Azure DevOps Server 2020.0.2 Patch 3.
- CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.
- Fixed a bug where Analysis Owner identity showed as Inactive Identity.
Verifying Installation
- Run
devops2020.0.2patch3.exe CheckInstall,devops2020.0.2patch3.exeis the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
Azure DevOps Server 2019.1.2 Patch 4
If you have Azure DevOps Server 2019.1.1, you should first update to Azure DevOps Server 2019.1.2. Once on Update 2019.1.2, install Azure DevOps Server 2019.1.2 Patch 4.
- CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.
- Update SSH service to support SHA2-256 and SHA2-512. If you have SSH config files hard coded to use RSA, you should update to SHA2 or remove the entry.
- Fixed infinite loop bug on CronScheduleJobExtension.
Verifying Installation
- Run
devops2019.1.2patch4.exe CheckInstall,devops2019.1.2patch4.exeis the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
Azure DevOps Server 2019.0.1 Patch 14
If you have Azure DevOps Server 2019.0.1, you should install Azure DevOps Server 2019.0.1 Patch 14.
- CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.
Verifying Installation
- Run
devops2019.0.1patch14.exe CheckInstall,devops2019.0.1patch14.exeis the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
Ms Morales
I am on 2020.1.2 patch 6. The ADS Admin Console shows 18.181.33921.3 (Azure DevOps Server 2020 Update 1.2).
I'm running ADS on an Amazon Web Services instance
- Windows Server 2022 Datacenter, 21H2. 64 Bit
- AMD EPYC 7571
I just attempted to install devops2020.1.2patch7.exe and got this error:
<code>
Can you help?
Alternatively, can I skip 2020 1.2 patch 7 and 2020 1.2 patch 8 and install 2020 1.2 patch 9?
How do I verify file integrity of Azure Devops patches? They are not listed in the Release Notes 256 SHA hashes.
Hi Andreas, we currently don’t publish SHA hashes for patches. What version of the product are you planning to patch?
@Gloridel Morales
could you please add a big warning that upgrading from AzureDevops Server 2022 Patch 4 fails and corrupts the configuration database.
easiest way to upgrade from 2022 Patch 4 to 2022.0.1 is to uninstall 2022 Patch 4 and the install 2022.0.1.
see https://developercommunity.visualstudio.com/t/202201-upgrade-failure—Could-not-loa/10444816?q=Microsoft.VisualStudio.Services.Gallery.Server for reference.
we did run into the same issue.