August patches for Azure DevOps Server

Gloridel Morales

August 8th, 20234 2

This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.

The following versions of the products have been patched. Check out the links for each version for more details.

Azure DevOps Server 2022.0.1 Patch 2

Update: If you have Azure DevOps 2022 and installed Patch 4, take a look at this post from the Developer Community before you install this patch.

Note: If you have Azure DevOps Server 2022, you should first update to Azure DevOps Server 2022.0.1 and then install install Azure DevOps Server 2022.0.1 Patch 2.

If you have Azure DevOps Server 2022.0.1, you should install Azure DevOps Server 2022.0.1 Patch 2.

Release notes

  • CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.

  • Fixed a bug in SOAP calls where ArithmeticException can be raised for big metadata XML response.

  • Implemented changes to the service connections editor so that endpoint state flushes on component dismiss.

  • Addressed issue with relative links not working in markdown files.

  • Fixed a performance issue related to application tier taking longer than normal to startup when there are a large number of tags defined.

  • Addressed TF400367 errors on the Agent Pools page.

  • Fixed a bug where Analysis Owner identity showed as Inactive Identity.

  • Fixed infinite loop bug on CronScheduleJobExtension.

Verifying Installation

  • Run devops2022.0.1patch2.exe CheckInstall, devops2022.0.1patch2.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.1.2 Patch 7

If you have Azure DevOps Server 2020.1.1, you should first update to Azure DevOps Server 2020.1.2. Once on 2020.1.2, install Azure DevOps Server 2020.1.2 Patch 7.

Release notes

  • CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.

  • Update SSH service to support SHA2-256 and SHA2-512. If you have SSH config files hard coded to use RSA, you should update to SHA2 or remove the entry.

  • Addressed issue with relative links not working in markdown files.

  • Fixed a bug with comment navigation on a commit page.

  • Fixed a bug where Analysis Owner identity showed as Inactive Identity.

  • Fixed infinite loop bug on CronScheduleJobExtension.

Verifying Installation

  • Run devops2020.1.2patch7.exe CheckInstall, devops2020.1.2patch7.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.0.2 Patch 3

If you have Azure DevOps Server 2020.0.1, you should first update to Azure DevOps Server 2020.0.2. Once on Update 2020.0.2, install Azure DevOps Server 2020.0.2 Patch 3.

Release notes

  • CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.
  • Fixed a bug where Analysis Owner identity showed as Inactive Identity.

Verifying Installation

  • Run devops2020.0.2patch3.exe CheckInstall, devops2020.0.2patch3.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2019.1.2 Patch 4

If you have Azure DevOps Server 2019.1.1, you should first update to Azure DevOps Server 2019.1.2. Once on Update 2019.1.2, install Azure DevOps Server 2019.1.2 Patch 4.

Release notes

  • CVE-2023-36869 – Azure DevOps Server Spoofing Vulnerability.
  • Update SSH service to support SHA2-256 and SHA2-512. If you have SSH config files hard coded to use RSA, you should update to SHA2 or remove the entry.
  • Fixed infinite loop bug on CronScheduleJobExtension.

Verifying Installation

  • Run devops2019.1.2patch4.exe CheckInstall, devops2019.1.2patch4.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2019.0.1 Patch 14

If you have Azure DevOps Server 2019.0.1, you should install Azure DevOps Server 2019.0.1 Patch 14.

Release notes

Verifying Installation

  • Run devops2019.0.1patch14.exe CheckInstall, devops2019.0.1patch14.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Gloridel Morales Senior Technical Program Manager, Azure DevOps

Read next

4 comments

Discussion is closed. Login to edit/delete existing comments.

  • Daniel Steiner 0

    @Gloridel Morales

    could you please add a big warning that upgrading from AzureDevops Server 2022 Patch 4 fails and corrupts the configuration database.

    easiest way to upgrade from 2022 Patch 4 to 2022.0.1 is to uninstall 2022 Patch 4 and the install 2022.0.1.

    see https://developercommunity.visualstudio.com/t/202201-upgrade-failure—Could-not-loa/10444816?q=Microsoft.VisualStudio.Services.Gallery.Server for reference.

    we did run into the same issue.

  • Andreas Appelros 0

    How do I verify file integrity of Azure Devops patches? They are not listed in the Release Notes 256 SHA hashes.

    • Gloridel MoralesMicrosoft employee 0

      Hi Andreas, we currently don’t publish SHA hashes for patches. What version of the product are you planning to patch?

  • William Charlton 0

    Ms Morales

    I am on 2020.1.2 patch 6. The ADS Admin Console shows 18.181.33921.3 (Azure DevOps Server 2020 Update 1.2).

    I’m running ADS on an Amazon Web Services instance
    – Windows Server 2022 Datacenter, 21H2. 64 Bit
    – AMD EPYC 7571

    I just attempted to install devops2020.1.2patch7.exe and got this error:

    Starting process E:\Program Files\Azure DevOps Server 2020\Tools\tfsconfig updateTasks
Error running a command: System.ComponentModel.Win32Exception (0x80004005): The specified executable is not a valid application for this OS platform.

    Can you help?

    Alternatively, can I skip 2020 1.2 patch 7 and 2020 1.2 patch 8 and install 2020 1.2 patch 9?

Feedback usabilla icon