This month, we are releasing fixes for security vulnerabilities that impact our self-hosted product, Azure DevOps Server, as well as the following older Team Foundation Server releases: TFS 2015, TFS 2017 and TFS 2018.
The following vulnerabilities will be fixed with this patch:
- CVE-2020-17135: Azure DevOps Server Spoofing Vulnerability
- CVE-2020-17145: Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
- CVE-2020-1325: Azure DevOps Server Spoofing Vulnerability
- Fix issue with TFVC not processing all results
Azure DevOps Server 2020 Patch 1
If you have Azure DevOps Server 2020, you should install Azure DevOps Server 2020 Patch 1.
Verifying Installation
- Option 1: Run devops2020patch1.exe CheckInstall, where devops2020patch1.exe is the file that is downloaded from the link above. The output of the command will say either that the patch has been installed or that it is not installed.
- Option 2: Check the version of the following file: [INSTALL_DIR]\Azure DevOps Server 2020\Application Tier\bin\Microsoft.Teamfoundation.Framework.Server.dll. Azure DevOps Server 2020 is installed to c:\Program Files\Azure DevOps Server 2020 by default. After installing Azure DevOps Server 2020 Patch 1, the version will be 18.170.30723.6.
Azure DevOps Server 2019.1.1 Patch 6
If you have Azure DevOps Server 2019 Update 1.1, you should install Azure DevOps Server 2019 Update 1.1 Patch 6. Please see the release notes for AzurePowerShellV4 task installation instructions.
Verifying Installation
- Option 1: Run devops2019.1.1patch6.exe CheckInstall, where devops2019.1.1patch6.exe is the file that is downloaded from the link above. The output of the command will say either that the patch has been installed or that it is not installed.
- Option 2: Check the version of the following file: [INSTALL_DIR]\Azure DevOps Server 2019\Application Tier\Web Services\bin\Microsoft.VisualStudio.Services.Feed.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default. After installing Azure DevOps Server 2019.1.1 Patch 6, the version will be 17.153.30723.5.
Azure DevOps Server 2019.0.1 Patch 9
If you have Azure DevOps Server 2019, you should first update to Azure DevOps Server 2019.0.1. Once on 2019.0.1, install Azure DevOps Server 2019.0.1 Patch 9.
Verifying Installation
- Option 1: Run devops2019.0.1patch9.exe CheckInstall, where devops2019.0.1patch9.exe is the file that is downloaded from the link above. The output of the command will say either that the patch has been installed or that it is not installed.
- Option 2: Check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default. After installing Azure DevOps Server 2019.0.1 Patch 9, the version will be 17.143.30723.4.
TFS 2018 Update 3.2 Patch 14
If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 14.
Verifying Installation
- Option 1: Run tfs2018.3.2patch14.exe CheckInstall, where tfs2018.3.2patch14.exe is the file that is downloaded from the link above. The output of the command will say either that the patch has been installed or that it is not installed.
- Option 2: Check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default. After installing TFS 2018 Update 3.2 Patch 14, the version will be 16.131.30724.3.
TFS 2018 Update 1.2 Patch 9
If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 9.
Verifying Installation
- Option 1: Run tfs2018.1.2patch9.exe CheckInstall, where tfs2018.1.2patch9.exe is the file that is downloaded from the link above. The output of the command will say either that the patch has been installed or that it is not installed.
- Option 2: Check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default. After installing TFS 2018 Update 1.2 Patch 9, the version will be 16.122.30723.1.
TFS 2017 Update 3.1 Patch 12
If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 12.
Verifying Installation
- Option 1: Run tfs2017.3.1patch12.exe CheckInstall, where tfs2017.3.1patch12.exe is the file that is downloaded from the link above. The output of the command will say either that the patch has been installed or that it is not installed.
- Option 2: Check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default. After installing TFS 2017 Update 3.1 Patch 12, the version will be 15.117.30801.0.
TFS 2015 Update 4.2 Patch 7
If you have TFS 2015, you should first update to TFS 2015 Update 4.2. Once on Update 4.2, install TFS 2015 Update 4.2 Patch 7.
Verifying Installation
- Option 1: Run tfs2015.4.2patch7.exe CheckInstall, where tfs2015.4.2patch7.exe is the file that is downloaded from the link above. The output of the command will say either that the patch has been installed or that it is not installed.
- Option 2: Check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2015 is installed to c:\Program Files\Microsoft Team Foundation Server 14.0 by default. After installing TFS 2015 Update 4.2 Patch 7, the version will be 14.114.30730.0.
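The Option 2 file-version check described in the sections above, scripted for all seven releases, as an added example that is not part of the original post. The product keys, the function name Test-DevOpsPatchLevel and the split of each path into an install directory plus a relative path are assumptions made here; the file names and version numbers are the ones listed above.

```powershell
# Expected file versions after patching, copied from the sections above.
# Keys are hypothetical labels; RelPath is relative to the product install
# directory (e.g. C:\Program Files\Azure DevOps Server 2020), which is an assumption.
$PatchBaseline = @{
    'ADS2020'     = @{ RelPath = 'Application Tier\bin\Microsoft.Teamfoundation.Framework.Server.dll'; Version = '18.170.30723.6' }
    'ADS2019.1.1' = @{ RelPath = 'Application Tier\Web Services\bin\Microsoft.VisualStudio.Services.Feed.Server.dll'; Version = '17.153.30723.5' }
    'ADS2019.0.1' = @{ RelPath = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll'; Version = '17.143.30723.4' }
    'TFS2018.3.2' = @{ RelPath = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll'; Version = '16.131.30724.3' }
    'TFS2018.1.2' = @{ RelPath = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version = '16.122.30723.1' }
    'TFS2017.3.1' = @{ RelPath = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version = '15.117.30801.0' }
    'TFS2015.4.2' = @{ RelPath = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll'; Version = '14.114.30730.0' }
}

function Test-DevOpsPatchLevel {
    param(
        [Parameter(Mandatory)] [string] $Product,     # one of the keys above
        [Parameter(Mandatory)] [string] $InstallDir   # product install directory
    )
    if (-not $PatchBaseline.ContainsKey($Product)) { throw "Unknown product key '$Product'" }

    $entry    = $PatchBaseline[$Product]
    $path     = Join-Path $InstallDir $entry.RelPath
    $expected = [version]$entry.Version
    $result   = [ordered]@{ Product = $Product; File = $path; Expected = $expected
                            Actual = $null; Status = 'FileMissing' }

    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Build the version from its numeric parts; the FileVersion string
        # can carry extra text that [version] cannot parse.
        $vi     = (Get-Item -LiteralPath $path).VersionInfo
        $actual = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                 $vi.FileBuildPart, $vi.FilePrivatePart)
        $result.Actual = $actual
        # Compare numerically, not as strings, so 30723 vs 30525 orders correctly.
        $result.Status = if ($actual -lt $expected) { 'NotPatched' }
                         elseif ($actual -eq $expected) { 'Patched' }
                         else { 'NewerThanPatch' }
    }
    [pscustomobject]$result
}

# Example call against the default Azure DevOps Server 2020 location.
Test-DevOpsPatchLevel -Product 'ADS2020' -InstallDir 'C:\Program Files\Azure DevOps Server 2020'
```

Run it on every application-tier machine; a status of FileMissing usually means the install directory passed in does not match the actual install location.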
We are planning on upgrading to TFS 2015 4.2 Patch 7 but I don’t see an “uninstall” option to use if we have issues. Is there one?
If not, I presume we have to uninstall TFS 2015 4.2 and reinstall from scratch?
I presume patch 7 must be applied to all servers with TFS 2015 4.2 installed including the TFS 2015 XAML Build servers?
The patches don’t touch the TFS Databases do they?
Thanks!
Hi raynman, we don’t have an uninstall option for patches. Regarding the 2015 installation, you should install the patch in all 2015.4.2 instances. If you have 2015, you should first update to 2015.4.2 before installing this patch. Lastly, we don’t include database changes with these patches.
After installing the upgrade from Server 2019 to Server 2020, then attempting to run Patch 1, “Microsoft.VisualStudio.Services.Feed.Server.dll” is on version “18.170.30723.6”, however, TFS Configuration management shows that the version is still “18.170.30525.1” and the web browser references the old patch, as well.
Is there any way to confirm everything updated properly?
Hi Heather, you have the patch installed since the dll has the correct version. You can also check ‘[INSTALL_DIR]\Azure DevOps Server 2020\Application Tier\bin\Microsoft.Teamfoundation.Framework.Server.dll’ to see if it is on version 18.170.30723.6.
When we try to install the latest patch 6 (devops2019.1.1patch6.exe) on our Azure DevOps Server 17.153.29207.5 (AzureDevOps2019.Update1), I am getting the below error:
Microsoft (R) AzureDevOpsPatch - Azure DevOps Server update tool - version 17.153.30723.5
Copyright (c) Microsoft Corporation. All rights reserved.
Logging going to 'C:\ProgramData\Microsoft\Azure DevOps\Server Configuration\Logs\Patch_2020-12-21_14-38-59.log'
Checking SOFTWARE\Microsoft\TeamFoundationServer\17.0 to see if Azure DevOps Server is installed
Found InstallPath: D:\Azure DevOps Server 2019\
Found InstallVersion: 17.153.29207.5
Could not find Patch version in registry, no patches installed.
The Application Tier...
Hi Shadab, you should install Update 1.1 first. You can find more details in the Azure DevOps Server 2019 Update 1.1 RTW blog post.
Can you elaborate or supply a link for the item “Fix issue with TFVC not processing all results” in relation to ADS 2020?
It seems to not be present in the release notes:
https://docs.microsoft.com/da-dk/azure/devops/server/release-notes/azuredevops2020?view=azure-devops#azure-devops-server-2020-patch-1-date-december-8-2020
Whereas it is available on the ADS 2019 release notes. Does that mean that it is not affecting ADS 2020?
Hi Tore, you can see details about this issue in the release notes for Azure DevOps Server 2020
Hi Gloridel
Your link seems to be pointing to this exact comment and not to the 2020 release notes.
However, I cannot find TFVC mentioned anywhere on the 2020 release notes either:
https://docs.microsoft.com/da-dk/azure/devops/server/release-notes/azuredevops2020
Hi Tore, apologies for the confusion. The fix applies to Azure DevOps Server 2019 only. It does not affect Azure DevOps Server 2020.
After installing the Server 2020 Patch 1, “Microsoft.VisualStudio.Services.Feed.Server.dll” is on version “18.170.30525.1” and not “18.170.30723.6”
The “CheckInstall” command reports the patch as installed.
Same here
Hi Necati, thank you for installing the patch. I just updated the blog instructions with the correct file for validation. It should be
Hi Hendrik, thank you for installing the patch. We are looking at this and will get back to you once we have more information.
Hi Hendrik, I just updated the blog instructions with the correct file for validation. It should be
. Thanks again for installing and for reporting this.
I installed Azure DevOps Server 2019 update 1.1 but I have never applied any patches. Do I have to install patch 1, patch 2, patch 3 … or do I have to install only last patch 6?
Hi Francesco, if you have Azure DevOps Server 2019 Update 1.1, you can install Azure DevOps Server 2019 Update 1.1 Patch 6. You don’t need to install other patches prior to Patch 6.