Updated: February patches for Azure DevOps Server

Gloridel Morales

2/17 Update: After installing Azure DevOps Server 2020.1.2 Patch 5 notifications were not getting delivered. To address this issue, we are re-releasing the patch. If you installed Patch 5, you should download and re-install the patch from the link provided in the instructions below.

This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.

The following will be fixed with this patch:

• CVE-2023-21564: Azure DevOps Server Cross-Site Scripting Vulnerability
• CVE-2023-21553: Azure DevOps Server Remote Code Execution Vulnerability
• Updated MSBuild and VSBuild tasks to support Visual Studio 2022.
• Update methodology of loading reauthentication to prevent XSS attack vector.
• Azure DevOps Server 2022 Proxy reports the following error: VS800069: This service is only available in on-premises Azure DevOps.
• Fixed shelvesets accessibility issue via web UI.

Azure DevOps Server 2022 Patch 2

If you have Azure DevOps Server 2022, you should install Azure DevOps Server 2022 Patch 2. Check out the release notes for more details.

Verifying Installation

• Run devops2022patch2.exe CheckInstall, devops2022patch2.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.1.2 Patch 5

If you have Azure DevOps Server 2020.1.1, you should first update to Azure DevOps Server 2020.1.2. Once on 2020.1.2, install Azure DevOps Server 2020.1.2 Patch 5. Check out the release notes for more details.

Verifying Installation

• Run devops2020.1.2patch5.exe CheckInstall, devops2020.1.2patch5.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Gloridel Morales Senior Technical Program Manager, Azure DevOps

Follow