February 12th, 2019

February Security Release: Team Foundation Server 2018 Update 3.2 Patch 1 is available

Erin Dormier
Principal Program Manager

We announced the Azure DevOps Bounty Program a few weeks ago. We’re excited that this effort has already helped us on our mission to provide the highest level of security for our customers. Thanks to everyone who is participating in the Bounty program.

We plan to release security updates on the second Tuesday of each month (Patch Tuesday). This will give our customers a predictable and regular cadence that lines up with other security releases from Microsoft. When the updates involve binary changes, our releases will only replace the impacted binaries. If the updates involve database changes, we will release full installations.

TFS 2018 Update 3.2 Patch 1 Today, we released Team Foundation Server 2018 Update 3.2 Patch 1 that fixes two cross site scripting vulnerabilities found through the Bounty program: – CVE-2019-0742: Cross site scripting (XSS) vulnerability in work items – CVE-2019-0743: Cross site scripting (XSS) vulnerability in pull requests

TFS 2018 Update 2 and Update 3 are impacted by these vulnerabilities. Azure DevOps Server 2019 RC2 is also impacted and will be fixed in the final release of Azure DevOps Server 2019. We recommend that all customers on TFS 2018 Update 2 or Update 3 upgrade to TFS 2018 Update 3.2 and apply TFS 2018 Update 3.2 Patch 1.

Verifying Installation To verify if you have this update installed, you can check the versions of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll

TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 1, the version will be 16.131.28605.6.

Author

Erin Dormier
Principal Program Manager

5 comments

Discussion is closed. Login to edit/delete existing comments.

  • Brandon Creasap

    I have a question Erin…In your links above it says TFS 2018 3.2 Patch 1 but when I click the download the the file name is ‘tfs2018.3.2patch4.exe’ Is this actually patch 1 or do I need to download it from somewhere else? Thank you in advance.

  • Daniel Stefanescu

    You should really fix the application tier in order to show the correct version in the about page; it’s a very confusing issue.

  • Nick Schonning

    The last 2 XSS patches were also applied to TFS 2017. Does this one not apply to 2017 or can we expect a separate release for 2017?

    • Erin DormierMicrosoft employee Author

      This one only applies to TFS 2018 Update 2 and later. 2017 is not impacted.

      • Nick Schonning

        Thanks for confirming!