February Security Release: Team Foundation Server 2018 Update 3.2 Patch 1 is available

Erin Dormier

We announced the Azure DevOps Bounty Program a few weeks ago. We’re excited that this effort has already helped us on our mission to provide the highest level of security for our customers. Thanks to everyone who is participating in the Bounty program.

We plan to release security updates on the second Tuesday of each month (Patch Tuesday). This will give our customers a predictable and regular cadence that lines up with other security releases from Microsoft. When the updates involve binary changes, our releases will only replace the impacted binaries. If the updates involve database changes, we will release full installations.

TFS 2018 Update 3.2 Patch 1

Today, we released Team Foundation Server 2018 Update 3.2 Patch 1, which fixes two cross-site scripting vulnerabilities found through the Bounty program:

- CVE-2019-0742: Cross site scripting (XSS) vulnerability in work items
- CVE-2019-0743: Cross site scripting (XSS) vulnerability in pull requests

TFS 2018 Update 2 and Update 3 are impacted by these vulnerabilities. Azure DevOps Server 2019 RC2 is also impacted and will be fixed in the final release of Azure DevOps Server 2019. We recommend that all customers on TFS 2018 Update 2 or Update 3 upgrade to TFS 2018 Update 3.2 and apply TFS 2018 Update 3.2 Patch 1.

Verifying Installation

To verify that you have this update installed, check the version of the following file:

[TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll

TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 1, the version will be 16.131.28605.6.
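
The check described above can be scripted on the application tier. This is an added example, not code from Microsoft or from the original post. The function name Test-TfsPatchLevel is hypothetical, and the script assumes that the version in question is the file version in the DLL's version resource and that a higher version than 16.131.28605.6 indicates a later build.

```powershell
# Added example: compares the DLL named in the post with the patched version.
# Test-TfsPatchLevel is a hypothetical helper name, not a TFS cmdlet.
function Test-TfsPatchLevel {
    [CmdletBinding()]
    param(
        # Default install location stated in the post; override for custom installs.
        [string]$InstallDir = 'C:\Program Files\Microsoft Team Foundation Server 2018',
        # Version the post gives for TFS 2018 Update 3.2 Patch 1.
        [version]$PatchedVersion = '16.131.28605.6'
    )

    $dll = Join-Path $InstallDir 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll'

    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        # No application tier at this path: report that instead of implying "patched".
        return [pscustomobject]@{ Path = $dll; Installed = $null; Status = 'FileNotFound' }
    }

    # Build the version from the numeric parts of the version resource
    # (assumption: the post refers to the file version, not the product version).
    # The FileVersion string can carry extra text that does not parse as a version.
    $info = (Get-Item -LiteralPath $dll).VersionInfo
    $installed = New-Object System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    # Assumption: a version above the patched one means a later build, not a missing fix.
    $status = if ($installed -lt $PatchedVersion) {
        'Unpatched'
    } elseif ($installed -eq $PatchedVersion) {
        'Patch1Installed'
    } else {
        'NewerThanPatch1'
    }

    [pscustomobject]@{ Path = $dll; Installed = $installed; Status = $status }
}

# Run against the default install directory and show the result.
Test-TfsPatchLevel | Format-List
```

Pass -InstallDir when TFS is not installed to the default location.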

Erin Dormier

Release Manager, Azure DevOps

Daniel Stefanescu 2019-02-14 06:30:18
You should really fix the application tier in order to show the correct version in the about page; it's a very confusing issue.
Nick Schonning 2019-02-13 13:50:24
The last 2 XSS patches were also applied to TFS 2017. Does this one not apply to 2017 or can we expect a separate release for 2017?