February Security Release: Team Foundation Server 2018 Update 3.2 Patch 1 is available

Erin Dormier

We announced the Azure DevOps Bounty Program a few weeks ago. We’re excited that this effort has already helped us on our mission to provide the highest level of security for our customers. Thanks to everyone who is participating in the Bounty program.

We plan to release security updates on the second Tuesday of each month (Patch Tuesday). This will give our customers a predictable and regular cadence that lines up with other security releases from Microsoft. When the updates involve binary changes, our releases will only replace the impacted binaries. If the updates involve database changes, we will release full installations.

TFS 2018 Update 3.2 Patch 1

Today, we released Team Foundation Server 2018 Update 3.2 Patch 1 that fixes two cross site scripting vulnerabilities found through the Bounty program:

- CVE-2019-0742: Cross site scripting (XSS) vulnerability in work items
- CVE-2019-0743: Cross site scripting (XSS) vulnerability in pull requests

TFS 2018 Update 2 and Update 3 are impacted by these vulnerabilities. Azure DevOps Server 2019 RC2 is also impacted and will be fixed in the final release of Azure DevOps Server 2019. We recommend that all customers on TFS 2018 Update 2 or Update 3 upgrade to TFS 2018 Update 3.2 and apply TFS 2018 Update 3.2 Patch 1.

Verifying Installation

To verify that this update is installed, check the version of the following file:

[TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll

TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 1, the version will be 16.131.28605.6.
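The check described above can be scripted on the application tier. The following PowerShell is an added example, not part of the original post or the product: the function name Test-TfsPatchLevel and the status strings are hypothetical, and treating a version above 16.131.28605.6 as patched is an assumption.

```powershell
# Added example: report whether the file version named in the post is present.
function Test-TfsPatchLevel {
    [CmdletBinding()]
    param(
        # Default install location stated in the post; override for a custom install.
        [string]$InstallDir = 'C:\Program Files\Microsoft Team Foundation Server 2018',
        # File version the post gives for TFS 2018 Update 3.2 Patch 1.
        [version]$PatchedVersion = '16.131.28605.6'
    )

    $relative = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll'
    $dll = Join-Path $InstallDir $relative

    # A missing file usually means a different install directory or no application tier here.
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        return [pscustomobject]@{ Path = $dll; FileVersion = $null; Status = 'FileNotFound' }
    }

    # Build the version from its numeric parts instead of parsing the
    # FileVersion string, which can carry extra text after the number.
    $info  = (Get-Item -LiteralPath $dll).VersionInfo
    $found = New-Object -TypeName System.Version -ArgumentList @(
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    )

    # Assumption: later patches ship a higher file version, so -ge counts as patched.
    $status = if ($found -ge $PatchedVersion) { 'Patched' } else { 'NotPatched' }

    [pscustomobject]@{ Path = $dll; FileVersion = $found; Status = $status }
}

# Check the default install location on this server.
Test-TfsPatchLevel
```

Pass -InstallDir when TFS is not in the default location; a Status of NotPatched means the DLL predates Patch 1.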