July Security Release: Patches available for Azure DevOps Server and Team Foundation Server

Erin Dormier

For the July security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, TFS 2015, TFS 2013, TFS 2012, and TFS 2010. Thanks to everyone who has been participating in our Azure DevOps Bounty Program.

CVE-2019-1072: remote code execution vulnerability in work item tracking

CVE-2019-1076: cross site scripting (XSS) vulnerability in Pull Requests

Functional bug fix: Email notifications may have incorrect dates

Azure DevOps Server 2019.0.1 Patch 1

If you have Azure DevOps Server 2019, you should first update to Azure DevOps Server 2019.0.1. Once on 2019.0.1, install Azure DevOps Server 2019.0.1 Patch 1.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019.0.1 Patch 1, the version will be 17.143.29019.5.

TFS 2018 Update 3.2 Patch 5

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 5.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 5, the version will be 16.131.29019.4.

TFS 2018 Update 1.2 Patch 5

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 5.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 5, the version will be 16.122.29017.5.

TFS 2017 Update 3.1 Patch 6

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 6.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 6, the version will be 15.117.29024.0.

TFS 2015 Update 4.2 Patch 2

If you have TFS 2015, you should first update to TFS 2015 Update 4.2. Once on Update 4.2, install TFS 2015 Update 4.2 Patch 2.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2015 is installed to c:\Program Files\Microsoft Team Foundation Server 14.0 by default.

After installing TFS 2015 Update 4.2 Patch 1, the version will be 14.114.29025.0.

TFS 2013 Update 5 Patch 1

If you have TFS 2013, you should first update to TFS 2013 Update 5, which you can get at https://my.visualstudio.com. Once on Update 5, install TFS 2013 Update 5 Patch 1.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2013 is installed to c:\Program Files\Microsoft Team Foundation Server 12.0 by default.

After installing TFS 2013 Update 5 Patch 1, the version will be 12.0.40681.0.

TFS 2012 Update 4 Patch 1

If you have TFS 2012, you should first update to TFS 2012 Update 4, which you can get at https://my.visualstudio.com. Once on Update 4, install TFS 2012 Update 4 Patch 1.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2012 is installed to c:\Program Files\Microsoft Team Foundation Server 11.0 by default.

After installing TFS 2012 Update 4 Patch 1, the version will be 11.0.61243.0.

TFS 2010 SP1 Patch 1

If you have TFS 2010, you should first update to Service Pack 1, which you can get at https://my.visualstudio.com. Once on SP1, install TFS 2010 SP1 Patch 1 64-bit or TFS 2010 SP1 Patch 1 32-bit.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2010 is installed to c:\Program Files\Microsoft Team Foundation Server 2010 by default.

Update: If you installed the TFS 2010 patch before July 29, the version will be 10.0.40219.504. On July 29, we released a new patch to fix an issue installing on non-English languages. If you installed the patch on July 29 or later, the version will be 10.0.40219.506. Both versions contain the same fix and are valid.
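The per-product file-version checks above can be scripted. The following PowerShell is an added example, not part of the original post or Microsoft's tooling; the function name, product keys and status strings are made up for illustration. It assumes that a file version at or above the listed one, within the same major.minor line, means this patch or a later one is installed.

```powershell
# Added example (not Microsoft tooling). DLL names and versions are copied from
# the post; product keys, function name and status strings are illustrative.
$Bin = 'Application Tier\Web Services\bin'
$Fx  = 'Microsoft.TeamFoundation.Framework.Server.dll'
$Adm = 'Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'
$Baseline = @{
    'AzDevOps2019.0.1' = @{ Dll = $Fx;  Min = '17.143.29019.5' }
    'TFS2018.3.2'      = @{ Dll = 'Microsoft.TeamFoundation.WorkItemTracking.Web.dll'
                            Min = '16.131.29019.4' }
    'TFS2018.1.2'      = @{ Dll = $Adm; Min = '16.122.29017.5' }
    'TFS2017.3.1'      = @{ Dll = $Adm; Min = '15.117.29024.0' }
    'TFS2015.4.2'      = @{ Dll = $Fx;  Min = '14.114.29025.0' }
    'TFS2013.5'        = @{ Dll = $Fx;  Min = '12.0.40681.0' }
    'TFS2012.4'        = @{ Dll = $Fx;  Min = '11.0.61243.0' }
    'TFS2010.SP1'      = @{ Dll = $Fx;  Min = '10.0.40219.504' }  # .506 is also valid
}

function Test-TfsPatchLevel {
    param(
        [Parameter(Mandatory)][string]$Product,     # a key of $Baseline
        [Parameter(Mandatory)][string]$InstallDir   # [INSTALL_DIR] / [TFS_INSTALL_DIR]
    )
    if (-not $Baseline.ContainsKey($Product)) { throw "Unknown product key '$Product'" }
    $entry  = $Baseline[$Product]
    $path   = Join-Path (Join-Path $InstallDir $Bin) $entry.Dll
    $min    = [version]$entry.Min
    $found  = $null
    $status = 'FileMissing'
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Build the version from the numeric fields; the FileVersion string
        # can carry extra text and does not compare reliably.
        $vi    = (Get-Item -LiteralPath $path).VersionInfo
        $found = New-Object System.Version -ArgumentList `
                 $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        if ($found.Major -ne $min.Major -or $found.Minor -ne $min.Minor) {
            $status = 'DifferentUpdateLevel'   # baseline row does not apply
        } elseif ($found -ge $min) { $status = 'AtOrAbovePatch' }
        else                       { $status = 'BelowPatch' }
    }
    [pscustomobject]@{ Product = $Product; File = $path; Found = $found
                       Expected = $min; Status = $status }
}

# Default install path as given in the post for Azure DevOps Server 2019.
Test-TfsPatchLevel -Product 'AzDevOps2019.0.1' `
                   -InstallDir 'C:\Program Files\Azure DevOps Server 2019'
```

A `DifferentUpdateLevel` result means the server is not on the update the patch targets, which is the situation the "first update to ..." instructions in each section address.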

Erin Dormier

Principal Program Manager, Azure DevOps

24 comments

  • Harley Parks

    The web installer for DevOps Server and the patch is a Release Candidate for version 17.143.29019.5.  Is it safe to expect a fully vetted upgrade will be available by Aug. 1st? And will a patch still be required?

  • Matthew Andrews

    [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll does not appear to be upgraded by this patch. Is this the right file to examine?

    • Erin Dormier

      Thanks for catching that. You can check the [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll file. I updated the post with this information.

  • Desmond Kung

    I’m constantly getting an “Error writing install status to registry: System.UnauthorizedAccessException: Cannot write to the registry key” error, even though the DLL version has been updated for TFS 2015 Update 4.2 Patch 2. Should I be concerned?

  • Abhinay Potluri

    Am I missing something? I am unable to apply the patch to TFS 2018, 3.2. I get the below error. Please advise: — Found InstallVersion: 16.131.28601.4 Could not find Patch version in registry, no patches installed. The Application Tier is configured. The Search Tier is not configured. The Proxy Tier is not configured. This patch does not apply to Tfs version 16.131.28601.4.

  • ILGopher - Ryan Weishalla

    Are there any options for installing the patches silently? We are currently using TFS 2018 Update 3.2 and trying to apply the latest security patch (Patch 5 or Patch 6). This is our first patch since upgrading to TFS 2018, so we aren’t familiar with the patch process yet.  If we unzip the files using the unzip command line argument and copy the file directory structure from the zip to the proper locations, is that all that needs to be done to apply the patch?

      • ILGopher - Ryan Weishalla

        The -force command still leaves the command window which is launched with a press any key to continue at the end.

        • Erin Dormier

          I just talked to my team and they are filing a bug to fix this. In the meantime, you can work around it by wrapping the call to TfsPatch in a command shell, such as running “C:\Windows\SysWOW64\cmd.exe /c “<path to download>\TfsPatch.exe” -force”

  • Cristian Freddy Casanova Gallegos

    I had TFS 2010 SP1 (kb2182621), and installed tfs2010sp1patch1-x64.exe, now version is 10.0.40219.506. Installation was successful, but now I’m getting this error on my TFS 2010 Buildings:

    Detailed Message: TF221122: An error occurred running job Test Management Warehouse Sync for team project collection or Team Foundation server Luzdelsur.
    Exception Message: TF30040: The database is not correctly configured. Contact your Team Foundation Server administrator. (type DatabaseConfigurationException)
    Exception Message: Could not find stored procedure ‘prc_QueryForMaxAuditId’. (type SqlException)

    Is there any solution or workaround about it?

    Thanks
