July Security Release: Patches available for Azure DevOps Server and Team Foundation Server

Erin Dormier


For the July security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, TFS 2015, TFS 2013, TFS 2012, and TFS 2010. Thanks to everyone who has been participating in our Azure DevOps Bounty Program.

CVE-2019-1072: remote code execution vulnerability in work item tracking

CVE-2019-1076: cross-site scripting (XSS) vulnerability in Pull Requests

Functional bug fix: Email notifications may have incorrect dates

Azure DevOps Server 2019.0.1 Patch 1

If you have Azure DevOps Server 2019, you should first update to Azure DevOps Server 2019.0.1. Once on 2019.0.1, install Azure DevOps Server 2019.0.1 Patch 1.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019.0.1 Patch 1, the version will be 17.143.29019.5.

TFS 2018 Update 3.2 Patch 5

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 5.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 5, the version will be 16.131.29019.4.

TFS 2018 Update 1.2 Patch 5

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 5.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 5, the version will be 16.122.29017.5.

TFS 2017 Update 3.1 Patch 6

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 6.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 6, the version will be 15.117.29024.0.

TFS 2015 Update 4.2 Patch 2

If you have TFS 2015, you should first update to TFS 2015 Update 4.2. Once on Update 4.2, install TFS 2015 Update 4.2 Patch 2.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2015 is installed to c:\Program Files\Microsoft Team Foundation Server 14.0 by default.

After installing TFS 2015 Update 4.2 Patch 1, the version will be 14.114.29025.0.

TFS 2013 Update 5 Patch 1

If you have TFS 2013, you should first update to TFS 2013 Update 5, which you can get at https://my.visualstudio.com. Once on Update 5, install TFS 2013 Update 5 Patch 1.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2013 is installed to c:\Program Files\Microsoft Team Foundation Server 12.0 by default.

After installing TFS 2013 Update 5 Patch 1, the version will be 12.0.40681.0.

TFS 2012 Update 4 Patch 1

If you have TFS 2012, you should first update to TFS 2012 Update 4, which you can get at https://my.visualstudio.com. Once on Update 4, install TFS 2012 Update 4 Patch 1.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2012 is installed to c:\Program Files\Microsoft Team Foundation Server 11.0 by default.

After installing TFS 2012 Update 4 Patch 1, the version will be 11.0.61243.0.

TFS 2010 SP1 Patch 1

If you have TFS 2010, you should first update to Service Pack 1, which you can get at https://my.visualstudio.com. Once on SP1, install TFS 2010 SP1 Patch 1 64-bit or TFS 2010 SP1 Patch 1 32-bit.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2010 is installed to c:\Program Files\Microsoft Team Foundation Server 2010 by default.

After installing TFS 2010 SP1 Patch 1, the version will be 10.0.40219.504.
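
The per-version checks above can be run in one pass with a PowerShell script. This is an added example, not part of the original post: file names, versions and default install directories are copied from the sections above, and it assumes that a file sharing the expected major.minor with an equal or higher build is patched.

```powershell
# Added example. DLL names, versions and default directories are copied from the post.
# Edit Dir for non-default installs.
$bin = 'Application Tier\Web Services\bin'
$pf  = 'C:\Program Files'
$checks = @(
    @{ Patch='Azure DevOps Server 2019.0.1 Patch 1'; Dir="$pf\Azure DevOps Server 2019"; Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Version='17.143.29019.5' },
    @{ Patch='TFS 2018 Update 3.2 Patch 5'; Dir="$pf\Microsoft Team Foundation Server 2018"; Dll='Microsoft.TeamFoundation.WorkItemTracking.Web.dll'; Version='16.131.29019.4' },
    @{ Patch='TFS 2018 Update 1.2 Patch 5'; Dir="$pf\Microsoft Team Foundation Server 2018"; Dll='Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version='16.122.29017.5' },
    @{ Patch='TFS 2017 Update 3.1 Patch 6'; Dir="$pf\Microsoft Team Foundation Server 15.0"; Dll='Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version='15.117.29024.0' },
    @{ Patch='TFS 2015 Update 4.2 Patch 2'; Dir="$pf\Microsoft Team Foundation Server 14.0"; Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Version='14.114.29025.0' },
    @{ Patch='TFS 2013 Update 5 Patch 1'; Dir="$pf\Microsoft Team Foundation Server 12.0"; Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Version='12.0.40681.0' },
    @{ Patch='TFS 2012 Update 4 Patch 1'; Dir="$pf\Microsoft Team Foundation Server 11.0"; Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Version='11.0.61243.0' },
    @{ Patch='TFS 2010 SP1 Patch 1'; Dir="$pf\Microsoft Team Foundation Server 2010"; Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Version='10.0.40219.504' }
)

function Test-TfsPatchLevel {
    foreach ($c in $checks) {
        $path = Join-Path (Join-Path $c.Dir $bin) $c.Dll
        if (-not (Test-Path -LiteralPath $path)) { continue }   # product not in its default location
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from its numeric parts; the FileVersion string can carry extra text.
        $actual   = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $expected = [version]$c.Version
        if ($actual.Major -ne $expected.Major -or $actual.Minor -ne $expected.Minor) {
            # Assumption: a different major.minor means the server is on another update
            # level (for example the other TFS 2018 line), so this row does not apply.
            $status = 'Different update level'
        } elseif ($actual -ge $expected) {
            $status = 'Patched'
        } else {
            $status = 'PATCH MISSING'
        }
        New-Object PSObject -Property @{ Patch = $c.Patch; Found = $actual; Expected = $expected; Status = $status } |
            Select-Object Patch, Found, Expected, Status
    }
}

Test-TfsPatchLevel | Format-Table -AutoSize
```

Run it on each application tier server; a row marked PATCH MISSING means the prerequisite update is present but the July patch is not.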

Erin Dormier

Principal Program Manager, Azure DevOps


10 Comments
John Keippel III 2019-07-15 14:54:06
Is there a way to sign up for alerts to security releases like this in the future?
Kuznetsov Sergey 2019-07-15 04:04:03
Does TFS 2018 Update 3.2 Patch 5 include the previous patches? I mean TFS 2018 Update 3.2 Patch 4, 3, 2, 1.
Desmond Kung 2019-07-11 03:18:45
I'm constantly getting an "Error writing install status to registry: System.UnauthorizedAccessException: Cannot write to the registry key" error, even though the DLL version has been updated for TFS 2015 Update 4.2 Patch 2. Should I be concerned?
Matthew Andrews 2019-07-09 11:29:29
[INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll does not appear to be upgraded by this patch. Is this the right file to examine?
Harley Parks 2019-07-09 11:25:09
The web installer for DevOps Server and the patch is a Release Candidate for version 17.143.29019.5. Is it safe to expect a fully vetted upgrade will be available by Aug. 1st? And will a patch still be required?