For the July security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, TFS 2015, TFS 2013, TFS 2012, and TFS 2010. Thanks to everyone who has been participating in our Azure DevOps Bounty Program.
CVE-2019-1072: remote code execution vulnerability in work item tracking
CVE-2019-1076: cross-site scripting (XSS) vulnerability in Pull Requests
Functional bug fix: Email notifications may have incorrect dates
Azure DevOps Server 2019.0.1 Patch 1
If you have Azure DevOps Server 2019, you should first update to Azure DevOps Server 2019.0.1. Once on 2019.0.1, install Azure DevOps Server 2019.0.1 Patch 1.
Verifying Installation
To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.
After installing Azure DevOps Server 2019.0.1 Patch 1, the version will be 17.143.29019.5.
TFS 2018 Update 3.2 Patch 5
If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 5.
Verifying Installation
To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.
After installing TFS 2018 Update 3.2 Patch 5, the version will be 16.131.29019.4.
TFS 2018 Update 1.2 Patch 5
If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 5.
Verifying Installation
To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.
After installing TFS 2018 Update 1.2 Patch 5, the version will be 16.122.29017.5.
TFS 2017 Update 3.1 Patch 6
If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 6.
Verifying Installation
To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.
After installing TFS 2017 Update 3.1 Patch 6, the version will be 15.117.29024.0.
TFS 2015 Update 4.2 Patch 2
If you have TFS 2015, you should first update to TFS 2015 Update 4.2. Once on Update 4.2, install TFS 2015 Update 4.2 Patch 2.
Verifying Installation
To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2015 is installed to c:\Program Files\Microsoft Team Foundation Server 14.0 by default.
After installing TFS 2015 Update 4.2 Patch 1, the version will be 14.114.29025.0.
TFS 2013 Update 5 Patch 1
If you have TFS 2013, you should first update to TFS 2013 Update 5, which you can get at https://my.visualstudio.com. Once on Update 5, install TFS 2013 Update 5 Patch 1.
Verifying Installation
To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2013 is installed to c:\Program Files\Microsoft Team Foundation Server 12.0 by default.
After installing TFS 2013 Update 5 Patch 1, the version will be 12.0.40681.0
TFS 2012 Update 4 Patch 1
If you have TFS 2012, you should first update to TFS 2012 Update 4, which you can get at https://my.visualstudio.com. Once on Update 4, install TFS 2012 Update 4 Patch 1.
Verifying Installation
To verify if you have a patch installed, bring up the Windows Run dialog and start appwiz.cpl. Then click on installed updates. There will be an entry for KB4506065 if the patch is installed.
You can also check “C:\Program Files\Microsoft Team Foundation Server 11.0\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices.dll”. In the Details page of its properties dialog, it will have version 11.0.61243.400 if patched, and 11.0.61030.0 if not patched.
TFS 2010 SP1 Patch 1
If you have TFS 2010, you should first update to Service Pack 1, which you can get at https://my.visualstudio.com. Once on SP1, install TFS 2010 SP1 Patch 1 64-bit or TFS 2010 SP1 Patch 1 32-bit.
Verifying Installation
To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2010 is installed to c:\Program Files\Microsoft Team Foundation Server 2010 by default.
Update: If you installed the TFS 2010 patch before July 29, the version will be 10.0.40219.504. On July 29, we released a new patch to fix an issue installing on non-English languages. If you installed the patch on July 29 or later, the version will be 10.0.40219.506. Both versions contain the same fix and are valid.
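The per-release file-version checks above can be scripted. The PowerShell below is an added example, not part of the original post and not a Microsoft tool. The file names and versions are the ones listed in this post; the default install directories, the "at or above the listed version on the same major.minor line" rule, and the function name Test-TfsPatchLevel are assumptions (Windows PowerShell 3.0 or later).

```powershell
# Added example. Paths and versions are copied from the post above.
# Assumption: a file at or above the listed version, with the same major.minor,
# counts as patched (patches are cumulative, so later ones report higher numbers).
$bin = 'Application Tier\Web Services\bin'
$pf  = 'C:\Program Files'
$checks = @(
  @{ Patch='Azure DevOps Server 2019.0.1 Patch 1'; Root="$pf\Azure DevOps Server 2019"
     File='Microsoft.TeamFoundation.Framework.Server.dll'; Version='17.143.29019.5' }
  @{ Patch='TFS 2018 Update 3.2 Patch 5'; Root="$pf\Microsoft Team Foundation Server 2018"
     File='Microsoft.TeamFoundation.WorkItemTracking.Web.dll'; Version='16.131.29019.4' }
  @{ Patch='TFS 2018 Update 1.2 Patch 5'; Root="$pf\Microsoft Team Foundation Server 2018"
     File='Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version='16.122.29017.5' }
  @{ Patch='TFS 2017 Update 3.1 Patch 6'; Root="$pf\Microsoft Team Foundation Server 15.0"
     File='Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version='15.117.29024.0' }
  @{ Patch='TFS 2015 Update 4.2 Patch 2'; Root="$pf\Microsoft Team Foundation Server 14.0"
     File='Microsoft.TeamFoundation.Framework.Server.dll'; Version='14.114.29025.0' }
  @{ Patch='TFS 2013 Update 5 Patch 1'; Root="$pf\Microsoft Team Foundation Server 12.0"
     File='Microsoft.TeamFoundation.Framework.Server.dll'; Version='12.0.40681.0' }
  @{ Patch='TFS 2012 Update 4 Patch 1'; Root="$pf\Microsoft Team Foundation Server 11.0"
     File='Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices.dll'; Version='11.0.61243.400' }
  # 10.0.40219.504 and .506 are both valid for TFS 2010; the lower one is the floor.
  @{ Patch='TFS 2010 SP1 Patch 1'; Root="$pf\Microsoft Team Foundation Server 2010"
     File='Microsoft.TeamFoundation.Framework.Server.dll'; Version='10.0.40219.504' }
)

function Test-TfsPatchLevel {
    param([Parameter(Mandatory = $true)][hashtable] $Check, [string] $InstallDir)
    if (-not $InstallDir) { $InstallDir = $Check.Root }      # fall back to the default location
    $path = Join-Path (Join-Path $InstallDir $bin) $Check.File
    if (-not (Test-Path -LiteralPath $path)) { return }      # this release is not installed here
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    # Use the numeric parts; the FileVersion string can carry extra text.
    $found = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
    $want = [version]$Check.Version
    if ($found.Major -ne $want.Major -or $found.Minor -ne $want.Minor) {
        $status = 'different update level'                   # e.g. 2018 Update 1.2 vs 3.2
    } elseif ($found -ge $want) { $status = 'patched' } else { $status = 'NOT patched' }
    [pscustomobject]@{ Patch = $Check.Patch; Found = $found; Expected = $want; Status = $status }
}

$checks | ForEach-Object { Test-TfsPatchLevel -Check $_ } | Format-Table -AutoSize
```

Pass -InstallDir when the server is not installed in the default directory. Rows for releases that are not present on the machine are skipped.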
I had TFS 2010 SP1 (kb2182621), and installed tfs2010sp1patch1-x64.exe, now version is 10.0.40219.506. Installation was successful, but now I’m getting this error on my TFS 2010 Buildings:
Detailed Message: TF221122: An error occurred running job Test Management Warehouse Sync for team project collection or Team Foundation server Luzdelsur.
Exception Message: TF30040: The database is not correctly configured. Contact your Team Foundation Server administrator. (type DatabaseConfigurationException)
Exception Message: Could not find stored procedure ‘prc_QueryForMaxAuditId’. (type SqlException)
Is there any solution or workaround about it?
Thanks
Are there any options for installing the patches silently? We are currently using TFS 2018 Update 3.2 and trying to apply the latest security patch (Patch 5 or Patch 6). This is our first patch since upgrading to TFS 2018, so we aren’t familiar with the patch process yet. If we unzip the files using the unzip command line argument and copy the file directory structure from the zip to the proper locations, is that all that needs to be done to apply the patch?
Hi Ryan,
Yes, we have a silent option. You can download the .exe for the patch, then run it from the command line using the -force parameter.
The -force command still leaves the command window which is launched with a press any key to continue at the end.
I just talked to my team and they are filing a bug to fix this. In the meantime, you can work around it by wrapping the call to TfsPatch in a command shell, such as running “C:\Windows\SysWOW64\cmd.exe /c “<path to download>\TfsPatch.exe” -force”
Thanks, Erin. Sorry for the slow reply.
Am I missing something? I am unable to apply patch to TFS 2018, 3.2. I get the below error. Please advise:
Found InstallVersion: 16.131.28601.4
Could not find Patch version in registry, no patches installed.
The Application Tier is configured.
The Search Tier is not configured.
The Proxy Tier is not configured.
This patch does not apply to Tfs version 16.131.28601.4.
Hi Abhinay,
I’m following up with my team to figure out why you’re getting this error. The version is the correct version of TFS 2018 Update 3.2, so that’s definitely unexpected.
Abhinay,
We tried to reproduce this on our side and couldn’t, so you’re seeing something unexpected. Could you email me at egeaney@microsoft.com so we can run it down and figure this out?
Is there a way to sign up for alerts to security releases like this in the future?
We don’t currently have alerts specific to Azure DevOps and TFS, but we are included in the Microsoft security notifications. You can find information about subscribing to the security notifications here: https://www.microsoft.com/en-us/msrc/technical-security-notifications
Does TFS 2018 Update 3.2 Patch 5 include the previous patches? I mean TFS 2018 Update 3.2 Patch 4, 3, 2, 1.
Yes, all the patches are cumulative, meaning they roll up the previous patches. So TFS 2018 Update 3.2 Patch 5 includes the fixes for Patches 1, 2, 3, and 4.
Thanks a lot!
I’m constantly getting an “Error writing install status to registry: System.UnauthorizedAccessException: Cannot write to the registry key” error, even though the DLL version has been updated for TFS 2015 Update 4.2 Patch 2. Should I be concerned?
Our team took a look at this and determined you can safely ignore this error. We will fix this in the next patch to TFS 2015 Update 4.2. Sorry for the inconvenience.
Hi Desmond,
Thanks for reporting. Please reach out to CATExpert@service.microsoft.com and we can help you with further steps.
[INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll does not appear to be upgraded by this patch. Is this the right file to examine?
Thanks for catching that. You can check the [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll file. I updated the post with this information.
The web installer for DevOps Server and the patch is a Release Candidate for version 17.143.29019.5. Is it safe to expect a fully vetted upgrade will be available by Aug. 1st? And will a patch still be required?
Azure DevOps Server 2019.0.1 is a fully released version, not a release candidate. Can you confirm you downloaded from https://go.microsoft.com/fwlink/?LinkId=2089023?