July Security Release: Patches available for Azure DevOps Server and Team Foundation Server

Erin Dormier

For the July security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, TFS 2015, TFS 2013, TFS 2012, and TFS 2010. Thanks to everyone who has been participating in our Azure DevOps Bounty Program.

CVE-2019-1072: remote code execution vulnerability in work item tracking

CVE-2019-1076: cross site scripting (XSS) vulnerability in Pull Requests

Functional bug fix: Email notifications may have incorrect dates

Azure DevOps Server 2019.0.1 Patch 1

If you have Azure DevOps Server 2019, you should first update to Azure DevOps Server 2019.0.1. Once on 2019.0.1, install Azure DevOps Server 2019.0.1 Patch 1.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019.0.1 Patch 1, the version will be 17.143.29019.5.

TFS 2018 Update 3.2 Patch 5

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 5.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 5, the version will be 16.131.29019.4.

TFS 2018 Update 1.2 Patch 5

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 5.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 5, the version will be 16.122.29017.5.

TFS 2017 Update 3.1 Patch 6

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 6.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 6, the version will be 15.117.29024.0.

TFS 2015 Update 4.2 Patch 2

If you have TFS 2015, you should first update to TFS 2015 Update 4.2. Once on Update 4.2, install TFS 2015 Update 4.2 Patch 2.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2015 is installed to c:\Program Files\Microsoft Team Foundation Server 14.0 by default.

After installing TFS 2015 Update 4.2 Patch 1, the version will be 14.114.29025.0.

TFS 2013 Update 5 Patch 1

If you have TFS 2013, you should first update to TFS 2013 Update 5, which you can get at https://my.visualstudio.com. Once on Update 5, install TFS 2013 Update 5 Patch 1.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2013 is installed to c:\Program Files\Microsoft Team Foundation Server 12.0 by default.

After installing TFS 2013 Update 5 Patch 1, the version will be 12.0.40681.0.

TFS 2012 Update 4 Patch 1

If you have TFS 2012, you should first update to TFS 2012 Update 4, which you can get at https://my.visualstudio.com. Once on Update 4, install TFS 2012 Update 4 Patch 1.

Verifying Installation

To verify if you have a patch installed, bring up the Windows Run dialog and start appwiz.cpl. Then click on installed updates. There will be an entry for KB4506065 if the patch is installed.

You can also check “C:\Program Files\Microsoft Team Foundation Server 11.0\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices.dll”. In the Details page of its properties dialog, it will have version 11.0.61243.400 if patched, and 11.0.61030.0 if not patched.

TFS 2010 SP1 Patch 1

If you have TFS 2010, you should first update to Service Pack 1, which you can get at https://my.visualstudio.com. Once on SP1, install TFS 2010 SP1 Patch 1 64-bit or TFS 2010 SP1 Patch 1 32-bit.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2010 is installed to c:\Program Files\Microsoft Team Foundation Server 2010 by default.

Update: If you installed the TFS 2010 patch before July 29, the version will be 10.0.40219.504. On July 29, we released a new patch to fix an issue installing on non-English languages. If you installed the patch on July 29 or later, the version will be 10.0.40219.506. Both versions contain the same fix and are valid.
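The per-product file checks above can be run in one pass on an application-tier server. This PowerShell script is an added example, not part of the original post and not a Microsoft tool; the function name Get-TfsPatchStatus is hypothetical, and the paths, DLL names and versions are the ones quoted in this post. Assumptions: PowerShell 3.0 or later, a file version at or above the quoted one counts as patched, and the first two version fields identify the update level.

```powershell
# Added example: expected versions and default paths are those quoted in this post.
$bin = 'Application Tier\Web Services\bin'
$pf  = 'C:\Program Files'
$checks = @(
  @{ Name='Azure DevOps Server 2019.0.1 Patch 1'; Dir="$pf\Azure DevOps Server 2019"
     Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Patched='17.143.29019.5' }
  @{ Name='TFS 2018 Update 3.2 Patch 5'; Dir="$pf\Microsoft Team Foundation Server 2018"
     Dll='Microsoft.TeamFoundation.WorkItemTracking.Web.dll'; Patched='16.131.29019.4' }
  @{ Name='TFS 2018 Update 1.2 Patch 5'; Dir="$pf\Microsoft Team Foundation Server 2018"
     Dll='Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Patched='16.122.29017.5' }
  @{ Name='TFS 2017 Update 3.1 Patch 6'; Dir="$pf\Microsoft Team Foundation Server 15.0"
     Dll='Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Patched='15.117.29024.0' }
  @{ Name='TFS 2015 Update 4.2 Patch 2'; Dir="$pf\Microsoft Team Foundation Server 14.0"
     Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Patched='14.114.29025.0' }
  @{ Name='TFS 2013 Update 5 Patch 1'; Dir="$pf\Microsoft Team Foundation Server 12.0"
     Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Patched='12.0.40681.0' }
  @{ Name='TFS 2012 Update 4 Patch 1'; Dir="$pf\Microsoft Team Foundation Server 11.0"
     Dll='Microsoft.TeamFoundation.WorkItemTracking.Server.DataServices.dll'; Patched='11.0.61243.400' }
  @{ Name='TFS 2010 SP1 Patch 1'; Dir="$pf\Microsoft Team Foundation Server 2010"
     Dll='Microsoft.TeamFoundation.Framework.Server.dll'; Patched='10.0.40219.504' }
)

function Get-TfsPatchStatus {
  param([string]$InstallDir)   # optional: overrides the default install directory
  foreach ($c in $checks) {
    $root = if ($InstallDir) { $InstallDir } else { $c.Dir }
    $path = Join-Path (Join-Path $root $bin) $c.Dll
    if (-not (Test-Path -LiteralPath $path)) { continue }   # product not installed here
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    # Build from the numeric parts; the FileVersion string can carry extra text.
    $found = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)
    $want = [version]$c.Patched
    if ($found.Major -ne $want.Major) { continue }          # DLL belongs to another product
    # Assumption: major.minor identifies the update level the patch applies to.
    $status = if ($found.Minor -ne $want.Minor) { 'Not on this update level' }
              elseif ($found -ge $want)         { 'Patched' }
              else                              { 'NOT patched' }
    [pscustomobject]@{ Product = $c.Name; Found = $found; Expected = $want; Status = $status }
  }
}

Get-TfsPatchStatus | Format-Table -AutoSize
```

TFS 2018 produces two rows because both update levels share one install directory; only the row for the update level you are on applies. For TFS 2012, the KB4506065 entry under installed updates remains the other check described above.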

21 comments


  • Harley Parks 0

    The web installer for DevOps Server and the patch is a Release Candidate for version 17.143.29019.5. Is it safe to expect a fully vetted upgrade will be available by Aug. 1st? And will a patch still be required?

  • Matthew Andrews 0

    [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll does not appear to be upgraded by this patch. Is this the right file to examine?

    • Erin Dormier (Microsoft employee) 0

      Thanks for catching that. You can check the [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll file. I updated the post with this information.

  • Desmond Kung 0

    I’m constantly getting an “Error writing install status to registry: System.UnauthorizedAccessException: Cannot write to the registry key” error, even though the DLL version has been updated for TFS 2015 Update 4.2 Patch 2. Should I be concerned?

    • Hao Jiang (Microsoft employee) 0

      Hi Desmond,
      Thanks for reporting. Please reach out to CATExpert@service.microsoft.com and we can help you with further steps.

    • Erin Dormier (Microsoft employee) 0

      Our team took a look at this and determined you can safely ignore this error. We will fix this in the next patch to TFS 2015 Update 4.2. Sorry for the inconvenience.

  • Kuznetsov Sergey 0

    Does TFS 2018 Update 3.2 Patch 5 include the previous patches? I mean TFS 2018 Update 3.2 Patch 4, 3, 2, 1.

    • Erin Dormier (Microsoft employee) 0

      Yes, all the patches are cumulative, meaning they roll up the previous patches. So TFS 2018 Update 3.2 Patch 5 includes the fixes for Patches 1, 2, 3, and 4.

      • Kuznetsov Sergey 0

        Thanks a lot!

  • John Keippel III 0

    Is there a way to sign up for alerts to security releases like this in the future?

  • Abhinay Potluri 0

    Am I missing something? I am unable to apply the patch to TFS 2018, 3.2. I get the below error. Please advise: — Found InstallVersion: 16.131.28601.4 Could not find Patch version in registry, no patches installed. The Application Tier is configured. The Search Tier is not configured. The Proxy Tier is not configured. This patch does not apply to Tfs version 16.131.28601.4.

    • Erin Dormier (Microsoft employee) 0

      Hi Abhinay,

      I’m following up with my team to figure out why you’re getting this error. The version is the correct version of TFS 2018 Update 3.2, so that’s definitely unexpected.

      • Erin Dormier (Microsoft employee) 0

        Abhinay,

        We tried to reproduce this on our side and couldn’t, so you’re seeing something unexpected. Could you email me at egeaney@microsoft.com so we can run it down and figure this out?

  • ILGopher - Ryan Weishalla 0

    Are there any options for installing the patches silently? We are currently using TFS 2018 Update 3.2 and trying to apply the latest security patch (Patch 5 or Patch 6). This is our first patch since upgrading to TFS 2018, so we aren’t familiar with the patch process yet. If we unzip the files using the unzip command line argument and copy the file directory structure from the zip to the proper locations, is that all that needs to be done to apply the patch?

    • Erin Dormier (Microsoft employee) 0

      Hi Ryan,

      Yes, we have a silent option. You can download the .exe for the patch, then run it from the command line using the -force parameter.

      • ILGopher - Ryan Weishalla 0

        The -force command still leaves the command window, which is launched with a “press any key to continue” at the end.

        • Erin Dormier (Microsoft employee) 0

          I just talked to my team and they are filing a bug to fix this. In the meantime, you can work around it by wrapping the call to TfsPatch in a command shell, such as running “C:\Windows\SysWOW64\cmd.exe /c "<path to download>\TfsPatch.exe" -force”

          • ILGopher - Ryan Weishalla 0

            Thanks, Erin. Sorry for the slow reply.

  • Cristian Freddy Casanova Gallegos 0

    I had TFS 2010 SP1 (kb2182621), and installed tfs2010sp1patch1-x64.exe, now version is 10.0.40219.506. Installation was successful, but now I’m getting this error on my TFS 2010 Buildings:

    Detailed Message: TF221122: An error occurred running job Test Management Warehouse Sync for team project collection or Team Foundation server Luzdelsur.
    Exception Message: TF30040: The database is not correctly configured. Contact your Team Foundation Server administrator. (type DatabaseConfigurationException)
    Exception Message: Could not find stored procedure ‘prc_QueryForMaxAuditId’. (type SqlException)

    Is there any solution or workaround about it?

    Thanks
