March 12th, 2019

March Security Release: Patches available for TFS 2018.3.2, TFS 2018.1.2, and TFS 2017.3.1

Erin Dormier
Principal Program Manager

For the March security release, we are releasing a fix for a cross site scripting (XSS) vulnerability in release management (CVE-2019-0777). This impacts TFS 2017 and TFS 2018. We are releasing patches for TFS 2018 Update 3.2, TFS 2018 Update 1.2, and TFS 2017 Update 3.1. This fix is already in Azure DevOps Server 2019.

TFS 2018 Update 3.2 Patch 2

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 2.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 2, the version will be 16.131.28626.3.

TFS 2018 Update 1.2 Patch 2

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 2.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 2, the version will be 16.122.28627.2.

TFS 2017 Update 3.1 Patch 3

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 3.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 3, the version will be 15.117.28627.0

Author

Erin Dormier
Principal Program Manager

0 comments

Discussion are closed.