May Security Release: Patches available for Azure DevOps Server 2019, TFS 2018.3.2, TFS 2018.1.2, TFS 2017.3.1, and TFS 2015.4.2

Erin Dormier

For the May security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. Thanks to everyone who has been participating in our Azure DevOps Bounty Program.

We have now added the ability to patch TFS 2015, so customers do not need to install a full release to get the security fixes. As a reminder, all patches are cumulative, so they include all the fixes in previous patches.

CVE-2019-0872: cross site scripting (XSS) vulnerability in Test Plans

CVE-2019-0971: information disclosure vulnerability in the Repos API

CVE-2019-0979: cross site scripting (XSS) vulnerability in the User hub

Azure DevOps Server 2019 Patch 2

If you have Azure DevOps Server 2019, you should install Azure DevOps Server 2019 Patch 2.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019 Patch 2, the version will be 17.143.28826.2.

TFS 2018 Update 3.2 Patch 4

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 4.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 4, the version will be 16.131.28826.3.

TFS 2018 Update 1.2 Patch 4

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 4.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 4, the version will be 16.122.28826.4.

TFS 2017 Update 3.1 Patch 5

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 5.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 5, the version will be 15.117.28826.0.

TFS 2015 Update 4.2 Patch 1

If you have TFS 2015, you should first update to TFS 2015 Update 4.2. Once on Update 4.2, install TFS 2015 Update 4.2 Patch 1.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2015 is installed to c:\Program Files\Microsoft Team Foundation Server 14.0 by default.

After installing TFS 2015 Update 4.2 Patch 1, the version will be 14.114.28829.0.
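
The five file-version checks above can be run in one pass with the following PowerShell, which is an added example and not part of the original post or of Microsoft's patch tooling. It uses the DLL names, default install directories and version numbers listed in this post. It assumes that the first two version components identify the update level and that a higher build on the same level is a later cumulative patch; the `-InstallDir` parameter and the status strings are names introduced for the example.

```powershell
# Added example, not Microsoft tooling. DLL names, default directories and
# patched versions are the ones listed in this post.
param([string]$InstallDir)   # hypothetical parameter: overrides the default install directory

$bin = 'Application Tier\Web Services\bin'
$pf  = 'C:\Program Files'
$checks = @(
    @{ Patch = 'Azure DevOps Server 2019 Patch 2'; Dir = "$pf\Azure DevOps Server 2019"
       Dll = 'Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll'; Want = '17.143.28826.2' }
    @{ Patch = 'TFS 2018 Update 3.2 Patch 4'; Dir = "$pf\Microsoft Team Foundation Server 2018"
       Dll = 'Microsoft.TeamFoundation.WorkItemTracking.Web.dll'; Want = '16.131.28826.3' }
    @{ Patch = 'TFS 2018 Update 1.2 Patch 4'; Dir = "$pf\Microsoft Team Foundation Server 2018"
       Dll = 'Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Want = '16.122.28826.4' }
    @{ Patch = 'TFS 2017 Update 3.1 Patch 5'; Dir = "$pf\Microsoft Team Foundation Server 15.0"
       Dll = 'Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Want = '15.117.28826.0' }
    @{ Patch = 'TFS 2015 Update 4.2 Patch 1'; Dir = "$pf\Microsoft Team Foundation Server 14.0"
       Dll = 'Microsoft.TeamFoundation.Framework.Server.dll'; Want = '14.114.28829.0' }
)

foreach ($c in $checks) {
    $dir = $c.Dir
    if ($InstallDir) { $dir = $InstallDir }
    $path = Join-Path (Join-Path $dir $bin) $c.Dll
    if (-not (Test-Path -LiteralPath $path)) { continue }   # product not installed at this path

    # Build the version from its numeric parts; the FileVersion string can carry extra text.
    $vi   = (Get-Item -LiteralPath $path).VersionInfo
    $have = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart)
    $want = [version]$c.Want

    # Assumption: major.minor identifies the update level (e.g. 16.131 vs 16.122 for
    # the two TFS 2018 lines), so versions are only compared within the same level.
    $status = if ($have.Major -ne $want.Major -or $have.Minor -ne $want.Minor) {
        'different update level: move to the required update first'
    } elseif ($have -ge $want) {
        'patched (this patch or a later cumulative one)'
    } else {
        'NOT patched'
    }
    [pscustomobject]@{ Patch = $c.Patch; Installed = $have; Expected = $want; Status = $status }
}
```

Because the two TFS 2018 entries share an install directory, the update-level comparison keeps a server on Update 3.2 from being reported as patched against the Update 1.2 entry.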

Erin Dormier

Principal Program Manager, Azure DevOps

8 Comments
Neumann, Adrian 2019-06-13 06:53:39
Hello Erin, we are wondering why there is still no Patch 5 for TFS 2018 Update 3.2 released? In one of your announcements you wrote "We plan to release security updates on the second Tuesday of each month (Patch Tuesday)." Please take into account that your customers rely on your announcements and planning of changes. I look forward to your reply. Best regards Adrian
Erin Dormier 2019-05-28 10:14:29

Thank you, I fixed the typos.

Brian Baker 2019-05-23 20:13:25
FYI, you have a couple of typos in the TFS 2015 section. It refers to Update 3.1 and to TFS 2017.
sekan@efa-leipzig.com 2019-05-19 21:58:35
Hello, I can't install this patch :-(
--
Installed version: 17.143.28819.4
Patch version: 17.143.28826.2
Version of Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll: 17.143.28819.4
---
Microsoft (R) AzureDevOpsPatch - Azure DevOps Server update tool - version 17.143.28826.2
Copyright (c) Microsoft Corporation. All rights reserved.
Logging going to 'C:\ProgramData\Microsoft\Azure DevOps\Server Configuration\Logs\Patch_2019-05-20_07-39-53.log'
Checking SOFTWARE\Microsoft\TeamFoundationServer\17.0 to see if Azure DevOps Server is installed
Found InstallPath: C:\Program Files\Azure DevOps Server 2019\
Found InstallVersion: 17.143.28819.4
Latest patch installed on machine is version 17.143.28804.3
Patch 17.143.28826.2 is the same or later version as the patch installed on machine, patch can be installed.
The Application Tier is configured.
The Search Tier is configured.
The Proxy Tier is not configured.
This patch does not apply to Azure DevOps Server version 17.143.28819.4.
---