September patches for Azure DevOps Server and Team Foundation Server

Erin Dormier


This month, we are releasing fixes for security vulnerabilities that impact TFS 2015, TFS 2017, TFS 2018, and Azure DevOps Server 2019.

CVE-2019-1305: cross site scripting (XSS) vulnerability in Repos

CVE-2019-1306: remote code execution vulnerability in Wiki

Here are the patches for each impacted version:

Azure DevOps Server 2019 Update 1 Patch 1

If you have Azure DevOps Server 2019 Update 1, you should install Azure DevOps Server 2019 Update 1 Patch 1.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.VisualStudio.Services.Search.Common.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019.1 Patch 1, the version will be 17.153.29226.8.

Azure DevOps Server 2019.0.1 Patch 3

If you have Azure DevOps Server 2019, you should first update to Azure DevOps Server 2019.0.1. Once on 2019.0.1, install Azure DevOps Server 2019.0.1 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019.0.1 Patch 3, the version will be 17.143.29226.4.

TFS 2018 Update 3.2 Patch 7

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 7.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 7, the version will be 16.131.29226.5.

TFS 2018 Update 1.2 Patch 6

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 6.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 6, the version will be 16.122.29226.6.

TFS 2017 Update 3.1 Patch 8

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 8.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 8, the version will be 15.117.29226.0.

TFS 2015 Update 4.2 Patch 3

If you have TFS 2015, you should first update to TFS 2015 Update 4.2. Once on Update 4.2, install TFS 2015 Update 4.2 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Framework.Server.dll. TFS 2015 is installed to c:\Program Files\Microsoft Team Foundation Server 14.0 by default.

After installing TFS 2015 Update 4.2 Patch 3, the version will be 14.114.29226.0.
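The six "Verifying Installation" steps above are the same check with different inputs. The script below is an added example, not part of the original post and not a Microsoft tool: it puts the file names, default install directories and expected versions from the post into one table, reads the installed file version from the PE version resource on the application tier, and compares it numerically. The `-Release` names, the `-InstallDir` parameter and the table layout are my own assumptions.

```powershell
# Added example (not from the original post or from Microsoft): verify that the
# September 2019 patch for a given Azure DevOps Server / TFS release is installed
# on this application tier. File names, default directories and expected versions
# are the ones the post above lists; the release keys are assumed names.
[CmdletBinding()]
param(
    # Which release this machine runs (assumed short names, one per patch in the post).
    [ValidateSet('AzDO2019.1', 'AzDO2019.0.1', 'TFS2018.3.2', 'TFS2018.1.2', 'TFS2017.3.1', 'TFS2015.4.2')]
    [string]$Release = 'AzDO2019.1',
    # Override when the server was not installed to the default directory.
    [string]$InstallDir
)

# One row per patch in the post: default install directory, the file to check,
# and the file version the post says you should see after the patch is applied.
$patches = @{
    'AzDO2019.1'   = @{ Name = 'Azure DevOps Server 2019 Update 1 Patch 1'; Dir = 'C:\Program Files\Azure DevOps Server 2019';              File = 'Microsoft.VisualStudio.Services.Search.Common.dll';   Version = '17.153.29226.8' }
    'AzDO2019.0.1' = @{ Name = 'Azure DevOps Server 2019.0.1 Patch 3';      Dir = 'C:\Program Files\Azure DevOps Server 2019';              File = 'Microsoft.TeamFoundation.Framework.Server.dll';       Version = '17.143.29226.4' }
    'TFS2018.3.2'  = @{ Name = 'TFS 2018 Update 3.2 Patch 7';               Dir = 'C:\Program Files\Microsoft Team Foundation Server 2018'; File = 'Microsoft.TeamFoundation.WorkItemTracking.Web.dll';   Version = '16.131.29226.5' }
    'TFS2018.1.2'  = @{ Name = 'TFS 2018 Update 1.2 Patch 6';               Dir = 'C:\Program Files\Microsoft Team Foundation Server 2018'; File = 'Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version = '16.122.29226.6' }
    'TFS2017.3.1'  = @{ Name = 'TFS 2017 Update 3.1 Patch 8';               Dir = 'C:\Program Files\Microsoft Team Foundation Server 15.0'; File = 'Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'; Version = '15.117.29226.0' }
    'TFS2015.4.2'  = @{ Name = 'TFS 2015 Update 4.2 Patch 3';               Dir = 'C:\Program Files\Microsoft Team Foundation Server 14.0'; File = 'Microsoft.TeamFoundation.Framework.Server.dll';       Version = '14.114.29226.0' }
}

$p = $patches[$Release]
if (-not $InstallDir) { $InstallDir = $p.Dir }
$path = Join-Path $InstallDir "Application Tier\Web Services\bin\$($p.File)"

if (-not (Test-Path -LiteralPath $path)) {
    # Either this machine is not an application tier, or the install directory
    # is not the default. Exit code 2 so a fleet-wide run can tell "unknown" from "unpatched".
    Write-Error "File not found: $path (not an application tier, or pass -InstallDir)."
    exit 2
}

# Build a [version] from the numeric parts of the PE version resource rather
# than parsing the FileVersion string, so a comparison is numeric per component:
# "17.153.29226.10" is newer than "17.153.29226.8", even though it sorts earlier as text.
$vi = (Get-Item -LiteralPath $path).VersionInfo
$installed = New-Object System.Version ($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
$expected  = [version]$p.Version

# A later cumulative patch ships a higher file version, so "at least" is the right test.
$patched = ($installed -ge $expected)

[pscustomobject]@{
    Patch     = $p.Name
    File      = $path
    Installed = $installed.ToString()
    Expected  = $expected.ToString()
    Patched   = $patched
} | Format-List

if ($patched) { exit 0 } else { exit 1 }
```

Run it on every application tier, not just one: the post's reply in the comments notes that deployments can have several ATs behind a load balancer, and the patch has to be on all of them. Check the file the post names for your release; a patch does not necessarily touch the other DLLs in the same bin directory, so an unchanged version on a different file is not evidence either way.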

Erin Dormier

Principal Program Manager, Azure DevOps

9 comments

  • t shirai

    I applied “Azure DevOps Server 2019 Update 1 Patch 1”, but the “Microsoft.TeamFoundation.Framework.Server.dll” file was not changed and remained at “17.153.29207.5”.
    The following four files have been changed to “17.153.29226.8”. Is it correct?
    “Microsoft.VisualStudio.Services.Search.ReSearch.Core.dll”, “Microsoft.VisualStudio.Services.Search.Common.dll”, “Microsoft.VisualStudio.Services.Search.Indexer.dll”, “Microsoft.VisualStudio.Services.Search.Platforms.SearchEngine.dll”

    • Erin Dormier

      Hi Michael,

      We don’t do automatic updates of Azure DevOps Server or TFS due to the complexities of configurations. For example, there may be multiple ATs and load balancers that need to be upgraded simultaneously.

    • Whitney Jenkins

      Hi Matthieu, 

      Thanks for reaching out. We’re always working to address user feedback on our docs. As of right now, we publish incremental improvements to our REST API documentation each sprint. If there are any particular github issue in the repo linked above that need immediate consideration, please add a comment to the issue. This will help us with prioritizing fixes. 

      Best,

      Whitney 

  • Stanton, Andrew

    @Erin Dormier – Any chance that the build history that was deleted without warning or authorization is going to get restored? Also all the version numbers that were broken due to that “streamlining” get fixed?   The engineer working the feedback ticket does not seem to understand the risk this creates for your customers, even when painstakingly explained. Per his (push off) request, I opened a support request to have the history restored and the questions the support rep is asking are the kind one would get when the source is trying to push off or delay and hope the problem goes away. The only thing that the pipeline’s dev team agreed to fix was a bug in the settings UI related to this feature that still isn’t fixed despite that feedback item indicating otherwise (and this defect ought to have been caught by anyone testing the new feature). Meanwhile more of your customers are discovering all their build numbers are reset and they are issuing programs and packages with different code and old version numbers. My only recourse was to make a utility that marks every build as retain indefinitely.
    I would have contacted you or the other AzDo PM’s directly, but all I can find on here are what look like non-work contact addresses.
