{"id":56156,"date":"2019-04-09T09:24:22","date_gmt":"2019-04-09T17:24:22","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=56156"},"modified":"2019-04-15T08:29:01","modified_gmt":"2019-04-15T16:29:01","slug":"april-security-release-patches-available-for-azure-devops-server-2019-tfs-2018-3-2-tfs-2018-1-2-tfs-2017-3-1-and-the-release-of-tfs-2015-4-2","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/april-security-release-patches-available-for-azure-devops-server-2019-tfs-2018-3-2-tfs-2018-1-2-tfs-2017-3-1-and-the-release-of-tfs-2015-4-2\/","title":{"rendered":"April Security Release: Patches available for Azure DevOps Server 2019, TFS 2018.3.2, TFS 2018.1.2, TFS 2017.3.1, and the release of TFS 2015.4.2"},"content":{"rendered":"

For the April security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. These vulnerabilities were found through our Azure DevOps Bounty Program<\/a>. Thanks to everyone who has been participating in this program.<\/p>\n

CVE-2019-0857<\/a>: spoofing vulnerability in the Wiki<\/p>\n

CVE-2019-0866<\/a>: remote code execution vulnerability in Pipelines<\/p>\n

CVE-2019-0867<\/a>: cross site scripting (XSS) vulnerability in Pipelines<\/p>\n

CVE-2019-0868<\/a>: cross site scripting (XSS) vulnerability in Pipelines<\/p>\n

CVE-2019-0869<\/a>: HTML injection vulnerability in Pipelines<\/p>\n

CVE-2019-0870<\/a>: cross site scripting (XSS) vulnerability in Pipelines<\/p>\n

CVE-2019-0871<\/a>: cross site scripting (XSS) vulnerability in Pipelines<\/p>\n

CVE-2019-0874<\/a>: cross site scripting (XSS) vulnerability in Pipelines<\/p>\n

CVE-2019-0875<\/a>: elevation of privilege vulnerability in Boards<\/p>\n

\"\"<\/p>\n

Azure DevOps Server 2019 Patch 1<\/h3>\n

If you have Azure DevOps Server 2019, you should install Azure DevOps Server 2019 Patch 1<\/a>.<\/p>\n

Verifying Installation<\/strong><\/p>\n

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\\Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll. Azure DevOps Server 2019 is installed to c:\\Program Files\\Azure DevOps Server 2019 by default.<\/p>\n

After installing Azure DevOps Server 2019 Patch 1, the version will be 17.143.28804.3.<\/p>\n

TFS 2018 Update 3.2 Patch 3<\/h3>\n

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2<\/a>. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 3<\/a>.<\/p>\n

Verifying Installation<\/strong><\/p>\n

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\\Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\\Program Files\\Microsoft Team Foundation Server 2018 by default.<\/p>\n

After installing TFS 2018 Update 3.2 Patch 3, the version will be 16.131.28728.4.<\/p>\n

TFS 2018 Update 1.2 Patch 3<\/h3>\n

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2<\/a>. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 3<\/a>.<\/p>\n

Verifying Installation<\/strong><\/p>\n

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\\Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\\Program Files\\Microsoft Team Foundation Server 2018 by default.<\/p>\n

After installing TFS 2018 Update 1.2 Patch 3, the version will be 16.122.28801.2.<\/p>\n

TFS 2017 Update 3.1 Patch 4<\/h3>\n

If you have TFS 2017, you should first update to TFS 2017 Update 3.1<\/a>. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 4<\/a>.<\/p>\n

Verifying Installation<\/strong><\/p>\n

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\\Application Tier\\Web Services\\bin\\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\\Program Files\\Microsoft Team Foundation Server 15.0 by default.<\/p>\n

After installing TFS 2017 Update 3.1 Patch 4, the version will be 15.117.28728.0.<\/p>\n

TFS 2015 Update 4.2<\/h3>\n

If you are on TFS 2015, you should upgrade to TFS 2015 Update 4.2 with the ISO<\/a> or Web Install<\/a>. For TFS 2015 Update 4.2 Express, you can upgrade with the ISO<\/a> or Web Install<\/a>. This is a full upgrade and will require you to run the Upgrade Wizard.<\/p>\n","protected":false},"excerpt":{"rendered":"

For the April security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. These vulnerabilities were found through our Azure DevOps Bounty Program. Thanks to everyone who has been participating in this program. CVE-2019-0857: spoofing vulnerability in the Wiki CVE-2019-0866: remote code execution vulnerability […]<\/p>\n","protected":false},"author":78,"featured_media":55982,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,253],"tags":[],"class_list":["post-56156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-azure-devops-server"],"acf":[],"blog_post_summary":"

For the April security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. These vulnerabilities were found through our Azure DevOps Bounty Program. Thanks to everyone who has been participating in this program. CVE-2019-0857: spoofing vulnerability in the Wiki CVE-2019-0866: remote code execution vulnerability […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/56156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/78"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=56156"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/56156\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/55982"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=56156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=56156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=56156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}