February Security Release: Team Foundation Server 2018 Update 3.2 Patch 1 is available

This post has been republished via RSS; it originally appeared at: MSDN Blogs.

We announced the Azure DevOps Bounty Program a few weeks ago. We’re excited that this effort has already helped us on our mission to provide the highest level of security for our customers. Thanks to everyone who is participating in the Bounty program.

We plan to release security updates on the second Tuesday of each month (Patch Tuesday). This will give our customers a predictable and regular cadence that lines up with other security releases from Microsoft. When the updates involve binary changes, our releases will only replace the impacted binaries. If the updates involve database changes, we will release full installations.

TFS 2018 Update 3.2 Patch 1
Today, we released Team Foundation Server 2018 Update 3.2 Patch 1 that fixes two cross site scripting vulnerabilities found through the Bounty program:
- CVE-2019-0742: Cross site scripting (XSS) vulnerability in work items
- CVE-2019-0743: Cross site scripting (XSS) vulnerability in pull requests

TFS 2018 Update 2 and Update 3 are impacted by these vulnerabilities. Azure DevOps Server 2019 RC2 is also impacted and will be fixed in the final release of Azure DevOps Server 2019. We recommend that all customers on TFS 2018 Update 2 or Update 3 upgrade to TFS 2018 Update 3.2 and apply TFS 2018 Update 3.2 Patch 1.

Verifying Installation
To verify that you have this update installed, check the version of the following file:
[TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll

TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 1, the version will be 16.131.28605.6.
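
The check above can be scripted so that it runs the same way on every server. The following PowerShell is an added example, not part of the original post or of any Microsoft tooling; the function name Test-TfsPatchLevel and the status labels are hypothetical, and treating a version higher than 16.131.28605.6 as a later update is an assumption.

```powershell
# Added example: compares the DLL named in this post with the post-patch version.
param(
    # Default install location given in the post; override if TFS lives elsewhere.
    [string]$TfsInstallDir = 'C:\Program Files\Microsoft Team Foundation Server 2018'
)

# Version the post states for the file after TFS 2018 Update 3.2 Patch 1.
$PatchedVersion = [version]'16.131.28605.6'

function Test-TfsPatchLevel {
    param([string]$InstallDir, [version]$Expected)

    $relative = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll'
    $dll = Join-Path $InstallDir $relative

    # A missing file means a wrong install path or a server without the application tier.
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        return [pscustomobject]@{ Path = $dll; FileVersion = $null; Status = 'FileNotFound' }
    }

    # Build the version from its numeric parts; the FileVersion string may carry extra text.
    $vi = (Get-Item -LiteralPath $dll).VersionInfo
    $actual = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    if ($actual -lt $Expected) {
        $status = 'PatchMissing'
    } elseif ($actual -eq $Expected) {
        $status = 'Patch1Installed'
    } else {
        # Assumption: a higher version means a later update replaced the file.
        $status = 'NewerThanPatch1'
    }

    [pscustomobject]@{ Path = $dll; FileVersion = $actual; Status = $status }
}

$result = Test-TfsPatchLevel -InstallDir $TfsInstallDir -Expected $PatchedVersion
$result | Format-List

# Non-zero exit code lets a scheduled task or compliance job flag the server.
if ($result.Status -in 'PatchMissing', 'FileNotFound') { exit 1 }
```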
