Team Foundation Server 2018 Update 3 Release Notes





In this article, you will find information regarding the newest release for Team Foundation Server 2018.

To learn more about Team Foundation Server 2018, see the Team Foundation Server Requirements and Compatibility page. Visit the visualstudio.com/downloads page to download other TFS 2018 products.

Direct upgrade to Team Foundation Server 2018 Update 3 is supported from TFS 2012 and newer. If your TFS deployment is on TFS 2010 or earlier, you need to perform some interim steps before upgrading to TFS 2018 Update 3. Please see the chart below and the TFS Install page for more information.

TFS Upgrade Matrix

Important

You do not need to upgrade to TFS 2018 RTM before upgrading to TFS 2018 Update 3.


Release Date: November 14, 2023

Team Foundation Server 2018 Update 3.2 Patch 19

We have released a patch for Team Foundation Server 2018 Update 3.2 that includes fixes for the following.

  • Extended the PowerShell tasks allowed list of characters for Enable shell tasks arguments parameter validation.

Note

To implement fixes for this patch you will have to follow a number of steps to manually update tasks.

Install patches

Important

We released updates to the Azure Pipelines agent with Patch 18 released on September 12, 2023. If you didn't install the agent updates as described in the release notes for Patch 18, we recommend that you install these updates before you install Patch 19. The new version of the agent after installing Patch 18 will be 3.225.0.

Configure TFX

  1. Follow the steps in the "upload tasks to project collection" documentation to install tfx-cli and log in with it.

Update tasks using TFX

File: Tasks20231103.zip
SHA-256 Hash: 389BA66EEBC32622FB83402E21373CE20AE040F70461B9F9AF9EFCED5034D2E5

  1. Download and extract Tasks20231103.zip.
  2. Change directory into the extracted files.
  3. Execute the following commands to upload the tasks:
tfx build tasks upload --task-zip-path AzureFileCopyV1.1.230.0.zip
tfx build tasks upload --task-zip-path AzureFileCopyV2.2.230.0.zip 
tfx build tasks upload --task-zip-path AzureFileCopyV3.3.230.0.zip 
tfx build tasks upload --task-zip-path AzureFileCopyV4.4.230.0.zip 
tfx build tasks upload --task-zip-path AzureFileCopyV5.5.230.0.zip 
tfx build tasks upload --task-zip-path BashV3.3.226.2.zip 
tfx build tasks upload --task-zip-path BatchScriptV1.1.226.0.zip 
tfx build tasks upload --task-zip-path PowerShellV2.2.230.0.zip 
tfx build tasks upload --task-zip-path SSHV0.0.226.1.zip 
tfx build tasks upload --task-zip-path WindowsMachineFileCopyV1.1.230.0.zip 
tfx build tasks upload --task-zip-path WindowsMachineFileCopyV2.2.230.0.zip 
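
As an added example (not part of the original release notes), the PowerShell script below checks the downloaded archive against the SHA-256 hash published for Tasks20231103.zip before extracting it, then uploads each task package listed above. The download path and extraction folder are assumptions, and the script expects that tfx login has already been run.

```powershell
# Added example: verify Tasks20231103.zip against the published SHA-256
# hash, then upload every task package from the Patch 19 list.
# Requires a prior "tfx login" against the target collection.
param(
    # Assumption: where the archive was downloaded to.
    [string]$ZipPath = "$env:USERPROFILE\Downloads\Tasks20231103.zip",
    # Assumption: scratch folder for the extracted task packages.
    [string]$ExtractTo = "$env:TEMP\Tasks20231103"
)

$ErrorActionPreference = 'Stop'

# Hash as published in the Patch 19 release notes.
$expected = '389BA66EEBC32622FB83402E21373CE20AE040F70461B9F9AF9EFCED5034D2E5'
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    throw "SHA-256 mismatch for $ZipPath (got $actual). Nothing was extracted or uploaded."
}

Expand-Archive -LiteralPath $ZipPath -DestinationPath $ExtractTo -Force

# Task packages named in the release notes.
$tasks = @(
    'AzureFileCopyV1.1.230.0.zip', 'AzureFileCopyV2.2.230.0.zip',
    'AzureFileCopyV3.3.230.0.zip', 'AzureFileCopyV4.4.230.0.zip',
    'AzureFileCopyV5.5.230.0.zip', 'BashV3.3.226.2.zip',
    'BatchScriptV1.1.226.0.zip', 'PowerShellV2.2.230.0.zip',
    'SSHV0.0.226.1.zip', 'WindowsMachineFileCopyV1.1.230.0.zip',
    'WindowsMachineFileCopyV2.2.230.0.zip'
)

# Resolve every package first so an incomplete archive fails before any upload.
# The search is recursive because the archive may extract into a subfolder.
$paths = foreach ($name in $tasks) {
    $hit = Get-ChildItem -LiteralPath $ExtractTo -Recurse -File -Filter $name |
        Select-Object -First 1
    if (-not $hit) { throw "Task package $name not found under $ExtractTo." }
    $hit.FullName
}

foreach ($path in $paths) {
    tfx build tasks upload --task-zip-path $path
    if ($LASTEXITCODE -ne 0) {
        throw "tfx upload failed for $path (exit code $LASTEXITCODE)."
    }
}
```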

Pipeline Requirements

To use the new behavior, a variable AZP_75787_ENABLE_NEW_LOGIC = true must be set in pipelines that use the affected tasks.

  • On classic:

    Define the variable in the variable tab in the pipeline.

  • YAML example:

variables: 
- name: AZP_75787_ENABLE_NEW_LOGIC 
  value: true 

Release Date: September 12, 2023

Team Foundation Server 2018 Update 3.2 Patch 18

We have released a patch for Team Foundation Server 2018.3.2 that fixes the following.

  • CVE-2023-33136: Azure DevOps Server Remote Code Execution Vulnerability.

Important

Please deploy the patch to a test environment and ensure that the environment’s pipelines work as expected before applying the fix to production.

Note

To implement fixes for this patch you will have to follow several steps to manually update the agent and tasks.

Update the Azure Pipelines agent

  1. Download the agent from: https://github.com/microsoft/azure-pipelines-agent/releases/tag/v3.225.0 - Agent_20230825.zip
  2. Use the steps outlined in the self-hosted Windows agents documentation to deploy the agent.  

Note

The AZP_AGENT_DOWNGRADE_DISABLED environment variable must be set to "true" to prevent the agent from being downgraded. On Windows, the following command can be used in an administrative command prompt, followed by a reboot.

setx AZP_AGENT_DOWNGRADE_DISABLED true /M

Configure TFX

  1. Follow the steps in the "upload tasks to project collection" documentation to install tfx-cli and log in with it.

Update tasks using TFX

  1. Download and extract Tasks_20230825.zip.
  2. Change directory into the extracted files.
  3. Execute the following commands to upload the tasks:
tfx build tasks upload --task-zip-path AzureFileCopyV2.2.226.2.zip 
tfx build tasks upload --task-zip-path AzureFileCopyV3.3.226.2.zip 
tfx build tasks upload --task-zip-path AzureFileCopyV4.4.226.2.zip 
tfx build tasks upload --task-zip-path AzureFileCopyV5.5.226.2.zip 
tfx build tasks upload --task-zip-path BashV3.3.226.2.zip 
tfx build tasks upload --task-zip-path BatchScriptV1.1.226.0.zip 
tfx build tasks upload --task-zip-path PowerShellV2.2.226.1.zip 
tfx build tasks upload --task-zip-path SSHV0.0.226.1.zip 
tfx build tasks upload --task-zip-path WindowsMachineFileCopyV1.1.226.2.zip 
tfx build tasks upload --task-zip-path WindowsMachineFileCopyV2.2.226.2.zip 

Pipeline Requirements

To use the new behavior, a variable AZP_75787_ENABLE_NEW_LOGIC = true must be set in pipelines that use the affected tasks.

  • On classic:

    Define the variable in the variable tab in the pipeline.

  • YAML example:

variables: 
- name: AZP_75787_ENABLE_NEW_LOGIC 
  value: true 

Release Date: May 17, 2022

Team Foundation Server 2018 Update 3.2 Patch 17

We have released a patch for Team Foundation Server 2018.3.2 that fixes the following.

  • Revoke all personal access tokens after a user’s Active Directory account is disabled.

Release Date: January 26, 2022

Team Foundation Server 2018 Update 3.2 Patch 16

We have released a patch for Team Foundation Server 2018.3.2 that fixes the following.

  • Preferred email address was not getting updated in user profile. This resulted in emails being sent to the previous email address.
  • Addressed Elasticsearch vulnerability by removing the jndilookup class from log4j binaries.

Installation steps

  1. Upgrade the server with Patch 16.
  2. Check the registry value at HKLM:\Software\Elasticsearch\Version. If the registry value is not there, add a string value and set the Version to 5.4.1 (Name = Version, Value = 5.4.1).
  3. Run the update command as provided in the readme file:

PS C:\Program Files\{TFS Version Folder}\Search\zip> .\Configure-TFSSearch.ps1 -Operation update

     It may return a warning like: Unable to connect to the remote server. Don't close the window, as the update is performing retries until it is completed.

Note

If Azure DevOps Server and Elasticsearch are installed on different machines, follow the steps outlined below.

  1. Upgrade the server with Patch 16.
  2. Check the registry value at HKLM:\Software\Elasticsearch\Version. If the registry value is not there, add a string value and set the Version to 5.4.1 (Name = Version, Value = 5.4.1).
  3. Copy the content of the folder named zip, located at C:\Program Files\{TFS Version Folder}\Search\zip, to the Elasticsearch remote file folder.
  4. Run Configure-TFSSearch.ps1 -Operation update on the Elasticsearch server machine.

SHA-256 Hash: 37FB374CD05FC6C5A0552E0CD5296D5555755D58068BF6F4CF1F3DBE393853F1
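
As an added example (not part of the original release notes), the PowerShell script below can be run on the Elasticsearch machine after the Patch 16 steps to confirm the registry value from step 2 and to check that no log4j-core jar still contains the JndiLookup class. The ElasticsearchRoot parameter is an assumption (the page does not give the install path), and the registry path is read as key HKLM:\Software\Elasticsearch with a string value named Version.

```powershell
# Added example: post-Patch 16 verification on the Elasticsearch machine.
param(
    # Assumption: root folder of the Elasticsearch install used by TFS Search.
    [Parameter(Mandatory)] [string]$ElasticsearchRoot
)

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Step 2: the Version string value should exist (interpreted as a value
# named Version under the key HKLM:\Software\Elasticsearch).
$key = 'HKLM:\Software\Elasticsearch'
$version = (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
if (-not $version) {
    Write-Warning "Registry value Version is missing under $key; the release notes say to add it as a string set to 5.4.1."
} else {
    Write-Output "Registry Version = $version"
}

# Entry name of the JndiLookup class inside a log4j-core jar.
$jndi = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'

$jars = @(Get-ChildItem -LiteralPath $ElasticsearchRoot -Recurse -File -Filter 'log4j-core*.jar')
if ($jars.Count -eq 0) {
    Write-Warning "No log4j-core jar found under $ElasticsearchRoot; check the path."
}

# A jar is a zip archive, so list its entries read-only and look for the class.
$results = foreach ($jar in $jars) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
    try {
        $present = [bool]($zip.Entries | Where-Object { $_.FullName -eq $jndi })
    } finally {
        $zip.Dispose()
    }
    [pscustomobject]@{ Jar = $jar.FullName; JndiLookupPresent = $present }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.JndiLookupPresent }) {
    throw 'JndiLookup.class is still present in at least one log4j-core jar; the Patch 16 search update has not taken effect there.'
}
```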

Release Date: April 13, 2021

Team Foundation Server 2018 Update 3.2 Patch 15

We have released a patch for Team Foundation Server 2018.3.2 that fixes the following.

To implement fixes for this patch you will have to install the AzureResourceGroupDeployment task.

AzureResourceGroupDeployment task installation

Note

All the steps mentioned below need to be performed on a Windows machine.

Install

  1. Extract the AzureResourceGroupDeployment.zip package to a new folder on your computer. For example: D:\tasks\AzureResourceGroupDeployment.

  2. Download and install Node.js 14.15.1 and npm (included with the Node.js download) according to your machine.

  3. Open a command prompt in administrator mode and run the following command to install tfx-cli.

npm install -g tfx-cli
  4. Create a personal access token with Full access privileges and copy it. This personal access token will be used when running the tfx login command.

  5. Run the following from the command prompt. When prompted, enter the Service URL and Personal access token.

~$ tfx login
Copyright Microsoft Corporation

> Service URL: {url}
> Personal access token: xxxxxxxxxxxx
Logged in successfully

  6. Run the following command to upload the task on the server. Use the path of the extracted .zip file from step 1.

~$ tfx build tasks upload --task-path <Path of the extracted package>

Release Date: December 8, 2020

Team Foundation Server 2018 Update 3.2 Patch 14

We have released a security patch for TFS 2018 Update 3.2 to fix the following vulnerability.

  • CVE-2020-17145: Azure DevOps Server and Team Foundation Services Spoofing Vulnerability

Please see the blog post for more information.

Release Date: October 13, 2020

Team Foundation Server 2018 Update 3.2 Patch 13

We have released a security patch for TFS 2018 Update 3.2 to remove SHA1 from the 2018 server implementation. Please see the blog post for more information.

Release Date: September 10, 2019

Team Foundation Server 2018 Update 3.2 Patch 7

We have released a security patch for TFS 2018 Update 3.2 that fixes the following bugs. Please see the blog post for more information.


Release Date: August 13, 2019

Team Foundation Server 2018 Update 3.2 Patch 6

We have released a patch for TFS 2018 Update 3.2 that fixes the following bug. Please see the blog post for more information.

  • The Work Item Tracking Warehouse Sync stops syncing with an error: "TF221122: An error occurred running job Work Item Tracking Warehouse Sync for team project collection or Team Foundation server ATE. ---> System.Data.SqlClient.SqlException: Cannot create compensating record. Missing historic data."

Release Date: July 9, 2019

Team Foundation Server 2018 Update 3.2 Patch 5

We have released a security patch for TFS 2018 Update 3.2 that fixes the following bugs. Please see the blog post for more information.

  • CVE-2019-1072: Remote code execution vulnerability in work item tracking
  • CVE-2019-1076: Cross site scripting (XSS) vulnerability in pull requests

Release Date: May 14, 2019

Team Foundation Server 2018 Update 3.2 Patch 4

We have released a security patch for TFS 2018 Update 3.2 that fixes the following bugs. Please see the blog post for more information.

  • CVE-2019-0872: Cross site scripting (XSS) vulnerability in the Test Plans
  • CVE-2019-0971: Information disclosure vulnerability in the Repos API
  • CVE-2019-0979: Cross site scripting (XSS) vulnerability in the User hub

Release Date: April 9, 2019

Team Foundation Server 2018 Update 3.2 Patch 3

We have released a security patch for TFS 2018 Update 3.2 that fixes the following bugs. Please see the blog post for more information.

  • CVE-2019-0866: Remote code execution vulnerability in Pipelines
  • CVE-2019-0867: Cross site scripting (XSS) vulnerability in Pipelines
  • CVE-2019-0868: Cross site scripting (XSS) vulnerability in Pipelines
  • CVE-2019-0870: Cross site scripting (XSS) vulnerability in Pipelines
  • CVE-2019-0871: Cross site scripting (XSS) vulnerability in Pipelines

Release Date: March 12, 2019

Team Foundation Server 2018 Update 3.2 Patch 2

We have released a security patch for TFS 2018 Update 3.2 that fixes the following bug. Please see the blog post for more information.

  • CVE-2019-0777: Cross site scripting (XSS) vulnerability in Pipelines

Release Date: February 12, 2019

Team Foundation Server 2018 Update 3.2 Patch 1

We have released a security patch for TFS 2018 Update 3.2 that fixes the following bugs. Please see the blog post for more information.

  • CVE-2019-0742: Cross site scripting (XSS) vulnerability in work items
  • CVE-2019-0743: Cross site scripting (XSS) vulnerability in pull requests

Release Date: February 5, 2019

Team Foundation Server 2018 Update 3.2

We have updated Team Foundation Server 2018 Update 3.2 with a new build to fix an issue where customers may see errors doing a variety of Team Foundation Version Control (TFVC) operations such as: tracking changesets, checking history or any branch related operations. For more information, see the blog post.


Release Date: January 14, 2019

Team Foundation Server 2018 Update 3.2

Note

The TFS Database Import Service currently doesn't support TFS 2018 Update 3.2. We're working on adding support, but that can take up to two weeks. You can see our list of currently supported versions for import here.

This release includes fixes for the following bugs. Please see the blog post for more information.

It also includes performance improvements for Team Foundation Version Control.


Release Date: November 5, 2018

Team Foundation Server 2018 Update 3.1

This release includes a fix for a cross site scripting (XSS) vulnerability. We recommend upgrading to TFS 2018 Update 3.1. If TFS 2018 Update 3 is already installed, this patch includes the security fix.


Release Date: September 12, 2018

Summary of What's New in TFS 2018 Update 3

Team Foundation Server 2018 Update 3 includes bug fixes for Team Foundation Server 2018. It includes fixes in the following areas:


Details of the bugs fixed in TFS 2018 Update 3

Code

  • "There is a problem on the server" error appears in Visual Studio when doing a code review.
  • Large TFVC repos take a long time for search indexing. Users can now exclude folders from indexing to speed it up.
  • Code search may be slow on collections with a high number of files.
  • When code search jobs fail, job yield data is deleted, which causes the next jobs to restart indexing.
  • Code search considers the underscore as a special character when it shouldn't.
  • A security patch for Git clients was released since TFS 2018 Update 2. To protect unpatched Git clients, we made a change in TFS 2018 Update 3 to reject pushes that exploit the vulnerability. For more information, see Remediating the May 2018 Git Security Vulnerability.

Work

  • The + icon is missing on the backlog page.
  • The Name and DisplayName properties are not set in all legacy work items APIs.
  • The attachments REST API does not support a FileID parameter to set the attachment URL.
  • Work item resources and attachment resources sometimes returned project-scoped URLs, which were breaking backwards compatibility.

Build and Release

  • Builds are not getting deleted based on the build retention policy.
  • Deleting a build does not delete the drop location or symbols.
  • A build will not queue if the build number format string results in an invalid build number.
  • Build task versions get automatically updated when upgrading TFS.
  • Performance issues in XAML builds with many build definitions.
  • Build definitions migrated from TFS 2017 get a "definition.Repository.Mappings.Mapping.LocalPath" error.
  • The link to Jira items from the Release Summary or Deploy Environment pop up does not work.
  • A pending approval notification for a deployment is not delivered when TFS is installed in German locale.
  • Task groups variable detection has started recognizing Build.BinariesDirectory as a system variable.
  • "Cannot insert duplicate key row in object 'Release.tbl_TagString' with unique index 'PK_tbl_TagString'" error when adding a tag to a release.
  • Deployments get cancelled if gates evaluation exceeds six hours.
  • "TF400898 An internal error occurred. ActivityId" error occurs when adding or editing artifacts in release definitions.
  • Release variables like Release.Reason can be used in custom phase conditions.
  • "Lock Hierarchy violation" error occurs when deleting deployment pools.
  • A release job fails when a path variable has square brackets.
  • Azure Virtual Machine Scale Sets are not updated when the deployment script is updated.
  • A release definition does not save when a user with edit release definition permissions, but no release approver permissions, tries to edit the definition.
  • The Azure App Service Deploy task version 3 is now available.

Test

  • The error, "Expecting end of string. The error is caused by <<->>" occurs when loading test suites.
  • "Argument out of range" error occurs when clicking on the New Test Case button.
  • The Release Path of a bug is incorrectly changed after linking it to a Test Result.
  • The Test Run is In Progress even though the test is marked as pass or fail.
  • When invoking the Update Test Result API and passing the same test result multiple times, a primary key violation exception is raised from SQL.
  • Exporting a test case with shared steps to email may fail due to email size limits.
  • The Title column pastes incorrectly from Excel when using Add New Tests with the grid.
  • In the Test Plan grid view, the shared step names are not escaped correctly, such as with the '<' character.

Reporting

  • TFSConfig addProjectReports does not add reports if the folder already exists.

Administration

  • When TFS databases are hosted on a non-enterprise edition of SQL Server 2016 SP1 or above, page compression is not enabled on several tables during upgrade from TFS 2012 or 2013, which has a negative impact on upgrade and runtime performance.
  • "Update PR Merge service hook subscriptions" error occurs when upgrading to TFS 2018.
  • The Configure-GvfsCacheServer.psm1 file is being copied during TFS Proxy installs, even though the file cannot be used to configure the proxy.
  • "TF400856: The following service is not registered in the database" error occurs when running TFSConfig OfflineDetach.
  • Indexes are automatically enabled in the node configuration of Elastic Search.
  • Re-indexing is not triggered when Elastic Search is newly configured and has stale data.
  • In case of high-volume job failures, the search indexer pipeline does not throttle itself and has potential high resource usage.
  • The Elastic Search service installation fails if the ES_JAVA_OPTS environment variable is set.
  • When a collection is deleted, collection-level search records are not deleted.
  • The process template editor displays errors such as "Requested value 'MANAGE_TEST_SUITES' was not found".
  • The process template editor incorrectly shows the collection name in some identities while editing a workflow.
  • When setting up a service hook on a code branch, the branch is set back to [Any] after saving.
  • There are mail delivery errors due to a small timeout value.
  • CVE-2018-8529: Basic authorization is now enabled on the communication between the TFS and Search services to make it more secure. Any user installing or upgrading to Update 3 will need to provide a user name / password while configuring Search (and also during Search Service setup in case of remote Search Service).
  • "The user does not have a license for the extension" error occurs when purchasing or assigning licenses to extensions.

Feedback & Suggestions

We would love to hear from you! You can report a problem and track it through Developer Community and get advice on Stack Overflow.

