Everything you want to know about Visual Studio ALM and Farming
Brian Harry is a Microsoft Technical Fellow working as the Product Unit Manager for Team Foundation Server. Learn more about Brian.
More videos »
Within the last couple of weeks, we released an important update to the Team System Web Access 2008 SP1 Power Tool. The update includes only one change and it fixes a significant security issue that we discovered. I'm not going to describe it in detail, for obvious reasons, however, I encourage anyone who had previously installed TSWA 2008 SP1 to uninstall it and install the updated version. The link is here:
· http://go.microsoft.com/fwlink/?LinkID=136577
If you go to "Help -> About" in TSWA you can tell whether or not you have the correct version. Build 9.0.3275 is the latest "patched" version. Anything before that is unpatched. Specifically, 9.0.3160 was the original TSWA SP1 release build number.
*** UPDATE ***
Clearly some of the feedback in this post indicates that the uninstall/reinstall approach is problematic for people. First, I'll point out that the install is only about 5 minutes but none-the-less, I understand. As I said in the comments, we really can't do hot-fix style servicing of PowerTools because the cost to do that is too high. However, this fix, in particular is a pretty contained change and one approach is for you to manually update the affected files. To do this you can install the update on another machine and get them from there or you can use:
msiexec /a TeamSystemWebAccess.msi /qb TARGETDIR=c:\temp\tswa
to extract all of the files from the MSI (obviously replace the TARGETDIR value with whatever you prefer to use).
The files you need to update are:
The updated files need to be placed in both:
The following script also needs to be updated:
in both:
We appologize for the inconvenience.
Brian
Can't you provide a hotfix package instead or just zip the affected DLL. Uninstalling Web Access in production is too much work for a security update, what happens if you find another one next month.
Can you refresh me on how we install this MSI can you install it right over the existing or do you have to remove the old first?
Hi, I am also interested in whether this update can be applied in production. Any stories to share on this?
Hi, we would also be helped a great deal with a hotfix ! More than 50 people are using it in production here + Management was just convinced to work with TFS and we wouldn't like to ask them already to take the system offline again .. Thank you
I understand that uninstalling and installing is onerous. It is, unfortunately one of our limitations for Power Tools. The cost to setup up hotfix servicing for Power Tools is prohibitive. However, Web Access is being incorporated into the shipping product for TFS 2010 and then is will become part of our normal hotfix capability. This is the first time in the 2 years of delivering TSWA as a Power Tool that we had to deliver a security patch this way. While I can't predict the future, I'm hopeful we won't have to do it again.
I will look into the idea of providing a procedure to just replace the affected dll(s). That may be practical.
Thank you,
Ok, thank you,
we would appreciate that !
OK, I have updated the post with instructions on how to perform the update manually. Hopefully this will help some of you manage the update more easily.
Thank you for the feedback,
From Hakan Eskici's blog : A security issue has been identified with Team System Web Access 2008
A security issue has been identified with Team System Web Access 2008 SP1 and we have recently published
Hmmm...your command line didn't work. It installed the files on my C: drive. It looks like I'll have to uninstall/reinstall anyway.
This is what I entered:
msiexec /a TeamSystemWebAccess.msi /qb /TARGETDIR=d:\temp\tfswa
The / in front of TargetDir is not needed.
I had the update installed and the downtime was only a few minutes.
I understand the update requests, but it went so smoothly that it was not problem for us.
It was simple, it worked and I'm done. cool.
That's very good to hear, thank you.
Thank you Brian for providing a manual way of patching! The TFS team has always been extremely responsive when it comes to customer feedback, I really appreciate your work.
Happy to help :)