
Important Team System Web Access update (updated)

Within the last couple of weeks, we released an important update to the Team System Web Access 2008 SP1 Power Tool.  The update includes only one change, and it fixes a significant security issue that we discovered.  I'm not going to describe it in detail, for obvious reasons; however, I encourage anyone who had previously installed TSWA 2008 SP1 to uninstall it and install the updated version.  The link is here:

  • http://go.microsoft.com/fwlink/?LinkID=136577

If you go to "Help -> About" in TSWA you can tell whether or not you have the correct version.  Build 9.0.3275 is the latest "patched" version.  Anything before that is unpatched.  Specifically, 9.0.3160 was the original TSWA SP1 release build number.

*** UPDATE ***

Clearly some of the feedback on this post indicates that the uninstall/reinstall approach is problematic for people.  First, I'll point out that the install takes only about 5 minutes, but nonetheless, I understand.  As I said in the comments, we really can't do hot-fix style servicing of Power Tools because the cost to do that is too high.  However, this fix in particular is a pretty contained change, and one approach is for you to manually update the affected files.  To do this, you can install the update on another machine and get the files from there, or you can use:

msiexec /a TeamSystemWebAccess.msi /qb TARGETDIR=c:\temp\tswa

to extract all of the files from the MSI (obviously replace the TARGETDIR value with whatever you prefer to use).

The files you need to update are:

  • Microsoft.TeamFoundation.WebAccess.dll
  • Microsoft.TeamFoundation.WebAccess.Server.dll
  • Microsoft.TeamFoundation.WebAccess.WorkItemTracking.dll

The updated files need to be placed in both:

  •  %Program Files%\Microsoft Visual Studio 2008 Team System Web Access\Web\bin
  •  %Program Files%\Microsoft Visual Studio 2008 Team System Web Access\WIWA\bin

The following script also needs to be updated: 

  • EditWorkItem.js

in both:

  • %Program Files%\Microsoft Visual Studio 2008 Team System Web Access\Web\Resources\Scripts
  • %Program Files%\Microsoft Visual Studio 2008 Team System Web Access\WIWA\Resources\Scripts

We apologize for the inconvenience.

Brian 

 

Published Monday, February 02, 2009 9:21 AM by bharry
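
The manual update described in the post, as an added example that is not part of the original post or a Microsoft script: it backs up each affected file, copies the patched copy from the extracted MSI image into both the Web and WIWA sites, and confirms the result by SHA-256. The parameter names, the backup folder and the assumption that the extracted image contains each file under its original name are assumptions; Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: manual TSWA patch with backup and hash verification.
# Assumptions (not from the post): parameter names, the backup location, and
# that each patched file exists under $ExtractDir with its original file name.
param(
    [string]$ExtractDir  = 'C:\temp\tswa',   # TARGETDIR passed to msiexec /a
    [string]$InstallRoot = (Join-Path $env:ProgramFiles 'Microsoft Visual Studio 2008 Team System Web Access'),
    [string]$BackupDir   = ('C:\temp\tswa-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
)
$ErrorActionPreference = 'Stop'

# File name -> folder relative to each site root, as listed in the post.
$targets = @{
    'Microsoft.TeamFoundation.WebAccess.dll'                  = 'bin'
    'Microsoft.TeamFoundation.WebAccess.Server.dll'           = 'bin'
    'Microsoft.TeamFoundation.WebAccess.WorkItemTracking.dll' = 'bin'
    'EditWorkItem.js'                                         = 'Resources\Scripts'
}

foreach ($name in $targets.Keys) {
    # Every copy of this file inside the administrative-install image.
    $candidates = @(Get-ChildItem -Path $ExtractDir -Recurse -Filter $name)
    if ($candidates.Count -eq 0) { throw "Patched $name not found under $ExtractDir" }

    foreach ($site in 'Web', 'WIWA') {
        $rel = Join-Path $site $targets[$name]
        $dst = Join-Path (Join-Path $InstallRoot $rel) $name
        if (-not (Test-Path $dst)) { throw "Expected file missing: $dst" }

        # Prefer the copy extracted for this site; otherwise use the first match.
        $src = $candidates | Where-Object { $_.FullName -like "*\$rel\$name" } | Select-Object -First 1
        if (-not $src) { $src = $candidates[0] }

        # Keep the unpatched original so the change can be rolled back.
        $bak = Join-Path $BackupDir $rel
        New-Item -ItemType Directory -Path $bak -Force | Out-Null
        Copy-Item -Path $dst -Destination $bak

        # Replace the file, then confirm the installed copy matches the source.
        Copy-Item -Path $src.FullName -Destination $dst -Force
        $want = (Get-FileHash -Path $src.FullName -Algorithm SHA256).Hash
        $have = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
        $state = if ($want -eq $have) { 'OK' } else { 'MISMATCH' }
        '{0,-8} {1}' -f $state, $dst
    }
}
```

Run it from an elevated prompt on the TSWA server. The comments below report that WIWA attachment downloads needed a separate workaround after this update, so test that path afterwards.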


Comments

# re: Important Team System Web Access update

Can't you provide a hotfix package instead or just zip the affected DLL? Uninstalling Web Access in production is too much work for a security update; what happens if you find another one next month?

Monday, February 02, 2009 3:17 PM by Per

# re: Important Team System Web Access update

Can you refresh me on how we install this MSI? Can you install it right over the existing or do you have to remove the old first?

Monday, February 02, 2009 5:35 PM by B

# re: Important Team System Web Access update

Hi, I am also interested in whether this update can be applied in production. Any stories to share on this?

Tuesday, February 03, 2009 2:45 AM by Oskar

# re: Important Team System Web Access update

Hi, we would also be helped a great deal with a hotfix ! More than 50 people are using it in production here + Management was just convinced to work with TFS and we wouldn't like to ask them already to take the system offline again .. Thank you

Tuesday, February 03, 2009 3:17 AM by b..

# re: Important Team System Web Access update

I understand that uninstalling and installing is onerous.  It is, unfortunately, one of our limitations for Power Tools.  The cost to set up hotfix servicing for Power Tools is prohibitive.  However, Web Access is being incorporated into the shipping product for TFS 2010 and then it will become part of our normal hotfix capability.  This is the first time in the 2 years of delivering TSWA as a Power Tool that we had to deliver a security patch this way.  While I can't predict the future, I'm hopeful we won't have to do it again.

I will look into the idea of providing a procedure to just replace the affected dll(s).  That may be practical.

Thank you,

Brian

Tuesday, February 03, 2009 7:25 AM by bharry

# re: Important Team System Web Access update

Ok, thank you,

we would appreciate that !

Wednesday, February 04, 2009 7:48 AM by b..

# re: Important Team System Web Access update (updated)

OK, I have updated the post with instructions on how to perform the update manually.  Hopefully this will help some of you manage the update more easily.

Thank you for the feedback,

Brian

Wednesday, February 04, 2009 8:28 AM by bharry

# Security Update for TSWA 2008 SP1

From Hakan Eskici's blog : A security issue has been identified with Team System Web Access 2008

Wednesday, February 04, 2009 10:33 AM by Visual Studio Team System (VSTS) Blog - by Neno Loje

# Security Update for TSWA 2008 SP1

A security issue has been identified with Team System Web Access 2008 SP1 and we have recently published

Wednesday, February 04, 2009 1:08 PM by Hakan Eskici

# re: Important Team System Web Access update (updated)

Hmmm...your command line didn't work.  It installed the files on my C: drive.  It looks like I'll have to uninstall/reinstall anyway.

This is what I entered:

msiexec /a TeamSystemWebAccess.msi /qb /TARGETDIR=d:\temp\tfswa

Wednesday, February 04, 2009 2:54 PM by mskenny

# re: Important Team System Web Access update (updated)

The / in front of TargetDir is not needed.

Wednesday, February 04, 2009 3:32 PM by B

# re: Important Team System Web Access update (updated)

I had the update installed and the downtime was only a few minutes.

I understand the update requests, but it went so smoothly that it was not a problem for us.

It was simple, it worked and I'm done. cool.

Thursday, February 05, 2009 3:02 AM by prulifson

# re: Important Team System Web Access update (updated)

That's very good to hear, thank you.

Brian

Thursday, February 05, 2009 8:25 AM by bharry

# re: Important Team System Web Access update (updated)

Thank you Brian for providing a manual way of patching! The TFS team has always been extremely responsive when it comes to customer feedback, I really appreciate your work.

Saturday, February 07, 2009 3:29 AM by Per

# re: Important Team System Web Access update (updated)

Happy to help :)

Brian

Saturday, February 07, 2009 11:40 AM by bharry

# VSTS Links - 02/10/2009

New Site: Team System Live! Brian Harry on Important Team System Web Access update Willy-Peter Schaub

Tuesday, February 10, 2009 8:19 AM by Team System News

# manual deployment concerns

Brian,

a diff of the original site vs an extracted copy of the patched one reveals that although the code changes made to resolve the vulnerability are small and isolated to the three dll's mentioned there are other significant changes that would deploy with an uninstall-reinstall.

it appears that changes were made in web.config to integrate newer ajax functionality and ReportViewer. EditWorkItem.js has also been modified with what appears to be a significant change. the .docx mimetype mapping has been removed from MimeMap.xml.

should any of these additional changes be deployed?

TIA

Tuesday, February 10, 2009 5:10 PM by steve baker

# manual deployment concerns (update)

i just upgraded our tswa manually and tested to make sure the vulnerability was fixed. it was.

however the EditWorkItem.js changes DID need to be copied over as well or a newly uploaded work item attachment (before you click the "Save" option for the work item) would not open, but would instead result in the following error:

"Invalid URI: The format of the URI could not be determined."

the javascript updates were made to resolve that issue.

Tuesday, February 10, 2009 6:26 PM by steve baker

# manual deployment concerns (update)

after testing the Web application and making sure everything worked OK i then tested the Wiwa side of things and found that the same manual deployment has broken the site.

Trying to download an attachment from a work item through wiwa now errors with "You are not authorized to access this page. Please contact your project administrator"

The url requested for the attachment is the same with or without the patch. i can only guess, but would it have something to do with our configuration and the new impersonation code in DownloadAttachment::GetFile:

Using WindowsIdentity.Impersonate(CommonUtility.ObtainProcessToken)

tswa is installed on an application tier "mostly" configured to use FQDN's. we found we had to enable delegation in order for the site to authenticate correctly even though it is on the app tier.

TIA

Tuesday, February 10, 2009 7:24 PM by steve baker

# re: Important Team System Web Access update (updated)

Checking on it, thank you.

Brian

Wednesday, February 11, 2009 2:55 PM by bharry

# re: Important Team System Web Access update (updated)

Steve,

RE: WIWA cannot download attachments

We've looked into this and it's a bug in the current release; however, there's a quick workaround you can apply. See my blog post for details:

http://blogs.msdn.com/hakane/archive/2009/02/13/fix-wiwa-cannot-download-attachments.aspx

Thanks,

-Hakan

Friday, February 13, 2009 2:19 PM by Hakan Eskici

# re: Important Team System Web Access update (updated)

Hi Brian, after I installed the SP1 version of TSWA, I'm not able to access the document tab anymore..

I'm getting the following error message:

"The permissions granted to user <user name> are insufficient to perform this operation.

Have you seen this before?

Best regards

Oberdan

Tuesday, March 17, 2009 6:26 PM by oberdan

# re: Important Team System Web Access update (updated)

Does TFSWA SP1 require VSTS/TFS 2008 SP1 to be installed?

Wednesday, March 25, 2009 6:16 PM by Greg

# re: Important Team System Web Access update (updated)

No, it works with 2005, and it works without SP1 for 2008 installed.  However, you must install Team Explorer 2008 in order to install TSWA 2008 or TSWA 2008 SP1.

Buck

Wednesday, March 25, 2009 8:35 PM by buckh
