Important Team System Web Access update (updated)

re: Important Team System Web Access update

Per — Mon, 02 Feb 2009 23:17:56 GMT

Can't you provide a hotfix package instead or just zip the affected DLL. Uninstalling Web Access in production is too much work for a security update, what happens if you find another one next month.

re: Important Team System Web Access update

Tue, 03 Feb 2009 01:35:21 GMT

Can you refresh me on how we install this MSI can you install it right over the existing or do you have to remove the old first?

re: Important Team System Web Access update

Oskar — Tue, 03 Feb 2009 10:45:47 GMT

Hi, I am also interested in whether this update can be applied in production. Any stories to share on this?

re: Important Team System Web Access update

b.. — Tue, 03 Feb 2009 11:17:45 GMT

Hi, we would also be helped a great deal with a hotfix ! More than 50 people are using it in production here + Management was just convinced to work with TFS and we wouldn't like to ask them already to take the system offline again .. Thank you

re: Important Team System Web Access update

bharry — Tue, 03 Feb 2009 15:25:03 GMT

I understand that uninstalling and installing is onerous. It is, unfortunately one of our limitations for Power Tools. The cost to setup up hotfix servicing for Power Tools is prohibitive. However, Web Access is being incorporated into the shipping product for TFS 2010 and then is will become part of our normal hotfix capability. This is the first time in the 2 years of delivering TSWA as a Power Tool that we had to deliver a security patch this way. While I can't predict the future, I'm hopeful we won't have to do it again.

I will look into the idea of providing a procedure to just replace the affected dll(s). That may be practical.

Thank you,

Brian

re: Important Team System Web Access update

b.. — Wed, 04 Feb 2009 15:48:08 GMT

Ok, thank you,

we would appreciate that !

re: Important Team System Web Access update (updated)

bharry — Wed, 04 Feb 2009 16:28:58 GMT

OK, I have updated the post with instructions on how to perform the update manually. Hopefully this will help some of you manage the update more easily.

Thank you for the feedback,

Brian

Security Update for TSWA 2008 SP1

Visual Studio Team System (VSTS) Blog - by Neno Loje — Wed, 04 Feb 2009 18:33:21 GMT

From Hakan Eskici's blog : A security issue has been identified with Team System Web Access 2008

Security Update for TSWA 2008 SP1

Hakan Eskici — Wed, 04 Feb 2009 21:08:15 GMT

A security issue has been identified with Team System Web Access 2008 SP1 and we have recently published

re: Important Team System Web Access update (updated)

mskenny — Wed, 04 Feb 2009 22:54:13 GMT

Hmmm...your command line didn't work. It installed the files on my C: drive. It looks like I'll have to uninstall/reinstall anyway.

This is what I entered:

msiexec /a TeamSystemWebAccess.msi /qb /TARGETDIR=d:\temp\tfswa

re: Important Team System Web Access update (updated)

Wed, 04 Feb 2009 23:32:03 GMT

The / in front of TargetDir is not needed.

re: Important Team System Web Access update (updated)

prulifson — Thu, 05 Feb 2009 11:02:11 GMT

I had the update installed and the downtime was only a few minutes.

I understand the update requests, but it went so smoothly that it was not problem for us.

It was simple, it worked and I'm done. cool.

re: Important Team System Web Access update (updated)

bharry — Thu, 05 Feb 2009 16:25:59 GMT

That's very good to hear, thank you.

Brian

re: Important Team System Web Access update (updated)

Per — Sat, 07 Feb 2009 11:29:12 GMT

Thank you Brian for providing a manual way of patching! The TFS team has always been extremely responsive when it comes to customer feedback, I really appreciate your work.

re: Important Team System Web Access update (updated)

bharry — Sat, 07 Feb 2009 19:40:36 GMT

Happy to help :)

Brian

VSTS Links - 02/10/2009

Team System News — Tue, 10 Feb 2009 16:19:19 GMT

New Site: Team System Live! Brian Harry on Important Team System Web Access update Willy-Peter Schaub

manual deployment concerns

steve baker — Wed, 11 Feb 2009 01:10:27 GMT

Brian,

a diff of the original site vs an extracted copy of the patched one reveals that although the code changes made to resolve the vulnerability are small and isolated to the three dll's mentioned there are other significant changes that would deploy with an uninstall-reinstall.

it appears that changes were made in web.config to integrate newer ajax functionality and ReportViewer. EditWorkItem.js has also been modified with what appears to be a significant change. the .docx mimetype mapping has been removed from MimeMap.xml.

should any of these additional changes be deployed?

TIA

manual deployment concerns (update)

steve baker — Wed, 11 Feb 2009 02:26:05 GMT

i just upgraded our tswa manually and tested to make sure the vulnerability was fixed. it was.

however the EditWorkItem.js changes DID need to be copied over as well or a newly uploaded work item attachment (before you click the "Save" option for the work item) would not open, but would instead result in the following error:

"Invalid URI: The format of the URI could not be determined."

the javascript updates were made to resolve that issue.

manual deployment concerns (update)

steve baker — Wed, 11 Feb 2009 03:24:31 GMT

after testing the Web application and making sure everything worked OK i then tested the Wiwa side of things and found that the same manual deployment has broken the site.

Trying to download an attachment from a work item through wiwa now errors with "You are not authorized to access this page. Please contact your project administrator"

The url requested for the attachment is the same with or without the patch. i can only guess, but would it have something to do with our configuration and the new impersonation code in DownloadAttachment::GetFile:

Using WindowsIdentity.Impersonate(CommonUtility.ObtainProcessToken)

tswa is installed on an application tier "mostly" configured to use FQDN's. we found we had to enable delegation in order for the site to authenticate correctly even though it is on the app tier.

TIA

re: Important Team System Web Access update (updated)

bharry — Wed, 11 Feb 2009 22:55:03 GMT

Checking on it, thank you.

Brian

re: Important Team System Web Access update (updated)

Hakan Eskici — Fri, 13 Feb 2009 22:19:40 GMT

Steve,

RE: WIWA cannot download attachments

We've looked into this and it's a bug in the current release, however there's a quick workarorund you can apply. See my blog post for details:

http://blogs.msdn.com/hakane/archive/2009/02/13/fix-wiwa-cannot-download-attachments.aspx

Thanks,

-Hakan

re: Important Team System Web Access update (updated)

oberdan — Wed, 18 Mar 2009 01:26:55 GMT

Hi Brian, after I installed the SP1 version of TSWA, I'm not able to access the document tab anymore..

I'm getting the following error message:

"The permissions granted to user <user name> are insufficient to perform this operation.

Have you seen this before?

Best regards

Oberdan

re: Important Team System Web Access update (updated)

Greg — Thu, 26 Mar 2009 01:16:24 GMT

Does TFSWA SP1 require VSTS/TFS 2008 SP1 to be installed?

re: Important Team System Web Access update (updated)

buckh — Thu, 26 Mar 2009 03:35:27 GMT

No, it works with 2005, and it works without SP1 for 2008 installed. However, you must install Team Explorer 2008 in order to install TSWA 2008 or TSWA 2008 SP1.

Buck