SharePoint security fixes released with December 2019 PU and offered through Microsoft Update

We did not release any security updates for SharePoint (2010, 2013, 2016, 2019) or Office Online Server in December.

More information:

21 Comments


    1. Hi Daniel,

      yes it is valid but it is not a security fix.

      Cheers,
      Stefan

      Reply

    1. Hi Travis,
      this articles includes security and non-security updates for Office and SharePoint. As you can see none of the SharePoint fixes is a security fix.
      Cheers,
      Stefan

      Reply

    1. Hi Greg,
      thats correct – the bulletin was released yesterday.
      But if you check the KB articles for the patches you will see that the fixes were all release already in November 2019 PU.
      Cheers,
      Stefan

      Reply

      1. Hi Stefan,
        thanks for clearing up/confirming how this works.
        So if my SP Farm is running CU 2019-11 or higher, I am not affected, and the heise article is incorrect as this is not an “out of the ordinary update” but rather an “out of the ordinary message about an old update”, correct? And https://www.heise.de/security/meldung/Microsoft-patcht-SharePoint-Server-ausser-der-Reihe-4619677.html is technically incorrect?

        Thanks for doing the good work and Merry Christmas 🙂
        Adrian

        Reply

        1. Hi Adrian,
          please have a look at the Description in the “Revisions” section of the CVE:
          “Information published. This CVE has been added to this month’s Security Updates. This is an informational change only. Customers who have successfully installed the applicable updates do not need to take any further action.”
          As you can see no binaries have been published – only an informational change.
          There is already a comment on the heise article from a user which pointed out that the fixes are for November and that this is most likely an issue already fixed a while back.
          Nothing to add here from my side.
          Cheers,
          Stefan

          Reply

  1. Hi Stefan,

    Our security department sent me this new vulnerability that was released Yesterday (12/17/19) https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1491

    Can you confirm the following

    I will need to run the config wizard after I install the patch
    There is no minimum current build that my SharePoint farm (2013 – 15.0.4995.1000) needs to be on before I can install this patch.

    Thanks for your time

    Reply

      1. That is great to know. Now a quick follow up question. If my security department cant wait until this patch is in the January CU and I need to install the Dec 2019 CU and this patch can I install them both and then run the config wizard after or do I have to install them separately and then run the config wizard twice?

        Reply

        1. Hi Dan,
          if you check the KB articles you will notice that these fixes were all released in November PU already. Only the security bulletin was released this week.
          So if you install December CU the November PU fixes are included.
          Second: you can install as many patches as you like and only run the config wizard once at the end.
          Cheers,
          Stefan

          Reply

          1. I really appreciate the help on this. You saved me alot of time….


  2. Hi Stefan, SharePoint Server 2013 is not affected, only SharePoint Foundation 2013, so a SharePoint Server 2013 Farm doesn’t need to be fixed, right?

    Reply

    1. Hi Daniel,
      that’s not correct. SharePoint foundation is an integral part of SharePoint server. All SharePoint foundation security fixes apply also to SharePoint server.
      Cheers,
      Stefan

      Reply

    1. Hi Karthikeyan,
      none. As you can read for yourself in the “Revisions” section of the CVE:
      “…This is an informational change only. Customers who have successfully installed the applicable updates do not need to take any further action…”
      Cheers,
      Stefan

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.