UPDATE 13/March 21:48 – Microsoft is now updating the info. It’s the March 2019 update to address a security vulnerability (CVE-2019-0798). Specific details here:
Microsoft Lync Server/Skype for Business spoofing cross site scripting
Better start planning to roll out the March/2019 CU9 then! (And Lync 2013 Server, if you still use it.)
I download all the cumulative updates as soon as they are released. I like to keep a history and peek at the changes. Today I needed to get the January/2019 CU8, but my repository was unavailable. So I went to the official CU download site, where I noticed that the published date was yesterday, yet it was pointing to KB3061064 (?!). When I got access to my repository back, I noticed that this file also has a different version:
Now I have two January/2019 CUs with different versions (6.0.9319.537 and 6.0.9319.544) and different file sizes.
Time to dig and spot the differences: there are two msp files that changed:
Two noticeable changes:
– Non-US dll language files: they were compiled on different dates, but still have the same version number
– The Tracing files (used by the CLS/OcsLogger tracing tool). These have some significant changes:
The files in both packages have the same size, but a ‘look inside’ reveals one particular difference: the ‘Lync.Client.Common.Consolidated.js’ is different.
A closer look reveals 5 changed lines of code (one seems to be an additional protection).
So… since MS hasn’t updated any documentation so far:
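The comparison described above, where files of equal size and version still differ, can be repeated by hashing both extracted packages. This is an added example, not the author's tooling: it assumes the two packages are already extracted to directories, and the file contents and every file name except Lync.Client.Common.Consolidated.js are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


def index_tree(root):
    """Map relative path -> (size, sha256) for every file under root."""
    index = {}
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        h = hashlib.sha256()
        with p.open("rb") as fh:  # hash in chunks; packages can be large
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        index[p.relative_to(root).as_posix()] = (p.stat().st_size, h.hexdigest())
    return index


def compare_packages(old_root, new_root):
    """Classify differences between two extracted update packages."""
    old, new = index_tree(old_root), index_tree(new_root)
    report = {"added": [], "removed": [], "resized": [], "same_size_changed": []}
    for rel in sorted(old.keys() | new.keys()):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel][1] != new[rel][1]:
            # Same size, different hash: the case a size or version check misses.
            same = old[rel][0] == new[rel][0]
            report["same_size_changed" if same else "resized"].append(rel)
    return report


def demo():
    """Compare two constructed sample trees (not real CU contents)."""
    js = "web/Lync.Client.Common.Consolidated.js"
    samples = {
        "old": {js: b"line-one;\n", "lang/res.dll": b"build-A", "tracing/t.xml": b"<t/>"},
        "new": {js: b"line-two;\n", "lang/res.dll": b"build-B", "tracing/t.xml": b"<t lvl='1'/>"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for side, files in samples.items():
            for rel, data in files.items():
                target = Path(tmp, side, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return compare_packages(Path(tmp, "old"), Path(tmp, "new"))


if __name__ == "__main__":
    print(demo())
```

Entries under `same_size_changed` are the ones worth opening in a text or binary diff, since neither the file size nor the version number shows that they changed.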
- Is this CU8 republished?
If so, MS will now have customers with different files for the same CU
- Is this a CU9 (or a Cumulative Security update -SU-)?
It could be, since the date matches the usual release cycle.
Running the cumulative update installer on a Front End server with the January 2019 CU8 confirms the patch changes to the identified components:
That document mentions a ‘March 2019 security update’:
The March 2019 security update contains a security fix for the spoofing vulnerability that is described in the following security advisory:
My official guess now is that this is an SU9 and MS just decided to update this ‘silently’.
But some IT engineers might believe that they are downloading and installing CU8 today.