Microsoft Update and Security Advisories Dec. 8 & 10, 2020

Microsoft has published some notes about security updates and revisions on December 8 and again on December 10, 2020. I am posting them here on the blog without comment.



**************************************************************************************
Title: Microsoft Security Update Releases
Issued: December 8, 2020
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2020-1325
* CVE-2020-1596
* CVE-2020-17049
 

Revision Information:
=====================



* CVE-2020-1325

CVE-2020-1325 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
– Version 2.0
– Reason for Revision: Microsoft is announcing the availability of the security update
   for Azure DevOps Server 2019 Update 1.1 to address this vulnerability. Customers
   running Azure DevOps Server 2019 Update 1.1 should install the update to be protected
   from this vulnerability.
– Originally posted: November 10, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important

* CVE-2020-1596

CVE-2020-1596 | TLS Information Disclosure Vulnerability
– Version 3.0
– Reason for Revision: To address a known issue customers running Windows Server 2008
   experienced after installing the September 2020 security updates, Microsoft has
   released the December 2020 Monthly Rollup and Security Only updates for all affected
   versions of Windows Server 2008. Microsoft strongly recommends that customers
   enrolled in the Extended Security Update (ESU) program install the updates to
   correct this known issue.
– Originally posted: September 8, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important

* CVE-2020-17049

CVE-2020-17049 | Kerberos KDC Security Feature Bypass Vulnerability
– Version 3.0
– Reason for Revision: To comprehensively address CVE-2020-17049, Microsoft has
   released the following: December 2020 Security Updates for all affected Windows 10
   servers, Windows Server 2012 R2, and Windows Server 2012; December 2020 Monthly
   Rollup updates and Security Only updates for all affected versions of Windows
   Server 2008 R2 and Windows Server 2008. These updates include fixes for all known
   issues originally introduced by the November 10, 2020 security updates for
   CVE-2020-17049. Microsoft strongly recommends that customers running any of these
   versions of Windows Server install the updates and then follow the steps outlined
   in https://support.microsoft.com/help/4598347 to enable full protection on domain
   controller servers.
– Originally posted: November 10, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important

See also: Microsoft patches new Windows Kerberos vulnerability CVE-2020-16996 with Dec 2020 updates

***************************************************************
Title: Microsoft Security Update Releases
Issued: December 10, 2020
***************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2020-17002
* CVE-2020-17049
* CVE-2020-17160

Revision Information:
=====================

* CVE-2020-17002

CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability
– Version 2.0
– Reason for Revision: In the Security Updates table, added the following:
   azure-c-shared-utility Release LTS_07_2020 and LTS_02_2020; C SDK for Azure
   IoT Release LTS_07_2020 and LTS_02_2020; all supported releases of the following
   protocol submodules: azure-uamqp-c, azure-umqtt-c, azure-uhttp-c, and azure-utpm-c.
   These releases all contain a security fix, addressed by CVE-2020-17002, affecting
   applications using c-utility in conjunction with OpenSSL or WolfSSL.
– Originally posted: December 8, 2020
– Updated: December 10, 2020
– Aggregate CVE Severity Rating: Important

* CVE-2020-17049

CVE-2020-17049 | Kerberos KDC Security Feature Bypass Vulnerability
– Version 4.0
– Reason for Revision: In the Security Updates table, corrected the Download and
   Article links for all affected Windows 10 servers, Windows Server 2012 R2, and
   Windows Server 2012 R2. Note that the December 2020 Security Updates supersede
   the security updates released on November 10, 2020 and the updates released
   between November 17, 2020 and November 19, 2020 to address this vulnerability.
– Originally posted: November 10, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important


*************************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 8, 2020
*************************************************************************

Security Advisories Released or Updated on December 8, 2020
=========================================================================

* ADV200013

ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver
– Reason for Revision: Information published.
– Originally posted: December 8, 2020
– Updated: N/A
– Version: 1.0

* ADV990001

ADV990001 | Latest Servicing Stack Updates
– Reason for Revision: Advisory updated to announce new versions of Servicing Stack
   Updates are available. Please see the FAQ for details.
– Originally posted: November 13, 2018
– Updated: December 8, 2020
– Version: 29.0

* ADV200002

ADV200002 | Chromium Security Updates for Microsoft Edge (Chromium-Based)
– Reason for Revision: Updated advisory to announce a new version of Microsoft
   Edge (Chromium-based). Please see the table for more information.
– Originally posted: January 28, 2020
– Updated: December 8, 2020
– Version: 30.0

* CVE-2020-17160

CVE-2020-17160 | RETRACTED
– Version 2.0
– Reason for Revision: This CVE was published in error and has been retracted.
   For the correct CVE information see
   https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17002.
– Originally posted: December 8, 2020
– Updated: December 9, 2020
– Aggregate CVE Severity Rating: N/A

