This security update resolves an Authentication Bypass vulnerability that allows SAML tokens to be signed by using arbitrary symmetric keys in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF). To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2019-1006 and Microsoft Common Vulnerabilities and Exposures CVE-2019-1134.
Note To apply this security update, you must have the release version of Microsoft SharePoint Server 2019 installed on the computer.
Improvements and fixes
This security update contains improvements and fixes for the following nonsecurity issues:
Adds support for the new Japanese era name to the Chinese word breaker to make sure that the name will be broken correctly.
Adds the ProjectIdMinDigit, ProjectIdSeed, ProjectIdPostfix and ProjectIdPrefix properties in the EnterpriseProjectTypeCreationInformation class. You can now use these properties to update the Project Identifier information of an enterprise project type (EPT) through the client-side object model (CSOM).
Adds the ProjectQueuePublishSummary method for the ProjectCollection class in the client-side object model (CSOM) so that project-level fields on a project can be published independently from the entire project. For example, if you use a workflow in your project creation process, you can use this new method to publish the stage summaries.
Reduces the severity of certain upgrade sequence messages from WARNING to INFO. These messages indicate that the upgrade action doesn't have to make any changes because its database extension is not currently enabled in the database. For example, upgrade messages such as the following will no longer be labeled as warnings:
"Ignoring upgrade sequence: Microsoft.SharePoint.BusinessData.Upgrade.BdcDatabaseExtensionUpgradeSequence because related content database extension Microsoft.SharePoint.BusinessData.SharedService.BdcDatabaseExtension is not enabled."
- Updating a fixed duration task assignment from a timesheet may unexpectedly change the assignment’s finish date to an earlier date.
- Fixes an issue in which resetting the role inheritance by using the SPWeb.ResetRoleInheritance method does not work on copied sites that are created by using the Copy-SPSite cmdlet.
- In some cases, existing files are overwritten even if users don't explicitly overwrite the files.
- Fixes an issue in which an Office file that contains the number sign (#) in the file name is downloaded by a user who doesn’t have sufficient permissions on the file.
- Fixes an issue that prevents the BLOB cache feature from working unless the SharePoint application pool account is a member of the local Administrators group. If you add your SharePoint application pool account to the local Administrators group to work around this issue, we recommend that you remove that account from the local Administrators group after this update is installed. Removing the application pool account from the local Administrators group reduces potential security risks in your SharePoint farm.
Fixes an issue that causes an incorrect MIME type to be used for certain types of files that are stored in SharePoint, such as Cascading Style Sheet (.css) files. This may cause web browsers to incorrectly render webpages that depend on those files. To work around this issue, install the following Web Server Role (IIS) feature:
IIS 6 Metabase Compatibility (Web-Metabase)
This workaround is no longer necessary after this update is installed. Therefore, you can safely remove the IIS 6 Metabase Compatibility feature from SharePoint servers.
How to get and install the update
Method 1: Microsoft Update
This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.
Method 2: Microsoft Update Catalog
To get the standalone package for this update, go to the Microsoft Update Catalog website.
Method 3: Microsoft Download Center
You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.
Security update deployment information
For deployment information about this update, see security update deployment information: July 9, 2019.
Security update replacement information
This security update replaces previously released security update 4475512.
File hash information
|File name||SHA1 hash||SHA256 hash|
The English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.