submitted 1 year ago* (last edited 1 year ago) by DarraignTheSane@lemmy.world to c/sysadmin@lemmy.world

Hello c/sysadmin, and welcome to the Patch Megathread! I'm editing this post and leaving it up as a single catch-all sticky post for patch days for the time being, since we're not seeing enough activity to warrant new threads IMO. If someone wants to help moderate / curate content and actively create new patch day posts, please let me know and I'll add you to the mod team.

 

This is the place to talk about the latest patches, updates, and releases. We put this thread into place to help gather all the information about this month's updates: What is fixed, what broke, what got released and should have been caught in QA, etc. We do this both to keep clutter out of the community, and provide a singular resource to read.

 

While this thread is timed to coincide with Microsoft's Patch Tuesday, feel free to discuss any patches, updates, and releases, regardless of the company or product.

 

Remember the rules of safe patching:

  • Deploy to a test/dev environment before prod.
  • Deploy to a pilot/test group before the whole org.
  • Have a plan to roll back if something doesn't work.
  • Test, test, and test!
[-] defensor_fortis@lemmy.world 9 points 1 year ago
[-] DarraignTheSane@lemmy.world 5 points 1 year ago

I don't know, go ask him... seriously, we need contributors. :D

[-] lemmybenny@lemmy.world 2 points 1 year ago

yep, I've not been back to reddit since RIF stopped working but need more people posting!

[-] murty@lemmy.world 7 points 1 year ago* (last edited 1 year ago)

Starting my updates today (I typically wait a week to let other people be the test bed), I will update at the end tomorrow or the following day, especially if I run into any trouble.

More importantly though, there's two substantial changes in Windows Updates this month that you should be aware of if you are not already.

KB5020805 enters the next phase for patching CVE-2022-37967.

This month's patches do the following:

  • Removes the ability to set value 1 for the KrbtgtFullPacSignature subkey.
  • Moves the update to Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which can be overridden by an Administrator with an explicit Audit setting.

Between now and October is your last chance to look for anything broken by this change; after the October 10th patches, the ability to undo this change is removed completely.

For more details see: https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

KB5021130 enters final phase of patching for CVE-2022-38023

This month's patches are the final phase of mitigation for this issue. Last month it forced it on everyone, so hopefully you've seen and found anything broken, as this month removes the ability to turn this change off due to the following:

  • The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal registry subkey. This enables the Enforcement phase of CVE-2022-38023.

For more details see: https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25

Check your system logs for both of those KBs (event IDs to look for are outlined later in both articles) before patching.

Edit 1:

Just noticed that "CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability" has additional remediation steps if you are not using Microsoft Defender for Office. More details and regkey included in this article: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

Edit 2:

Finished updates last night with no issues. Basic environment overview: Mix of physical and VMs (split between Hyper-V and VMWare), mostly worked on Windows servers last night, 2012 R2 - 2019. Updated VMs and hosts (on both platforms). Everything seems to be humming along nicely.
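
As an added example (not from the thread, and not Microsoft's code), the pre-patch check the comment above recommends, as a PowerShell script to run elevated on each domain controller before the July 2023 updates go on. It reads the two registry values the KBs name (KrbtgtFullPacSignature under the Kdc service key, RequireSeal under Netlogon\Parameters), flags a value of 1 because that is the setting this month's update removes, and then summarises the System-log events from the KDC and NETLOGON providers over the last N days, grouped by event ID so you can match them against the event tables in KB5020805 and KB5021130. Assumptions: the registry paths and provider names are as documented in those KBs, and the audit events land in the System log; the script does not hardcode the event IDs, it reports whatever IDs those providers emitted so you can compare them with the articles.

```powershell
# Added example, not from the thread or from Microsoft. Run elevated on each domain
# controller before installing the July 2023 updates. Assumed: the registry locations
# below (documented in KB5020805 and KB5021130), the provider names, and that the
# audit events the KBs describe are written to the System log. Compare the event IDs
# this script reports against the tables in the two KB articles.

param(
    [int]$Days = 30   # how far back to look for audit events
)

$Since = (Get-Date).AddDays(-$Days)

# One entry per enforcement change. ValueBeingRemoved is the setting the July 2023
# update removes; DefaultNote describes what applies when the value is absent.
$Checks = @(
    [pscustomobject]@{
        Name              = 'KB5020805 / CVE-2022-37967 (Kerberos full PAC signature)'
        KeyPath           = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
        ValueName         = 'KrbtgtFullPacSignature'
        ValueBeingRemoved = 1
        DefaultNote       = 'absent = Enforcement (3) after the July 2023 update'
        Provider          = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    },
    [pscustomobject]@{
        Name              = 'KB5021130 / CVE-2022-38023 (Netlogon RPC sealing)'
        KeyPath           = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        ValueName         = 'RequireSeal'
        ValueBeingRemoved = 1
        DefaultNote       = 'absent = Enforcement after the July 2023 update'
        Provider          = 'NETLOGON'
    }
)

function Get-RegistrySetting {
    param([string]$KeyPath, [string]$ValueName)
    # Get-ItemProperty throws if the key or the value is missing; treat that as "not set".
    try {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
        return $item.$ValueName
    } catch {
        return $null
    }
}

function Get-AuditEventSummary {
    param([string]$Provider, [datetime]$Since)
    # FilterHashtable filters on the server side; SilentlyContinue turns the
    # "No events were found" error into an empty result.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $Provider
        StartTime    = $Since
    } -ErrorAction SilentlyContinue

    # Group by event ID so the IDs can be matched against the KB tables, and keep the
    # first line of one message per ID as a sample (it usually names the host or account).
    $events | Group-Object Id | ForEach-Object {
        $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Newest  = $newest.TimeCreated
            Sample  = ($newest.Message -split "`n")[0]
        }
    } | Sort-Object { [int]$_.EventId }
}

foreach ($c in $Checks) {
    Write-Host "=== $($c.Name) on $env:COMPUTERNAME ===" -ForegroundColor Cyan

    $value = Get-RegistrySetting -KeyPath $c.KeyPath -ValueName $c.ValueName
    if ($null -eq $value) {
        Write-Host "  $($c.ValueName): not set ($($c.DefaultNote))"
    } elseif ($value -eq $c.ValueBeingRemoved) {
        Write-Host "  $($c.ValueName) = $value  <-- this value stops working after the July 2023 update" -ForegroundColor Yellow
    } else {
        Write-Host "  $($c.ValueName) = $value"
    }

    $summary = @(Get-AuditEventSummary -Provider $c.Provider -Since $Since)
    if ($summary.Count -eq 0) {
        Write-Host "  No events from '$($c.Provider)' in the System log in the last $Days days."
    } else {
        Write-Host "  Events from '$($c.Provider)' in the last $Days days (match IDs against the KB):"
        $summary | Format-Table -AutoSize | Out-String | Write-Host
    }
}
```

Run it on every DC, not just one: the audit events are logged by whichever DC the offending client or trust talked to, so a clean result on a single DC says nothing about the others. A yellow line means you are still relying on a setting the update deletes, and any events the KBs classify as audit findings need the client side fixed before the enforcement phase, not after.
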

[-] daftfuder@lemmy.world 5 points 1 year ago* (last edited 1 year ago)
[-] possiblylinux127@lemmy.zip 2 points 1 year ago* (last edited 1 year ago)

Is it automated yet? (The autoposting that is)

We did a gitlab upgrade last week to 16.1 and it went fine, but I noticed they never put out a vanilla v16.1.0 tag for gitlab-runner. There exist images such as Ubuntu-v16.1.0 but we usually just use the vanilla one. Anyone know what's up about that?

[-] lemmybenny@lemmy.world 1 point 1 year ago

So.... What has Microsoft broken this month? How is the patching going everyone?

this post was submitted on 11 Jul 2023
57 points (98.3% liked)

Sysadmin

A community dedicated to the profession of IT Systems Administration
