Patch Assessment Content Update Release Notes for CCS 11.0

Version: 2015-21 Update Legal Notice Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement. Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com Patch Assessment Content Update (PACU)

This document includes the following topics:

■ Prerequisites for PACU

■ What's New in PACU 2015-21

■ Patch Assessment Content Updates for Windows in 2015-21

■ Patch Assessment Content Updates for UNIX in 2015-21

■ Comprehensive standard for Windows and UNIX on message-based content

■ Updates in PACU 2015-20

■ Contents of the PACU

Prerequisites for PACU The following are the prerequisites for installing the Patch Assessment Content Updates:

■ Before you install a Patch Assessment Content Update, you must have the Control Compliance Suite 11.0 installed on your computer.

■ To install PACU 2015-4 or later by using the LiveUpdate feature, you must apply Quick Fix 10557. A new signing certificate is used for all CCS files that are signed after February 12, 2015. Quick Fix 10557 includes the Symantec.CSM.AssemblyVerifier.dll, which contains the updated CCS certificate information necessary to validate the certificate. You can download the Quick Fix 10557 from the following location: Patch Assessment Content Update (PACU) 5 What's New in PACU 2015-21

http://www.symantec.com/docs/TECH228301

Note: If the Quick Fix 10557 is not applied, the Automatic Updates Installation job will fail. However, there is no impact on the manual installation of PACU without this Quick Fix.

■ To manually install PACU 2015-4 or later, on CCS 11.0 on Windows 2003 Server successfully, you must deploy a Microsoft hotfix. If the hotfix is not applied, the manual installation fails and the digital certificate validation error message is displayed. You must request for this hotfix via the Hotfix Download Available link at the following location: http://support.microsoft.com/kb/968730

■ Improvements have been made for the Comprehensive Windows Patch Assessment Standard in SCU 2013-2 by upgrading the patch scan xml from hfnetchk6b.xml to hf7b.xml. SCU 2013-2 is enhanced to support data collection using the hf7b.xml. Therefore, installation of SCU 2013-2 or a later version is now a prerequisite for the installation of PACU 2013-22 and later versions.

■ You must deploy a hotfix to get correct patch assessment results for "Comprehensive Patch Standard for AIX", which is a new standard provided with PACU 2013-25 and later versions. You can download and deploy the hotfix from the following location: http://www.symantec.com/business/support/index?page=content&id=TECH212480

What's New in PACU 2015-21 PACU 2015-21 contains the following updates:

■ Patch Assessment Content Updates for Windows in 2015-21 See “Patch Assessment Content Updates for Windows in 2015-21” on page 6.

■ Patch Assessment Content Updates for UNIX in 2015-21 See “Patch Assessment Content Updates for UNIX in 2015-21” on page 7.

■ Comprehensive standard for Windows and UNIX on message-based content See “Comprehensive standard for Windows and UNIX on message-based content” on page 7. PACU 2015-21 includes the updates from PACU 2015-20. Patch Assessment Content Update (PACU) 6 Patch Assessment Content Updates for Windows in 2015-21

Patch Assessment Content Updates for Windows in 2015-21 PACU 2015-21 contains checks for updates released by Microsoft in September 2015 on message-based content.

Updates for message-based content The following new patch bulletins are added in this release:

■ MS15-094 Cumulative Security Update for Internet Explorer (3089548)

■ MS15-096 Vulnerability in Active Directory Service Could Allow Denial of Service (3072595)

■ MS15-097 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656)

■ MS15-098 Vulnerabilities in Windows Journal Could Allow Remote Code Execution (3089669)

■ MS15-100 Vulnerability in Windows Media Center Could Allow Remote Code Execution (3087918)

■ MS15-101 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3089662)

■ MS15-102 Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657)

■ MS15-103 Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250)

■ MS15-105 Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass (3091287) Patch Assessment Content Update (PACU) 7 Patch Assessment Content Updates for UNIX in 2015-21

Patch Assessment Content Updates for UNIX in 2015-21 PACU 2015-21 updates the UNIX operating system and application patches for message-based content.

Updates for message-based content in Patch Policy Updates for the following UNIX platforms are available in this release.

■ HP-UX

■ Oracle Enterprise Linux (OEL)

■ Red Hat Enterprise Linux (RHEL)

■ Solaris

■ SUSE

Comprehensive standard for Windows and UNIX on message-based content PACU 2015-18 contains the comprehensive standard for the patch policy.

Table 1-1 Message-based data content patch policy and standard updates for Windows and UNIX

File Name Standard Version OS Patch Policy Version

ESM_OSPatches_Comprehensive.xml 1.1.63 2015.09.01

Updates in PACU 2015-20 The PACU 2015-20 contained the following updates:

■ Patch Assessment Content Updates for Windows in 2015-20 See “Patch Assessment Content Updates for Windows in 2015-20” on page 8.

■ Patch Assessment Content Updates for UNIX in 2015-20 See “Patch Assessment Content Updates for UNIX in 2015-20” on page 9. Patch Assessment Content Update (PACU) 8 Updates in PACU 2015-20

Patch Assessment Content Updates for Windows in 2015-20 PACU 2015-20 contains checks for updates released by Microsoft in September 2015 on raw-data content.

Updates for raw-data content

■ MS15-094 Cumulative Security Update for Internet Explorer (3089548)

■ MS15-096 Vulnerability in Active Directory Service Could Allow Denial of Service (3072595)

■ MS15-097 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656)

■ MS15-098 Vulnerabilities in Windows Journal Could Allow Remote Code Execution (3089669)

■ MS15-099 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3089664)

■ MS15-100 Vulnerability in Windows Media Center Could Allow Remote Code Execution (3087918)

■ MS15-101 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3089662)

■ MS15-102 Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657)

■ MS15-103 Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250)

■ MS15-104 Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege (3089952)

■ MS15-105 Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass (3091287) Patch Assessment Content Update (PACU) 9 Contents of the PACU

Patch Assessment Content Updates for UNIX in 2015-20 There are 115 updated patches and 350 new patches in dat (template) files for the following platforms:

Updates for raw-data content Updates for the following UNIX platforms are available in this release.

■ Sun Solaris

■ Linux

■ Ubuntu

■ HP-UX

Contents of the PACU PACU contains the following files:

Table 1-2 Contents of the PACU

Name Description

SEForMSPatches_Comprehensive.xml Raw-data content standard for Windows

SEForMSPatches_Less.xml Raw-data content standard for Windows

LinuxRecommendedPatches.dat Raw-data content updates for Linux platforms

HP-UXRecommendedPatches.dat Raw-data content updates for HP-UX platforms

AIXRecommendedPatches.dat Raw-data content updates for AIX platforms

SunOSRecommendedPatches.dat Raw-data content updates for Sun OS platforms

ESM_OSPatches_Comprehensive.xml Message-based content updates for Windows and UNIX

bvMSSecure.xml Raw-data content file for Windows data collection

hf7b.xml Raw-data content file for Windows data collection Patch Assessment Content Update (PACU) 10 Contents of the PACU

Table 1-2 Contents of the PACU (continued)

Name Description

BestPractice_OS_Patch_Updates.exe Patch Policy updates on message- based content for Windows and UNIX.

Comprehensive_AIXPatchStandard.xml Contains checks which evaluate on APAR and Packages for AIX OS

Symantec.CSM. Custom algorithm used for evaluating UnixPlatformContent.UnixPatchStandard.dll package checks in the Comprehensive Patch Standard for AIX. Version 11.0.14300.1004