Description of the security update for SharePoint Enterprise Server 2016: June 11, 2019

This security update resolves a cross-site-scripting (XSS) vulnerability that exists when Microsoft SharePoint Server does not correctly sanitize a specially crafted web request to an affected SharePoint server. This update also resolves a remote code execution vulnerability that exists in Microsoft Word software when it fails to correctly handle objects in memory. To learn more about the vulnerabilities, see the following:

• Microsoft Common Vulnerabilities and Exposures CVE-2019-1031
• Microsoft Common Vulnerabilities and Exposures CVE-2019-1032
• Microsoft Common Vulnerabilities and Exposures CVE-2019-1033
• Microsoft Common Vulnerabilities and Exposures CVE-2019-1034
• Microsoft Common Vulnerabilities and Exposures CVE-2019-1036

Note To apply this security update, you must have the release version of Microsoft SharePoint Enterprise Server 2016 installed on the computer.

This public update delivers Feature Pack 2 for SharePoint Server 2016. Feature Pack 2 contains the following feature:

• SharePoint Framework (SPFx)

This public update also delivers all the features that were included in Feature Pack 1 for SharePoint Server 2016, including the following:

• Administrative Actions Logging
• MinRole enhancements
• SharePoint Custom Tiles
• Hybrid Auditing (preview)
• Hybrid Taxonomy
• OneDrive API for SharePoint on-premises
• OneDrive for Business modern user experience (available to Software Assurance customers)

The OneDrive for Business modern user experience requires an active Software Assurance contract at the time that the experience is enabled, either by installation of the public update or by manual enablement. If you don't have an active Software Assurance contract at the time of enablement, you must turn off the OneDrive for Business modern user experience.

For more information, see the following Microsoft Docs articles:

• New features in November 2016 PU for SharePoint Server 2016 (Feature Pack 1)
• New features in September 2017 PU for SharePoint Server 2016 (Feature Pack 2)

Contains the following improvements in SharePoint Server 2016:

• Adds the new Japanese era name in the Japanese word breaker to make sure that the new era name can be correctly broken during a search.

• Spanish is now an option among the search language preference in the SharePoint classic search if users from Argentina and other countries from South America set Spanish as their language preferences in the browser.

Contains fixes for the following nonsecurity issues in SharePoint Server 2016:

• When you start crawling for some content that has many links, the crawl fails because the number of links exceeds a search limitation. After multiple failures, the content is deleted unexpectedly. After this update is installed, you can set the maximum number of links that are sent to the index by using the ContentPIMaxNumLinks property. To set ContentPIMaxNumLinks (for example, to 10,000), you can use commands that resemble the following:

  $ssa = Get-SPEnterpriseSearchServiceApplication
  $ssa.SetProperty("ContentPIMaxNumLinks", 10000)
  $ssa.Update()

• Assume that you enable McAfee Security for SharePoint Server 2016. When you access a large OneNote file that has an attachment in SharePoint Server 2016, an application pool crashes intermittently.

• You experience errors when you create a document that is set to use the DD/MM/YYYY date format. This issue may occur if users configure their My Site Profile information to use their local regional settings, such as French/Luxembourg.

• The SharePoint file plan report doesn’t generate the hyperlink for a URL that contains special characters, such as white spaces.

• Assume that you view a Datasheet View on a list by using the Internet Explorer browser. You try to paste a cell that has multiple lines of text from an Excel worksheet into a field that uses the Multiple lines of text type option in the Datasheet view. When you try to paste the cell, you receive an error message, and the paste operation fails.

Contains fixes for the following nonsecurity issues in Project Server 2016:

• Adds the PublishSummary method for the ProjectCollection class in the client-side object model (CSOM) so that project-level fields on a project can be published independently from the entire project.

• Updating resources through the client-side object model (CSOM) takes a long time or causes a time-out.

• When you update a task in a timesheet, after the status update is applied to the project, in Project you may observe unexpected results to the resource assignment. For example, the custom remaining work contour has changed to Flat. Or, the finished date of the assignment on a fixed duration task is earlier than expected.