Simplify and automate these patches and more with SolarWinds Patch Manager.
The Patch Manager catalog contains the following products:
Adobe
Apple
Mozilla
Change History (current month + 2):
03/10
03/04
03/02
02/16
02/11
01/11
12/23
12/17
12/14
12/10
12/09
12/08
12/03
12/01
11/25
11/23
11/13
11/12
11/10
11/09
11/03
11/01
10/27
10/22
Opera 72.0.3815.148
10/20
10/16
10/15
10/14
10/13
10/07
10/02
10/01
09/30
09/29
09/25
09/24
09/16
09/11
09/10
09/09
09/08
09/02
08/31
08/26
08/21
08/13
08/12
08/10
08/07
08/06
08/05
07/31
07/28
07/22
07/17
OpenJDK 8u262
07/16
07/15
07/14
07/09
07/08
07/07
07/03
07/02
07/01
They are listed in the table. The table was created in early May and there have been no patches for these applications since the time of creation.
I'm guessing we can treat this like a ''sticky" and check up every so often, eh? Thanks!
Actually, we are building out an automated way to get notified of changes to this table, along with a lot of other patch mgmt best practices and related content. Stay tuned.
Looking forward to it. Thanks!
Hi Grandgroove, checkout Patchzone! This is the community I was referring to in my note above.
http://thwack.solarwinds.com/community/application-and-server_tht/patchzone
Thank you for the link. I will check it out.
Will there be an upgrade package available for Adobe Reader 11.0.1? I'd like to get everyone on 11.0 updated, but I don't want to approve the non-upgrade package and have it push out to every system.
I checked the Adobe FTP site, and I didn't see a .MSP rollup file. That's usually when the upgrade-only patches get released. If that turns out to be the case, you can make a duplicate of the new Reader package and add prerequisites to check for an existing Adobe Reader installation.
The Adobe Reader 11.0.1 update is available from the Adobe Reader v11 catalog, as were the Adobe Reader v10 updates.
The Adobe Reader v11 catalog is available at: http://armmf.adobe.com/arm-manifests/win/SCUP/Reader11_Catalog.cab
Please see SolarWinds KB4460 for guidance on how to synchronize the new Adobe v11 catalogs with Patch Manager.
We have provided a Full Installation package for Reader v11.0.1, as we have done in the past for Reader v10 (when available), and will likely continue to do so.
I see Foxit PDF Reader is a new addition. Although I am glad to see new software being added, I am disappointed Foxit PDF Reader was chosen over PDF-XChange Viewer. PDF-XChange Viewer has all the features of Foxit with the additional ability to markup and save a PDF.
The brings up the question about how additional software suggestions are submitted to PM? I would really like PM to consider PDF-XChange Viewer:
http://www.tracker-software.com/product/pdf-xchange-viewer
"The No.1 rated BEST PDF Reader - as voted by Life Hacker Readers by a 2-1 margin for the 2nd year in a row!"
Thank you for the feedback, Mark. As it happens, we had not previously heard any requests for Tracker Software's PDF-XChange Viewer, but now that you've asked, I've forwarded your request to the packaging team and it will be added to the list. You can also post messages in the Patch Manager Feature Requests discussion area.
Why are we experiencing such delays while receiving Java packages? JRE7_U13 isn't available yet. JRE7_U11 was quite delayed as well, I had to make my own packages for it.
Adobe Flash 11.5.502.149 was released by the vendor on 2/7(Adobe - Security Bulletins: APSB13-04 - Security updates available for Adobe Flash Player). This appears to be a fairly serious security flaw. Can we expect this to be released to Catalog today? Thanks! -mark
Chris, I'm not understanding your compliant.
JRE7u11 was released by Oracle on Sunday, January 13 and was published to the Patch Manager catalog on Monday, January 14
JRE7u13 was released by Oracle on Friday, February 1 and was published to the Patch Manager catalog on Tuesday, February 5 (which is actually a bit misleading because the update was actually published around midnight Monday evening Feb 4).
In both cases, the updates were published to the catalog, the next business day after the vendor had publicly released the update.
It is not our practice to make announcements or promises as to when products or update packages will be released, but you can see from the data in the post above what our performance metrics have been for the past month, and the past year's delivery dates are documented in the attached worksheet. I encourage you to draw your own inferences from our historical delivery data.
Specifically, as regards Adobe Flash v11 (the v10 dates are identical) for the past six months:
11.5.502.146: Released by Adobe - Jan 8; Published to Catalog - Jan 8
11.5.502.135: Released by Adobe - Dec 11; Published to Catalog - Dec 11
11.5.502.100: Released by Adobe - Nov 6; Published to Catalog - Nov 6
11.4.402.287: Released by Adobe - Oct 8; Published to Catalog - Oct 9
11.4.402.278: Released by Adobe - Sep 18; Published to Catalog - Sep 19
11.4.402.265: Released by Adobe - Aug 21; Published to Catalog - Aug 21
Published to the Catalog at 9:30pm. :-)
In addition to JRE 7u17, Oracle has released the final-final patch for JRE6: JRE6u43. Java Downloads for All Operating Systems Version 6 Update 43
That is correct, Andrew. The omission of the JRE6 update was my error, I assumed that since Oracle said No More Java6 Updates after 2/28/13, that's what they meant. Now we'll get to see how many more zero-day exploits it takes before they actually do quit releasing JRE6 security fixes.
This post and the attached worksheet will be updated to reflect the JRE6 update when I post the update for publishing to the catalog.
I don't understand why you have packages for adobe acrobat 9, and adobe reader 11, but not adobe acrobat 11? Why not include adobe acrobat 11 with adobe reader 11 packages?
In addition, there is not an 'Upgrade' package for this latest version of adobe reader. However there was an upgrade with version 11.0.0.379. Why the inconsistency?
I would like to see standalone and upgrade packages for both reader and pro for each new version just like we see for java and flash. I find myself spending way to much time developing these packages myself.
We do not duplicate any content already provided direct by the vendors.
Adobe provides the following catalogs, which are configured to sync in Patch Manager automatically:
The packages for Acrobat 9 are created because Adobe does not publish an Acrobat v9 catalog, and the Reader v10 and Reader v11 packages published by SolarWinds are FULL INSTALL packages only .... because Adobe does not package Full Installers, only Update packages.
Your observation is correct, generally none of the Reader v11 packages came in "upgrade" packages. We did package an upgrade package for v11.0.0.379 because Adobe did not. Possibly because it was not a security update. I would have to check with the packaging group to get the specific details on that decision.
So, in general, all of this is driven by the first sentence in this reply. We do not duplicate what Adobe provides in its own Reader catalog, and we don't package any Acrobat v10 or v11 content.
Any updates on this "automated" way?
Certainly. Just "subscribe" to the document. On the right side of the screen in the menu select the option to "Receive email notifications". Anytime this document is updated, you'll get an email notification.
In addition you can subscribe via RSS feeds to some or all of the "Patch Manager" forums content on Thwack. From the Patch Manager forums main page, select "View feeds" in the Actions menu on the right side of the screen. That will take you to the RSS feed list for the Patch Manager forum. You can subscribe to just "Documents", for example, which would basically be this document as I don't think we have any other "documents" posted at this time, but I'd suggest just subscribing to the "All Content" feed.
The "All Content" one is too much info for me. Adding just the "Documents" link yields no RSS info. Does the RSS feed need to be updated on your end to include the Patch Manager .xls sheet?
I just subscribed to the "Documents" feed, and it returned four items.. which is an accurate reflection of the content. The documents are related to how to disable automatic updates for each of the products Foxit, Chrome, iTunes, and WinZip, dated from 5/10 to 5/27.
I presume that the 3rd Party Updates document will push into that feed as soon as its update, and I do have an update to post momentarily, so we'll know shortly. :-)
In addition to the Patch Manager forum feeds, the document is also available from the PatchZone blog feed and that feed is working.
Looks like it's working now. Thanks. Is there anyway to create a static link to the document so I can link right to it, rather than this page itself?
Yes, right click on the XLS link at the bottom of the page and "Copy shortcut" from the context menu.
The direct link is:
http://thwack.solarwinds.com/servlet/JiveServlet/download/167089-126-33022/Patchzone%20Table%20-%203rd%20party%20Patches.xlsx
I believe I tried that, but doesn't the link change when the file is updated?
Sent from my iPhone
Good point. I believe it does, as we "remove" the attachment and then "add" a new attachment when the spreadsheet is updated.
Please add the JAVA 1.7 JDK to the 3rd party patch list.
For requests for products to be added to the catalog, please post in the Patch Manager Feature Requests forum so that it will be seen by Product Management.
I’m not seeing the latest version of Firefox in Patch Manager. I updated the catalogs and ran a sync.
-Brandon
Thank you for directing me to the right place. Ideal has been created.
Brandon, I did a sampling of support and dev people inside SolarWinds who regularly sync content to their own Patch Manager installations, and nobody has experience similar issues. Likewise, I've not seen any issues on my own environments. Is the Firefox update the only one missing? If so, what happens if you launch a manual synchronization? If the sync fails, or if the Firefox package is still not present, my best suggestion is to open a support ticket via http://customerportal.solarwinds.com.
It showed up today when I checked. I wonder why the manual sync yesterday didn’t work. Are there other refresh settings related to the WSUS server I might need to modify?
What time yesterday (GMT) did your synchronization event run?
There are no other requirements. Synchronization is best handled as a scheduled event, and at the current time the best synchronization time to get the content as early as possible is about 1500-1600 GMT. If you synchronized earlier than 6/26 1500GMT, that would be one possible explanation.
That happens to me on occasion. Once this thread is updated with news of a new update being available, I usually give it a couple of hours before I attempt sync. It sounds like you might have synced at just the right time window to where it wasn’t quite ready.
Actually that experience should NOT be occurring.
By the time I get the notifications that updates have been published to the catalog, it's typically 30-60 minutes after I receive the notification that those updates are announced in this post.
I'll double-check with our teams to make sure that the catalogs are being published before the announcements are being pushed internally.
The other thing I'll point out here is that the best practice is to configure Patch Manager to schedule a daily synchronization (we publish updates almost daily) and to enable email notifications from the Patch Manager server that updates have been received. It's much more of a reliable task to automate the process and let the Patch Manager server get that content and tell you when it's actually there, than it is to monitor this post (which sometimes, to be sure, may not be updated for several hours after actual availability, depending on other activities in my work schedule) and then launch a synchronization in response.
Generally speaking, updates are published to the catalog by early morning -- it's now an overnight process for the most part -- so the optimum time to synchronize the SolarWinds catalog would be 1500-1600 GMT.
I may have overstated the occurrences. We have had Patch Manager for three years, and we are talking perhaps 5-6 total. We have a nightly scheduled sync at 11:00pm, and then I usually run a manual sync whenever there is an announcement of an update that we need. I just thought that the condition may be similar to what the other user was reporting.
Almost every time I publish an update it shows up in the Third Party Updates section, but says it's not downloaded (even though part of the publishing process was to download the file). Upon republishing, it usually works, but sometimes I have to do it a third time. Any ideas why?
There is a known issue when downloading/publishing content using the Package Download Assistant that does not auto-refresh the package list.
If you are downloading/publishing content that can be Direct Downloaded, a refresh is auto-generated
-Lawrence (from the Blackberry)
Even after refreshing it shows the package isn’t downloaded. If it shows not downloaded, can I still deploy it?
Typically this is an indication something was holding the content during publishing (probably AV software). McAfee seems to be the most common culprit.
Okay.. my previous reply, from the Blackberry, suffered from not being able to see the image... the subsequent reply did add some context, but the image makes the biggest difference.
"Downloaded" to the WSUS Server is a completely different thing than "Downloaded" to Patch Manager as part of the publishing process.
The reason the image above shows "not downloaded" is simply because the update is Not Approved. Once you add an Approval to that update, WSUS will simulate downloading the file (because, in fact, it's already there), and the icon will then show as "downloaded".
Strange…I wonder why it only happens sometimes then? An initial publish/download sometimes shows the downloaded icon, and sometimes I have to republish\download for it to work. I’ve never tried simply approving it and checking if the icon changed. I’ll try that next time.
What is this new ESR version of Flash I see?
ESR = "Extended Support Release". The ESR program is the maintenance of the downlevel version of Flash Player.
Flash Player v10 has reached End Of Life. The last release of Flash Player v10.3 was on June 11, 2013. Effective July 9, 2013, the ESR program now publishes Flash Player v11.7. (Flash v11.8 is the current release.)
No new significance in the process, really, just the explicit labelling of this older version as "ESR" (which we had not been doing previously).
Extended Support Release Updated to Flash Player 11.7!
You can find some info here...
Why would one want to stay on 11.7 ESR rather than upgrading to 11.8?
The most likely reason, given that Flash v11.8 is a brand new "feature" release, is that some organizations are a bit more conservative about deploying "feature" releases of products, than they are security updates.
Given the choice between v11.8.800.94, which contains new functionality (not yet tested by most organizations), and v11.7.700.232 ESR (which only contains security fixes, such is the purpose of the Extended Support Release program), there are likely many organizations who will choose to deploy v11.7.700.232 now, and v11.8.<whatever> later.
Can we get support for patching Trillian?
We're always interested in feedback and suggestions for catalog additions.
If you post the request in Patch Manager Feature Requests, the Product Manager will see it and handle it accordingly.
I haven't received an email update for this thread since 7/25, even though I'm subscribed and following. Any ideas why?
Also, the link takes me to a page where I see feature requests, but I don't see specific patches requested. Is there a seperate page for that?
Any updates to the above post/questions? Our security vulnerabilities are increasing by the minute
I'm looking into the question about email updates on this document and it's companion PatchZone thread, but I've spoken with others who also have email subs to this document, and they did receive an email notification on the last update on August 12.
I must confess, though, I'm somewhat confused by how the Email updates from this document would be causing you a backlog of security vulnerabilties. Everything announced in this document is after the update has been released to the Patch Manager catalog. Presumably you would be synchronizing that catalog on a daily basis automatically. (Please note that we do post updates to the catalog several times per week in most weeks.) The arrival of the updates to your Patch Manager server should be your official notification of the availability of the updates. The Patch Manager synchronization task does provide for email-based notifications when new updates arrive.
Neither the catalog, nor this document, should be used as a methodology for obtaining notifications of security vulnerabilities. There are other resources much better suited to that level of information.
Our purpose with this post is to provide a cross-reference to the content synchronized by Patch Manager, as well as an informative source to non-PatchManager customers (via PatchZone) to document the release of third-party updates. There are no guarantees of the timeliness of the updates to this document, and on occasion this document has not been updated for a couple of days after the actual release -- depending on my availability and other workloads.
If I remember correctly, the reason I switched from using the emails generated by the Patch Manager server was that it didn't include the version number of the patches.
Also, I'm getting an email like this:
However, it would be useful if it looked like:
Published Patch Version | New Release Version
This way we only see updates (in addition to their version numbers) for patches that we have published. In other words, it's not necessary for me to know a new Dell driver has been published if I don't publish those.
Any way to accomplish this? I believe we discussed this before, but obviously I missed something
Correct, it only displays the Product Category Name for Security or Critical Updates.
Beyond that, if you navigate to the Software Publishing node of the console, select the desired synchronization event, and then click on the Packages tab in the bottom half of the Details Pane, the complete list of package obtained during that synchronization event will be displayed.
Suggestions for revisions to the notification email are welcome and encouraged in the Feature Requests forum.
That's a pretty tedious way to do it. I'm surprised people haven't requested this before. It seems like a notification saying "Hey, new versions of your published packages are available," would be the main type of notification needed in an application like Patch Manager.
Is there a way to auto download/publish certain updates to certain groups when they are released to the catalog? If so, can there be an email notification when this happens? If not, is there a way to setup email notifications when certain updates are published manually? Thanks
There is not currently a methodology to auto-download or auto-publish updates to WSUS.
We do have an idea posted related to those ideas if you'd like to vote: http://thwack.solarwinds.com/ideas/1128
I know this is quite delayed considering when the initial response was generated, but I was directed here by SolarWinds support. I've also been experiencing delays in receiving JRE patches as well. Currently, JRE7u40 is available from the Java site, but Patch Manager still has JRE7u25 listed as the last available patch. All other 3rd-party updates appear to be coming in just fine.
JRE7u40 was just released by Oracle this morning.
The previous update was JRE7u25 released on June 19.
You're not missing any Java updates!
Okay, my apologies. Today was the first time in a while that I checked the Java site to see if there was an update and u40 was available, so it had me a little concerned.
JRE7u40 was published to the catalog shortly before 9am CT this morning.
I have three duplicate packages in my Apple package list. The original three packages are listed as Expired, but their replacements are identical in wording, MSI product code and references. Why wouldn't this be a revision? There could be a difference that I'm missing. I just want to make sure folks with the IOS 7 itch won't come breaking down my door.
Well, it would help if I mentioned them, eh? Sorry, it has been a looong day.
Apple Mobile Device Support 7.0.0.117 (x64) (upgrade)
Apple Mobile Device Support 7.0.0.117 (x86) (full install)
Apple Mobile Device Support 7.0.0.117 (x64) (full install)
I'm checking on this, Jay. I'm not seeing the differences either.
Is there a link where we could download the updated cab files? Like Java and Firefox. The reason I ask is our Patch Manager is running on a closed network.
While it is possible to download the catalog and manually import it into a disconnected server, even if you did download/import the catalog, it would still be necessary to obtain the installation files for each update independently. However, there is no supported methodology for manually importing the update binaries, and while it is possible, doing so is a particularly tedious effort.
The preferred mythology is to use a similar sort of export/import process as you're using for the WSUS server. This process is described in a Geek Speak article from earlier this year: Using Patch Manager in a Disconnected Network Environment
Is there any status page that self-refreshes with the status of patches? I couldn't find one in the PM console window.
Patch Manager provides email notifications for synchronization results.
There is no web-based resource that is automatically updated.
This page is manually updated (by me), typically around 9am in the morning (schedule permitting).
There were Skype and Thunderbird releases in the past 36 hours, which will be posted in the next 24 hours.
I'll check it out. I have been doing the download of the catalog and the installation files for Adobe and it been working great. Firefox on the other hand I can never seem to get it to work right. Every month it is a different issue.
There is only one problem with this setup. Our disconnected network is a classified system. So if we create the SAS on the same network as the PAS we cannot move the SAS onto a internet connected network.
Can we integrate the patch management with microsoft wsus and system center configuration manager?
Absolutely. See the Patch Manager Evaluation Guide for ConfigMgr 2012 for more details.
I see Flash 17 in the table but i am not seeing it in in my console under software publishing. The highest I see is Flash 16.
Hi,
Are you still seeing the issue ?
Flash 17 was added to the catalog on 13th March 12:45 GMT, When was last Sync operation performed to update the catalog ? if not please perform a catalog sync to bring down the updates.
Any word on when Chrome 43.0.2357.134 & Java 8u51 packages will be released?
They were released today!
Any chance we could get Webex software added to the set of patches available to be pushed?
I've added it to the "wish list". How about we also put it up for voting!
Vote here:
When will the new version of Google Chrome (47.0.2526.73) be released for Patch Manager?
Patch Manager has Adobe update packages for Flash Player, Shockwave, etc. However, I do not see any SolarWinds packaged Adobe Reader updates available. There are two areas under 'Software Publishing' for these. Adobe Packages (Packaged by SolarWinds) and Adobe Systems, Inc Packages (Stuff straight from Adobe). Will there be any SolarWinds packaged Adobe Reader updates available?
It is unlikely that SolarWinds will respond with a definite release date/time as it must be created and tested, but historically this happens fairly quickly; here are the last few:
46.0.2490.86 Released by vendor: 11/10/2015 Added to Patch Manager Catalog: 11/11/2015
46.0.2490.80 Released by vendor: 10/22/2015 Added to Patch Manager Catalog: 10/23/2015
46.0.2490.71 Released by vendor: 10/13/2015 Added to Patch Manager Catalog: 10/14/2015
45.0.2454.101 Released by vendor: 09/24/2015 Added to Patch Manager Catalog: 09/28/2015
45.0.2454.99 Released by vendor: 09/21/2015 Added to Patch Manager Catalog: 09/23/2015
SolarWinds will sometimes release Full installation packages for Adobe Reader but typically that is not for every minor version. You are correct that it has been a while since the last Full install version was added to the catalog - that was 11.0.10.32 on 12/9/2014.
You won't find any Reader update packages in the Adobe Packages folder since Adobe makes packages for the upgrades and SolarWinds does not want to duplicate what Adobe is already providing since that would be (even more) confusing.
Thanx for the feedback. BTW, I tested a few scenarios and what I found was the Adobe Reader 11.0.13 update was corrupted. I deleted it and re-downloaded it. I published it and it applied successfully. Sometimes the simple solution is the right one to try.
Well, 6 days since 47.0.2526.73 was released by Google and still no package from SolarWinds.
Chrome 47.0.2526.73 was added to catalog shortly. This delay is due to some unavoidable circumstances.
What a headache to keep up with all this, track it, troubleshoot it . . .
Thanks SW. Your work is recognized and much appreciated!
I downloaded the content for Firefox 43 Upgrade, but when I try to publish it, I get this. Tried deleting the content and downloaded it again. Same issue when trying to publish.
^^^^
Ok, disregard this post. I was going to delete it, but then thought that explaining it may help others. The Credential ring was using a password that had been changed, so things started to fail. I updated the password and all is well.
Have a great day!!!
The new Chrome 50 packages need to be updated. The applicability rule says "WindowsVersion greater than or equal to MajorVersion=5 MinorVersion=1 Service Pack Major = 2 Service Pack Minor=0 Product Type=Workstation", but Chrome 50 dropped support for Windows XP and Vista. As a test I installed it anyway on my XP test VM and it gives you this every time you run it.
Please re-sync catalog to get updated packages
Any word on Flash ActiveX 21.0.0.242, and Adobe Reader 11.0.16?
I see Adobe Reader 11.0.16. I have already downloaded and published it. However, the new version of Flash player has not been packaged yet. I see it for download from Adobe's distribution site, just looks like Solar Winds hasn't pushed it to Patch Manager yet...
I am not seeing the Adobe Reader Update, the last one I have is the 11.0.15. Is there something I need to check in my sync catalog?
I'm getting errors on my syncing.
I found this article. On the server where Patch Management is installed, is there plenty of free space available?
"CabLib Extract ERROR while extracting files from cabinet: failure writing to target file" (127114)
8.12 GB free.
Flash 21.0.0.242 published shortly to catalog, As hdwrguy mentioned space constraint could be the issue for this sync failure.
Flash 21.0.0.242 has been published and is in the catalog. Thank you!!
There's now 32.4 GB of free space and it's still failing with the same error. It says nothing about available space. It's saying that "The file is not a cabinet Stack Trace" See screenshot above...
