Oracle Solaris Third Party Bulletin - April 2015

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins are also updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between consecutive quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 14 July 2015
  • 20 October 2015
  • 19 January 2016
  • 19 April 2016

References

Modification History

2015-April-14 Rev 1. Initial Release
2015-May-15 Rev 2. Added Multiple CVEs
2015-June-15 Rev 3. Added Multiple CVEs

Oracle Solaris Executive Summary

This Third Party Bulletin contains 44 new security fixes for Oracle Solaris. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Risk Matrix

Revision 3: Published on 2015-06-15

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-0801 | Solaris | Multiple | Firefox | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 | See Note 11 |
| CVE-2014-4617 | Solaris | Multiple | GnuPG | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2011-4091 | Solaris | Multiple | Net6: C++ networking library | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 | See Note 6 |
| CVE-2014-3695 | Solaris | Multiple | vino | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2014-3696 | Solaris | Multiple | vino | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2014-3698 | Solaris | Multiple | vino | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 | |
| CVE-2014-9709 | Solaris | Multiple | GD2 Graphics Draw Library | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2015-3811 | Solaris | Multiple | Wireshark | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 12 |
| CVE-2014-3694 | Solaris | Multiple | vino | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 | |
| CVE-2013-0308 | Solaris | Multiple | Git | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 | |
| CVE-2015-2774 | Solaris | Multiple | Erlang | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-8092 | Solaris | Multiple | X.Org | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2, 10 | See Note 10 |
| CVE-2015-3646 | Solaris | Multiple | OpenStack Identity (Keystone) | No | 3.5 | Network | Medium | Single | Partial | None | None | 11.2 | |
| CVE-2013-1569 | Solaris | None | Localization (L10N) | No | 1.5 | Local | Medium | Single | None | None | Partial | 11.2 | See Note 7 |
| CVE-2015-1205 | Solaris | None | Localization (L10N) | No | 1.0 | Local | High | Single | None | None | Partial | 11.2 | See Note 9 |
| CVE-2014-7926 | Solaris | None | Localization (L10N) | No | 1.0 | Local | High | Single | None | None | Partial | 11.2 | |
| CVE-2014-7923 | Solaris | None | Localization (L10N) | No | 1.0 | Local | High | Single | None | None | Partial | 11.2 | |
| CVE-2014-7940 | Solaris | None | Localization (L10N) | No | 1.0 | Local | High | Single | None | None | Partial | 11.2 | |
| CVE-2014-6591 | Solaris | None | Localization (L10N) | No | 1.0 | Local | High | Single | Partial | None | None | 11.2 | See Note 8 |

Revision 2: Published on 2015-05-15

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-3158 | Solaris | Multiple | Point-to-Point Protocol service | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 | |
| CVE-2014-9663 | Solaris | Multiple | FreeType | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2, 10 | See Note 5 |
| CVE-2015-1195 | Solaris | Multiple | OpenStack Glance | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 11.2 | |
| CVE-2015-1856 | Solaris | Multiple | OpenStack Object Storage (Swift) | No | 5.5 | Network | Low | Single | None | Partial | Partial | 11.2 | |
| CVE-2015-1799 | Solaris | NTP | NTP | No | 5.4 | Adjacent Network | Medium | None | Partial | Partial | Partial | 11.2, 10 | |
| CVE-2014-0227 | Solaris | Multiple | Apache Tomcat | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 11.2 | |
| CVE-2014-3566 | Solaris | Multiple | Apache Tomcat | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 | |
| CVE-2014-9636 | Solaris | Multiple | Unzip | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2015-3405 | Solaris | NTP | NTP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2015-2316 | Solaris | Multiple | Django Python web framework | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 | |
| CVE-2015-1852 | Solaris | Multiple | Middleware for OpenStack Identity | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 | |
| CVE-2015-1852 | Solaris | Multiple | OpenStack Identity (Keystone) | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 | |
| CVE-2014-9390 | Solaris | Multiple | Mercurial source code management | Yes | 4.0 | Network | High | None | Partial | Partial | None | 11.2 | |
| CVE-2015-2317 | Solaris | Multiple | Django Python web framework | Yes | 2.6 | Network | High | None | None | Partial | None | 11.2 | |
| CVE-2015-1798 | Solaris | NTP | NTP | Yes | 2.6 | Network | High | None | None | None | Partial | 11.2, 10 | |

Revision 1: Published on 2015-04-14

Columns Base Score through Availability are the CVSS VERSION 2.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-1802 | Solaris | TCP | X.Org | No | 8.5 | Network | Medium | Single | Complete | Complete | Complete | 11.2, 10 | See Note 1 |
| CVE-2015-0292 | Solaris | SSL/TLS | WAN Boot | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 | See Note 3 |
| CVE-2014-3566 | Solaris | SSL | Java Web Console | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 | |
| CVE-2015-2188 | Solaris | Multiple | Wireshark | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 2 |
| CVE-2014-0339 | Solaris | HTTP | Java Web Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 | |
| CVE-2014-3924 | Solaris | HTTP | Java Web Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 | See Note 4 |
| CVE-2014-9623 | Solaris | Multiple | OpenStack Glance | No | 4.0 | Network | Low | Single | None | None | Partial | 11.2 | |
| CVE-2014-5353 | Solaris | Multiple | Kerberos | No | 3.5 | Network | Medium | Single | None | None | Partial | 11.2, 10 | |
| CVE-2015-0255 | Solaris | None | X.Org | No | 3.2 | Local | Low | Single | Partial | None | Partial | 11.2, 10 | |
| CVE-2014-9297 | Solaris | NTP | NTP | Yes | 2.6 | Network | High | None | Partial | None | None | 11.2, 10 | |
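
The Base Score column in each matrix is derived from the six metric columns to its right using the CVSS v2.0 base equation, and the "Remote Exploit without Auth.?" column is Yes exactly when Access Vector is Network and Authentication is None. The following Python is an added example, not part of the Oracle bulletin, that recomputes both values from the metric columns so a reader can check a row (or prioritise rows from a vulnerability feed) independently. The metric weights and equation are those of the CVSS v2.0 specification; the `ROWS` sample is copied from the matrices above, and the vector-string parser assumes the standard `AV:N/AC:L/Au:N/C:P/I:P/A:P` notation.

```python
"""Recompute CVSS v2.0 base scores for the risk-matrix rows (added example)."""
import math

# CVSS v2.0 base metric weights from the specification.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# Letter codes used in CVSS v2 vector strings, e.g. AV:N/AC:L/Au:N/C:P/I:P/A:P
_AV = {"L": "Local", "A": "Adjacent Network", "N": "Network"}
_AC = {"H": "High", "M": "Medium", "L": "Low"}
_AU = {"M": "Multiple", "S": "Single", "N": "None"}
_CIA = {"N": "None", "P": "Partial", "C": "Complete"}


def round_to_1_decimal(x):
    # CVSS v2 rounds half up to one decimal place; Python's round() uses
    # banker's rounding, so do it explicitly.
    return math.floor(x * 10 + 0.5) / 10


def base_score(av, ac, au, c, i, a):
    """CVSS v2.0 base equation using the column names of the risk matrix."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # a no-impact vector scores 0.0
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def remote_exploit_without_auth(av, au):
    """The bulletin's 'Remote Exploit without Auth.?' column: AV Network and Au None."""
    return av == "Network" and au == "None"


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into the six metric names (assumed notation)."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    return (_AV[parts["AV"]], _AC[parts["AC"]], _AU[parts["Au"]],
            _CIA[parts["C"]], _CIA[parts["I"]], _CIA[parts["A"]])


def score_vector(vector):
    return base_score(*parse_vector(vector))


# Sample rows copied from the three risk matrices above:
# (CVE, AV, AC, Au, C, I, A, stated Base Score, stated Remote-without-Auth flag)
ROWS = [
    ("CVE-2015-0801", "Network", "Low", "None", "Partial", "Partial", "Partial", 7.5, "Yes"),
    ("CVE-2014-4617", "Network", "Low", "None", "None", "None", "Partial", 5.0, "Yes"),
    ("CVE-2015-3646", "Network", "Medium", "Single", "Partial", "None", "None", 3.5, "No"),
    ("CVE-2013-1569", "Local", "Medium", "Single", "None", "None", "Partial", 1.5, "No"),
    ("CVE-2015-1205", "Local", "High", "Single", "None", "None", "Partial", 1.0, "No"),
    ("CVE-2015-1856", "Network", "Low", "Single", "None", "Partial", "Partial", 5.5, "No"),
    ("CVE-2015-1799", "Adjacent Network", "Medium", "None", "Partial", "Partial", "Partial", 5.4, "No"),
    ("CVE-2014-0227", "Network", "High", "None", "Partial", "Partial", "Partial", 5.1, "Yes"),
    ("CVE-2014-9390", "Network", "High", "None", "Partial", "Partial", "None", 4.0, "Yes"),
    ("CVE-2015-1802", "Network", "Medium", "Single", "Complete", "Complete", "Complete", 8.5, "No"),
    ("CVE-2015-0255", "Local", "Low", "Single", "Partial", "None", "Partial", 3.2, "No"),
    ("CVE-2014-9297", "Network", "High", "None", "Partial", "None", "None", 2.6, "Yes"),
]


def check_rows(rows):
    """Return the CVEs whose stated score or remote flag disagrees with the computed values."""
    mismatches = []
    for cve, av, ac, au, c, i, a, stated_score, stated_remote in rows:
        if (base_score(av, ac, au, c, i, a) != stated_score
                or remote_exploit_without_auth(av, au) != (stated_remote == "Yes")):
            mismatches.append(cve)
    return mismatches


if __name__ == "__main__":
    for row in ROWS:
        print(row[0], base_score(*row[1:7]), remote_exploit_without_auth(row[1], row[3]))
    print("mismatches:", check_rows(ROWS))
```

Running it reports no mismatches for the sampled rows, which is the quick sanity check worth doing before using the bulletin's scores to order patching: a score of 5.0 with a "Yes" in the remote column (an unauthenticated network denial of service, for instance) and a 3.5 with "No" (authenticated, partial impact) differ only in the Authentication and impact metrics, and reproducing the arithmetic shows exactly which metric drives the difference.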

Notes:

  1. This fix also addresses CVE-2015-1803 CVE-2015-1804.
  2. This fix also addresses CVE-2015-2189 CVE-2015-2190.
  3. This fix also addresses CVE-2015-0290 CVE-2015-0291 CVE-2015-0288 CVE-2015-1787 CVE-2015-0207 CVE-2015-0293 CVE-2015-0208 CVE-2015-0285 CVE-2015-0286 CVE-2015-0209 CVE-2015-0287 CVE-2015-0204 CVE-2015-0289.
  4. This fix also addresses CVE-2014-3884 CVE-2014-3886.
  5. This fix also addresses CVE-2014-9656 CVE-2014-9657 CVE-2014-9658 CVE-2014-9659 CVE-2014-9660 CVE-2014-9661 CVE-2014-9664 CVE-2014-9666 CVE-2014-9667 CVE-2014-9669 CVE-2014-9670 CVE-2014-9671 CVE-2014-9672 CVE-2014-9673 CVE-2014-9674 CVE-2014-9675.
  6. This fix also addresses CVE-2011-4093.
  7. This fix also addresses CVE-2013-2383 CVE-2013-2384 CVE-2013-2419.
  8. This fix also addresses CVE-2014-6511 CVE-2014-6585.
  9. This fix also addresses CVE-2014-9654.
  10. This fix also addresses CVE-2015-3418.
  11. This fix also addresses CVE-2014-1574 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 CVE-2014-1585 CVE-2014-1586 CVE-2014-1587 CVE-2014-1590 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-8634 CVE-2014-8638 CVE-2014-8639 CVE-2014-8641 CVE-2015-0807 CVE-2015-0813 CVE-2015-0815 CVE-2015-0816 CVE-2015-0817 CVE-2015-0818 CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0836.
  12. This fix also addresses CVE-2015-3812 CVE-2015-3814.