Oracle Solaris Third Party Bulletin - July 2015
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 20 October 2015
- 19 January 2016
- 19 April 2016
- 19 July 2016
References
Modification History
2015-September-15 |
Rev 6. Added CVE-2014-4650 for Python |
2015-September-04 |
Rev 5. Added CVE-2015-5722 for Bind |
2015-August-17 |
Rev 4. Multiple CVEs added |
2015-August-03 |
Rev 3. Added CVE-2015-5477 for Bind |
2015-July-20 |
Rev 2. Added CVE-2015-1793 for OpenSSL |
2015-July-14 |
Rev 1. Initial Release |
Oracle Solaris Executive Summary
This Third Party Bulletin contains 60 new security fixes for the Oracle Solaris. 53 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Risk Matrix
Revision 6: Published on 2015-09-15
CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
CVE-2014-4650 |
Solaris |
Multiple |
Python |
Yes |
5.0 |
Network |
Low |
None |
Partial |
None |
None |
10 |
|
Revision 5: Published on 2015-09-04
CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
CVE-2015-5722 |
Solaris |
DNS |
Bind |
Yes |
7.8 |
Network |
Low |
None |
None |
None |
Complete |
11.2, 10 |
|
Revision 4: Published on 2015-08-17
CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
CVE-2014-9495 |
Solaris |
Multiple |
LibPNG |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-0973 |
Solaris |
Multiple |
LibPNG |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-2326 |
Solaris |
Multiple |
PCRE |
Yes |
6.8 |
Network |
Medium |
None |
Partial |
Partial |
Partial |
11.2 |
See Note 1 |
CVE-2015-3210 |
Solaris |
Multiple |
PCRE |
Yes |
6.8 |
Network |
Medium |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-3217 |
Solaris |
Multiple |
PCRE |
Yes |
6.8 |
Network |
Medium |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-5073 |
Solaris |
Multiple |
PCRE |
Yes |
6.8 |
Network |
Medium |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2014-7142 |
Solaris |
Multiple |
Squid |
Yes |
6.4 |
Network |
Low |
None |
Partial |
None |
Partial |
11.2 |
See Note 7 |
CVE-2015-1038 |
Solaris |
Multiple |
P7ZIP |
Yes |
5.8 |
Network |
Medium |
None |
None |
Partial |
Partial |
11.2, 10 |
|
CVE-2015-3455 |
Solaris |
Multiple |
Squid |
Yes |
5.8 |
Network |
Medium |
None |
Partial |
Partial |
None |
11.2 |
|
CVE-2014-6270 |
Solaris |
Multiple |
Squid |
Yes |
5.1 |
Network |
High |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2014-0128 |
Solaris |
Multiple |
Squid |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
|
CVE-2014-3609 |
Solaris |
Multiple |
Squid |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
See Note 6 |
CVE-2014-3566 |
Solaris |
Multiple |
W3M |
Yes |
5.0 |
Network |
Low |
None |
Partial |
None |
None |
11.2 |
|
CVE-2014-3566 |
Solaris |
Multiple |
Ruby |
Yes |
5.0 |
Network |
Low |
None |
Partial |
None |
None |
11.2 |
|
CVE-2014-3566 |
Solaris |
Multiple |
Lynx |
Yes |
5.0 |
Network |
Low |
None |
Partial |
None |
None |
11.2 |
|
CVE-2014-9601 |
Solaris |
Multiple |
Python Imaging Library (PIL) |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
|
CVE-2015-1380 |
Solaris |
Multiple |
PRIVOXY |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
See Note 4 |
CVE-2015-4024 |
Solaris |
Multiple |
PHP |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
|
CVE-2013-6501 |
Solaris |
None |
PHP |
No |
4.6 |
Local |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2013-1821 |
Solaris |
Multiple |
Ruby |
Yes |
4.3 |
Network |
Medium |
None |
None |
None |
Partial |
11.2 |
See Note 5 |
CVE-2014-8964 |
Solaris |
Multiple |
PCRE |
Yes |
4.3 |
Network |
Medium |
None |
None |
None |
Partial |
11.2 |
|
CVE-2015-1855 |
Solaris |
Multiple |
Ruby |
Yes |
4.3 |
Network |
Medium |
None |
None |
Partial |
None |
11.2 |
|
CVE-2015-3219 |
Solaris |
Multiple |
OpenStack Horizon |
Yes |
4.3 |
Network |
Medium |
None |
None |
Partial |
None |
11.2 |
|
CVE-2015-1196 |
Solaris |
None |
GNU patch utility |
No |
3.6 |
Local |
Low |
None |
Partial |
Partial |
None |
11.2 |
|
CVE-2015-1545 |
Solaris |
Multiple |
OpenLDAP server |
No |
2.1 |
Network |
High |
Single |
None |
None |
null |
11.2 |
|
CVE-2015-1607 |
Solaris |
None |
GnuPG |
No |
1.2 |
Local |
High |
None |
Partial |
None |
None |
11.2 |
See Note 11 |
Revision 3: Published on 2015-08-03
CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
CVE-2015-5477 |
Solaris |
DNS |
Bind |
Yes |
7.8 |
Network |
Low |
None |
None |
None |
Complete |
11.2, 10 |
|
Revision 2: Published on 2015-07-20
CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
CVE-2015-1793 |
Solaris |
SSL/TLS |
OpenSSL |
Yes |
6.4 |
Network |
Low |
None |
Partial |
Partial |
None |
11.2 |
|
Revision 1: Published on 2015-07-14
CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
CVE-2014-9425 |
Solaris |
Multiple |
PHP |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-0231 |
Solaris |
Multiple |
PHP |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-0261 |
Solaris |
Multiple |
TCPdump |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
See Note 9 |
CVE-2014-9653 |
Solaris |
Multiple |
PHP |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2014-9705 |
Solaris |
Multiple |
PHP |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-0273 |
Solaris |
Multiple |
PHP |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-2331 |
Solaris |
Multiple |
PHP |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-2787 |
Solaris |
Multiple |
PHP |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2013-7439 |
Solaris |
Multiple |
X.Org |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2, 10 |
|
CVE-2014-9462 |
Solaris |
Multiple |
Mercurial source code management |
Yes |
7.5 |
Network |
Low |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-0232 |
Solaris |
Multiple |
PHP |
Yes |
6.8 |
Network |
Medium |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2015-1351 |
Solaris |
Multiple |
PHP |
Yes |
6.8 |
Network |
Medium |
None |
Partial |
Partial |
Partial |
11.2 |
See Note 3 |
CVE-2015-1791 |
Solaris |
SSL/TLS |
OpenSSL |
Yes |
6.8 |
Network |
Medium |
None |
Partial |
Partial |
Partial |
11.2 |
|
CVE-2014-8768 |
Solaris |
Multiple |
TCPdump |
Yes |
6.4 |
Network |
Low |
None |
Partial |
None |
Partial |
11.2 |
See Note 8 |
CVE-2015-0255 |
Solaris |
Multiple |
Xsun server |
Yes |
6.4 |
Network |
Low |
None |
Partial |
None |
Partial |
11.2 |
|
CVE-2015-3294 |
Solaris |
Multiple |
DNSmasq |
Yes |
6.4 |
Network |
Low |
None |
Partial |
None |
Partial |
11.2 |
|
CVE-2014-3710 |
Solaris |
Multiple |
PHP |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
See Note 2 |
CVE-2014-3566 |
Solaris |
Multiple |
SLRN Usenet newsreader |
Yes |
5.0 |
Network |
Low |
None |
Partial |
None |
None |
11.2 |
|
CVE-2014-3566 |
Solaris |
Multiple |
PHP |
Yes |
5.0 |
Network |
Low |
None |
Partial |
None |
None |
11.2 |
|
CVE-2014-9652 |
Solaris |
Multiple |
PHP |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
|
CVE-2015-2348 |
Solaris |
Multiple |
PHP |
Yes |
5.0 |
Network |
Low |
None |
None |
Partial |
None |
11.2 |
|
CVE-2015-1792 |
Solaris |
SSL/TLS |
OpenSSL |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
|
CVE-2015-1790 |
Solaris |
SSL/TLS |
OpenSSL |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2, 10 |
|
CVE-2015-1790 |
Solaris |
Multiple |
WanBoot |
Yes |
5.0 |
Network |
Low |
None |
None |
None |
Partial |
11.2 |
See Note 10 |
CVE-2015-1855 |
Solaris |
Multiple |
Ruby |
Yes |
4.3 |
Network |
Medium |
None |
None |
Partial |
None |
11.2 |
|
CVE-2015-1789 |
Solaris |
SSL/TLS |
OpenSSL |
Yes |
4.3 |
Network |
Medium |
None |
None |
None |
Partial |
11.2, 10 |
|
CVE-2015-1788 |
Solaris |
SSL/TLS |
OpenSSL |
Yes |
4.3 |
Network |
Medium |
None |
None |
None |
Partial |
11.2 |
|
CVE-2015-4000 |
Solaris |
SSL/TLS |
OpenSSL |
Yes |
4.3 |
Network |
Medium |
None |
None |
Partial |
None |
11.2, 10 |
|
CVE-2015-3988 |
Solaris |
Multiple |
OpenStack Horizon |
No |
3.5 |
Network |
Medium |
Single |
None |
Partial |
None |
11.2 |
|
CVE-2014-8991 |
Solaris |
None |
PIP |
No |
2.1 |
Local |
Low |
None |
None |
None |
Partial |
11.2 |
|
CVE-2014-6511 |
Solaris |
None |
Localization (L10N) |
No |
1.7 |
Local |
Low |
Single |
Partial |
None |
None |
11.2 |
|
Notes:
- This fix also addresses CVE-2015-2325.
- This fix also addresses CVE-2014-3622 CVE-2014-3668 CVE-2014-3669 CVE-2014-3670.
- This fix also addresses CVE-2015-1351 CVE-2015-1352 CVE-2015-2301 CVE-2015-2783 CVE-2015-3329 CVE-2015-3330.
- This fix also addresses CVE-2015-1381 CVE-2015-1382.
- This fix also addresses CVE-2014-8080 CVE-2014-8090.
- This fix also addresses CVE-2014-0128.
- This fix also addresses CVE-2014-7141.
- This fix also addresses CVE-2014-8767 CVE-2014-8769.
- This fix also addresses CVE-2015-2153 CVE-2015-2154 CVE-2015-2155.
- This fix also addresses CVE-2015-1789 CVE-2015-4000.
- This fix also addresses CVE-2015-1606.