Oracle Solaris Third Party Bulletin - July 2015

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day that Oracle Critical Patch Updates are released. These bulletins are also updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 October 2015
  • 19 January 2016
  • 19 April 2016
  • 19 July 2016

References

Modification History

2015-September-15 Rev 6. Added CVE-2014-4650 for Python
2015-September-04 Rev 5. Added CVE-2015-5722 for Bind
2015-August-17 Rev 4. Multiple CVEs added
2015-August-03 Rev 3. Added CVE-2015-5477 for Bind
2015-July-20 Rev 2. Added CVE-2015-1793 for OpenSSL
2015-July-14 Rev 1. Initial Release

Oracle Solaris Executive Summary

This Third Party Bulletin contains 60 new security fixes for Oracle Solaris. 53 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Risk Matrix

Revision 6: Published on 2015-09-15

The columns Base Score through Availability are the CVSS Version 2.0 Risk values (see Risk Matrix Definitions).

CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2014-4650 | Solaris | Multiple | Python | Yes | 5.0 | Network | Low | None | Partial | None | None | 10 |

Revision 5: Published on 2015-09-04

The columns Base Score through Availability are the CVSS Version 2.0 Risk values (see Risk Matrix Definitions).

CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2015-5722 | Solaris | DNS | Bind | Yes | 7.8 | Network | Low | None | None | None | Complete | 11.2, 10 |

Revision 4: Published on 2015-08-17

The columns Base Score through Availability are the CVSS Version 2.0 Risk values (see Risk Matrix Definitions).

CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2014-9495 | Solaris | Multiple | LibPNG | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-0973 | Solaris | Multiple | LibPNG | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-2326 | Solaris | Multiple | PCRE | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 | See Note 1
CVE-2015-3210 | Solaris | Multiple | PCRE | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 |
CVE-2015-3217 | Solaris | Multiple | PCRE | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 |
CVE-2015-5073 | Solaris | Multiple | PCRE | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 |
CVE-2014-7142 | Solaris | Multiple | Squid | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 11.2 | See Note 7
CVE-2015-1038 | Solaris | Multiple | P7ZIP | Yes | 5.8 | Network | Medium | None | None | Partial | Partial | 11.2, 10 |
CVE-2015-3455 | Solaris | Multiple | Squid | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.2 |
CVE-2014-6270 | Solaris | Multiple | Squid | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 11.2 |
CVE-2014-0128 | Solaris | Multiple | Squid | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 |
CVE-2014-3609 | Solaris | Multiple | Squid | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 6
CVE-2014-3566 | Solaris | Multiple | W3M | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 |
CVE-2014-3566 | Solaris | Multiple | Ruby | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 |
CVE-2014-3566 | Solaris | Multiple | Lynx | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 |
CVE-2014-9601 | Solaris | Multiple | Python Imaging Library (PIL) | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 |
CVE-2015-1380 | Solaris | Multiple | PRIVOXY | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 4
CVE-2015-4024 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 |
CVE-2013-6501 | Solaris | None | PHP | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2013-1821 | Solaris | Multiple | Ruby | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 | See Note 5
CVE-2014-8964 | Solaris | Multiple | PCRE | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 |
CVE-2015-1855 | Solaris | Multiple | Ruby | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 |
CVE-2015-3219 | Solaris | Multiple | OpenStack Horizon | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 |
CVE-2015-1196 | Solaris | None | GNU patch utility | No | 3.6 | Local | Low | None | Partial | Partial | None | 11.2 |
CVE-2015-1545 | Solaris | Multiple | OpenLDAP server | No | 2.1 | Network | High | Single | None | None | Partial | 11.2 |
CVE-2015-1607 | Solaris | None | GnuPG | No | 1.2 | Local | High | None | Partial | None | None | 11.2 | See Note 11

Revision 3: Published on 2015-08-03

The columns Base Score through Availability are the CVSS Version 2.0 Risk values (see Risk Matrix Definitions).

CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2015-5477 | Solaris | DNS | Bind | Yes | 7.8 | Network | Low | None | None | None | Complete | 11.2, 10 |

Revision 2: Published on 2015-07-20

The columns Base Score through Availability are the CVSS Version 2.0 Risk values (see Risk Matrix Definitions).

CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2015-1793 | Solaris | SSL/TLS | OpenSSL | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 11.2 |

Revision 1: Published on 2015-07-14

The columns Base Score through Availability are the CVSS Version 2.0 Risk values (see Risk Matrix Definitions).

CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
CVE-2014-9425 | Solaris | Multiple | PHP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-0231 | Solaris | Multiple | PHP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-0261 | Solaris | Multiple | TCPdump | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 | See Note 9
CVE-2014-9653 | Solaris | Multiple | PHP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2014-9705 | Solaris | Multiple | PHP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-0273 | Solaris | Multiple | PHP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-2331 | Solaris | Multiple | PHP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-2787 | Solaris | Multiple | PHP | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2013-7439 | Solaris | Multiple | X.Org | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2, 10 |
CVE-2014-9462 | Solaris | Multiple | Mercurial source code management | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 |
CVE-2015-0232 | Solaris | Multiple | PHP | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 |
CVE-2015-1351 | Solaris | Multiple | PHP | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 | See Note 3
CVE-2015-1791 | Solaris | SSL/TLS | OpenSSL | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 |
CVE-2014-8768 | Solaris | Multiple | TCPdump | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 11.2 | See Note 8
CVE-2015-0255 | Solaris | Multiple | Xsun server | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 11.2 |
CVE-2015-3294 | Solaris | Multiple | DNSmasq | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 11.2 |
CVE-2014-3710 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 2
CVE-2014-3566 | Solaris | Multiple | SLRN Usenet newsreader | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 |
CVE-2014-3566 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 |
CVE-2014-9652 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 |
CVE-2015-2348 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.2 |
CVE-2015-1792 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 |
CVE-2015-1790 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 |
CVE-2015-1790 | Solaris | Multiple | WanBoot | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 10
CVE-2015-1855 | Solaris | Multiple | Ruby | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 |
CVE-2015-1789 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2, 10 |
CVE-2015-1788 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 |
CVE-2015-4000 | Solaris | SSL/TLS | OpenSSL | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2, 10 |
CVE-2015-3988 | Solaris | Multiple | OpenStack Horizon | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.2 |
CVE-2014-8991 | Solaris | None | PIP | No | 2.1 | Local | Low | None | None | None | Partial | 11.2 |
CVE-2014-6511 | Solaris | None | Localization (L10N) | No | 1.7 | Local | Low | Single | Partial | None | None | 11.2 |

Notes:

  1. This fix also addresses CVE-2015-2325.
  2. This fix also addresses CVE-2014-3622 CVE-2014-3668 CVE-2014-3669 CVE-2014-3670.
  3. This fix also addresses CVE-2015-1351 CVE-2015-1352 CVE-2015-2301 CVE-2015-2783 CVE-2015-3329 CVE-2015-3330.
  4. This fix also addresses CVE-2015-1381 CVE-2015-1382.
  5. This fix also addresses CVE-2014-8080 CVE-2014-8090.
  6. This fix also addresses CVE-2014-0128.
  7. This fix also addresses CVE-2014-7141.
  8. This fix also addresses CVE-2014-8767 CVE-2014-8769.
  9. This fix also addresses CVE-2015-2153 CVE-2015-2154 CVE-2015-2155.
  10. This fix also addresses CVE-2015-1789 CVE-2015-4000.
  11. This fix also addresses CVE-2015-1606.