Oracle Solaris Bulletin

Cloud Account Sign in to Cloud Sign Up for Free Cloud Tier

Oracle Account

Oracle Solaris Third Party Bulletin - April 2016

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

19 July 2016
18 October 2016
17 January 2017
18 April 2017

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]

Modification History

2017-October-16	Rev 8. Added 11.3 as Supported Versions Affected for CVE-2016-2108
2016-September-21	Rev 7. Added new CVEs fixed via Firefox upgrade
2016-July-08	Rev 6. Added NTP CVEs
2016-June-27	Rev 5. Added OpenSSL CVE-2016-2177, CVE-2016-2178
2016-June-20	Rev 4. Added all CVEs fixed in Solaris 11.3 SRU9.4
2016-June-10	Rev 3. Added OpenSSL CVEs
2016-May-31	Rev 2. Added all CVEs fixed in Solaris 11.3 SRU8.7
2016-April-19	Rev 1. Initial Release

Oracle Solaris Executive Summary

This Third Party Bulletin contains 53 new security fixes for the Oracle Solaris. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Risk Matrix

Revision 7: Published on 2016-09-21

CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2014-1545	Solaris	Multiple	Firefox	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.3	See Note 13

Revision 6: Published on 2016-07-08

CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-1548	Solaris	NTP	NTP	Yes	6.4	Network	Low	None	None	Partial	Partial	11.3, 10	See Note 11
CVE-2016-4957	Solaris	NTP	NTP	Yes	5.0	Network	Low	None	None	None	Partial	11.3, 10
CVE-2016-4956	Solaris	NTP	NTP	Yes	5.0	Network	Low	None	None	None	Partial	11.3, 10
CVE-2016-4953	Solaris	NTP	NTP	Yes	4.3	Network	Medium	None	None	None	Partial	11.3, 10
CVE-2016-4954	Solaris	NTP	NTP	Yes	4.3	Network	Medium	None	None	None	Partial	11.3, 10
CVE-2016-4955	Solaris	NTP	NTP	Yes	2.6	Network	High	None	None	None	Partial	11.3, 10

Revision 5: Published on 2016-06-27

CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-2177	Solaris	SSL/TLS	OpenSSL	Yes	7.5	Network	Low	None	Partial	Partial	Partial	11.3, 10
CVE-2016-2178	Solaris	SSL/TLS	OpenSSL	No	2.1	Local	Low	None	Partial	None	None	11.3, 10

Revision 4: Published on 2016-06-20

CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-2806	Solaris	Multiple	GNU Libtasn1	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.3
CVE-2014-9679	Solaris	Multiple	Common Unix Printing System (CUPS)	Yes	6.8	Network	Medium	None	Partial	Partial	Partial	11.3
CVE-2015-8786	Solaris	Multiple	RabbitMQ	No	6.8	Network	Low	Single	None	None	Complete	11.3
CVE-2015-7546	Solaris	Multiple	OpenStack Identity (Keystone)	No	6.0	Network	Medium	Single	Partial	Partial	Partial	11.3
CVE-2015-5295	Solaris	Multiple	OpenStack Orchestration API (Heat)	No	5.5	Network	Low	Single	Partial	None	Partial	11.3
CVE-2016-3115	Solaris	SSH	OpenSSH	No	5.5	Network	Low	Single	Partial	Partial	None	11.3
CVE-2015-5223	Solaris	Multiple	OpenStack Object Storage (Swift)	Yes	5.0	Network	Low	None	Partial	None	None	11.3
CVE-2016-0738	Solaris	Multiple	OpenStack Object Storage (Swift)	Yes	5.0	Network	Low	None	None	None	Partial	11.3	See Note 8
CVE-2015-8853	Solaris	Multiple	Perl	Yes	5.0	Network	Low	None	None	None	Partial	11.3
CVE-2015-8665	Solaris	Multiple	LibTIFF	Yes	4.3	Network	Medium	None	None	None	Partial	11.3
CVE-2015-8683	Solaris	Multiple	LibTIFF	Yes	4.3	Network	Medium	None	None	None	Partial	11.3
CVE-2015-8781	Solaris	Multiple	LibTIFF	Yes	4.3	Network	Medium	None	None	None	Partial	11.3, 10	See Note 9
CVE-2015-1547	Solaris	Multiple	LibTIFF	Yes	4.3	Network	Medium	None	None	None	Partial	11.3, 10	See Note 10
CVE-2016-2512	Solaris	Multiple	Django Python web framework	Yes	4.3	Network	Medium	None	None	Partial	None	11.3
CVE-2016-4085	Solaris	Multiple	Wireshark	Yes	4.3	Network	Medium	None	None	None	Partial	11.3	See Note 12
CVE-2016-2513	Solaris	Multiple	Django Python web framework	Yes	2.6	Network	High	None	Partial	None	None	11.3

Revision 3: Published on 2016-06-10

CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-2108	Solaris	SSL/TLS	OpenSSL	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.3, 10
CVE-2016-2109	Solaris	SSL/TLS	OpenSSL	Yes	7.8	Network	Low	None	None	None	Complete	11.3, 10
CVE-2016-2176	Solaris	SSL/TLS	OpenSSL	Yes	6.4	Network	Low	None	Partial	None	Partial	11.3, 10
CVE-2016-2105	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.3, 10
CVE-2016-2106	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.3, 10
CVE-2016-2107	Solaris	SSL/TLS	OpenSSL	Yes	2.6	Network	High	None	Partial	None	None	11.3, 10	See Note 7

Revision 2: Published on 2016-05-31

CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-2315	Solaris	Multiple	Git	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.3	See Note 5
CVE-2016-2342	Solaris	Multiple	Quagga	Yes	7.6	Network	High	None	Complete	Complete	Complete	11.3
CVE-2015-7545	Solaris	Multiple	Git	Yes	7.5	Network	Low	None	Partial	Partial	Partial	11.3
CVE-2015-2695	Solaris	Kerberos	Kerberos	Yes	7.1	Network	Medium	None	None	None	Complete	11.3
CVE-2015-2697	Solaris	Kerberos	Kerberos	No	6.8	Network	Low	Single	None	None	Complete	11.3
CVE-2016-3068	Solaris	Multiple	Mercurial source code management	Yes	6.8	Network	Medium	None	Partial	Partial	Partial	11.3	See Note 4
CVE-2016-3115	Solaris	SSH	SSH	No	5.5	Network	Low	Single	Partial	Partial	None	11.3, 10
CVE-2014-3566	Solaris	SSL	Evolution	Yes	5.0	Network	Low	None	Partial	None	None	11.3
CVE-2015-7551	Solaris	None	Ruby	No	4.6	Local	Low	None	Partial	Partial	Partial	11.3
CVE-2015-8629	Solaris	Kerberos	Kerberos	No	2.1	Network	High	Single	Partial	None	None	11.3, 10

Revision 1: Published on 2016-04-19

CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Component	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2016-0705	Solaris	SSL/TLS	OpenSSL	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.3, 10
CVE-2016-0799	Solaris	SSL/TLS	WanBoot	Yes	10.0	Network	Low	None	Complete	Complete	Complete	10	See Note 1
CVE-2016-0798	Solaris	SSL/TLS	OpenSSL	Yes	7.8	Network	Low	None	None	None	Complete	11.3, 10
CVE-2015-3415	Solaris	Multiple	SQLite3	Yes	7.5	Network	Low	None	Partial	Partial	Partial	11.3, 10	See Note 3
CVE-2015-5602	Solaris	None	Sudo	No	7.2	Local	Low	None	Complete	Complete	Complete	11.3, 10
CVE-2015-4752	Solaris	None	MySQL	No	7.2	Local	Low	None	Complete	Complete	Complete	11.3	See Note 2
CVE-2016-2523	Solaris	Multiple	Wireshark	Yes	7.1	Network	Medium	None	None	None	Complete	11.3
CVE-2016-1283	Solaris	Multiple	PCRE	Yes	6.8	Network	Medium	None	Partial	Partial	Partial	11.3
CVE-2014-9766	Solaris	Multiple	X.Org	Yes	6.8	Network	Medium	None	Partial	Partial	Partial	11.3, 10
CVE-2015-3885	Solaris	Multiple	Dcraw	Yes	4.3	Network	Medium	None	None	None	Partial	11.3
CVE-2007-6720	Solaris	Multiple	Libmikmod	Yes	2.6	Network	High	None	None	None	Partial	11.3
CVE-2016-0702	Solaris	None	OpenSSL	No	1.9	Local	Medium	None	Partial	None	None	11.3, 10	See Note 6

Notes:

This fix also addresses CVE-2016-0703 CVE-2016-0704 CVE-2016-0797 CVE-2016-0800.
This fix also addresses CVE-2014-6464 CVE-2014-6469 CVE-2014-6491 CVE-2014-6494 CVE-2014-6500 CVE-2014-6507 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0374 CVE-2015-0382 CVE-2015-0411 CVE-2015-0432 CVE-2015-0433 CVE-2015-0499 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-4737 CVE-2015-4792 CVE-2015-4802 CVE-2015-4807 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4864 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 CVE-2015-7744 CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616.
This fix also addresses CVE-2015-3414 CVE-2015-3416.
This fix also addresses CVE-2016-3069 CVE-2016-3630.
This fix also addresses CVE-2016-2324.
This fix also addresses CVE-2016-0702 CVE-2016-0797 CVE-2016-0799.
This fix also addresses CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2176.
This fix also addresses CVE-2016-0737.
This fix also addresses CVE-2015-8782 CVE-2015-8783.
This fix also addresses CVE-2015-8784.
This fix also addresses CVE-2016-1551 CVE-2016-1549 CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519 CVE-2016-1547 CVE-2015-7704 CVE-2015-8138 CVE-2016-1550.
This fix also addresses CVE-2016-4085.
This fix also addresses CVE-2013-5609 CVE-2013-5610 CVE-2013-5611 CVE-2013-5612 CVE-2013-5613 CVE-2013-5614 CVE-2013-5615 CVE-2013-5616 CVE-2013-5618 CVE-2013-5619 CVE-2013-6629 CVE-2013-6630 CVE-2013-6671 CVE-2013-6672 CVE-2013-6673 CVE-2014-1477 CVE-2014-1478 CVE-2014-1479 CVE-2014-1480 CVE-2014-1481 CVE-2014-1482 CVE-2014-1483 CVE-2014-1484 CVE-2014-1485 CVE-2014-1486 CVE-2014-1487 CVE-2014-1488 CVE-2014-1489 CVE-2014-1493 CVE-2014-1494 CVE-2014-1496 CVE-2014-1497 CVE-2014-1498 CVE-2014-1499 CVE-2014-1500 CVE-2014-1501 CVE-2014-1502 CVE-2014-1504 CVE-2014-1505 CVE-2014-1506 CVE-2014-1507 CVE-2014-1508 CVE-2014-1509 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512 CVE-2014-1513 CVE-2014-1514 CVE-2014-1518 CVE-2014-1519 CVE-2014-1520 CVE-2014-1522 CVE-2014-1523 CVE-2014-1524 CVE-2014-1525 CVE-2014-1526 CVE-2014-1527 CVE-2014-1528 CVE-2014-1529 CVE-2014-1530 CVE-2014-1531 CVE-2014-1532 CVE-2014-1533 CVE-2014-1534 CVE-2014-1536 CVE-2014-1537 CVE-2014-1538 CVE-2014-1539 CVE-2014-1540 CVE-2014-1541 CVE-2014-1542 CVE-2014-1543 CVE-2014-1544 CVE-2014-1547 CVE-2014-1548 CVE-2014-1549 CVE-2014-1550 CVE-2014-1551 CVE-2014-1552 CVE-2014-1553 CVE-2014-1554 CVE-2014-1555 CVE-2014-1556 CVE-2014-1557 CVE-2014-1559 CVE-2014-1561 CVE-2014-1562 CVE-2014-1563 CVE-2014-1564 CVE-2014-1565 CVE-2014-1566 CVE-2014-1567 CVE-2014-1568 CVE-2014-1569 CVE-2014-1575 CVE-2014-1580 CVE-2014-1582 CVE-2014-1584 CVE-2014-1588 CVE-2014-1589 CVE-2014-1591 CVE-2014-1595 CVE-2014-2018 CVE-2014-8631 CVE-2014-8632 CVE-2014-8635 CVE-2014-8636 CVE-2014-8637 CVE-2014-8640 CVE-2014-8642 CVE-2014-8643 CVE-2015-0797 CVE-2015-0798 CVE-2015-0799 CVE-2015-0800 CVE-2015-0802 CVE-2015-0803 CVE-2015-0804 CVE-2015-0805 CVE-2015-0806 CVE-2015-0808 CVE-2015-0810 CVE-2015-0811 CVE-2015-0812 CVE-2015-0814 CVE-2015-0819 CVE-2015-0820 CVE-2015-0821 CVE-2015-0823 CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0828 CVE-2015-0829 CVE-2015-0830 CVE-2015-0832 CVE-2015-0833 CVE-2015-0834 CVE-2015-0835 CVE-2015-2706 CVE-2015-2708 CVE-2015-2709 CVE-2015-2710 CVE-2015-2711 CVE-2015-2712 CVE-2015-2713 CVE-2015-2714 CVE-2015-2715 CVE-2015-2716 CVE-2015-2717 CVE-2015-2718 CVE-2015-2720 CVE-2015-2721 CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2726 CVE-2015-2727 CVE-2015-2728 CVE-2015-2729 CVE-2015-2730 CVE-2015-2731 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2742 CVE-2015-2743 CVE-2015-4473 CVE-2015-4474 CVE-2015-4475 CVE-2015-4476 CVE-2015-4477 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4481 CVE-2015-4482 CVE-2015-4483 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4490 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493 CVE-2015-4495 CVE-2015-4496 CVE-2015-4497 CVE-2015-4498 CVE-2015-4500 CVE-2015-4501 CVE-2015-4502 CVE-2015-4503 CVE-2015-4504 CVE-2015-4505 CVE-2015-4506 CVE-2015-4507 CVE-2015-4508 CVE-2015-4509 CVE-2015-4510 CVE-2015-4511 CVE-2015-4512 CVE-2015-4513 CVE-2015-4514 CVE-2015-4515 CVE-2015-4516 CVE-2015-4517 CVE-2015-4518 CVE-2015-4519 CVE-2015-4520 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7178 CVE-2015-7179 CVE-2015-7180 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7184 CVE-2015-7185 CVE-2015-7186 CVE-2015-7187 CVE-2015-7188 CVE-2015-7189 CVE-2015-7190 CVE-2015-7191 CVE-2015-7192 CVE-2015-7193 CVE-2015-7194 CVE-2015-7195 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200.