Oracle Solaris Third Party Bulletin - January 2025
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 15 April 2025
- 15 July 2025
- 21 October 2025
- 20 January 2026
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2025-March-18 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 79 |
| 2025-February-25 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 78 |
| 2025-January-21 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 77 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 59 new security patches for the Oracle Solaris Operating System. 35 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2025-03-18
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2017-10176 | Oracle Solaris | Network Security Services | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 1 |
| CVE-2025-22150 | Oracle Solaris | Node.js | HTTP | Yes | 6.8 | Network | High | None | Required | Un changed |
High | High | None | 11.4 | See Note 2 |
| CVE-2024-56374 | Oracle Solaris | Django | HTTP | Yes | 5.8 | Network | Low | None | None | Changed | None | None | Low | 11.4 | |
| CVE-2017-13693 | Oracle Solaris | Advanced Configuration and Power Interface | None | No | 3.3 | Local | Low | Low | None | Un changed |
Low | None | None | 11.4 | See Note 3 |
Revision 2: Published on 2025-02-25
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2024-12085 | Oracle Solaris | Rsync | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2024-50379 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2024-56732 | Oracle Solaris | Harfbuzz | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2024-6345 | Oracle Solaris | Python Packaging Authority | HTTP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2024-36474 | Oracle Solaris | libgsf | None | No | 8.4 | Local | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2024-46951 | Oracle Solaris | Ghostscript | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2024-48957 | Oracle Solaris | Libarchive | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2024-9632 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-11729 | Oracle Solaris | Network Security Services | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-12254 | Oracle Solaris | Python | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-34155 | Oracle Solaris | Go Programming Language | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2024-45797 | Oracle Solaris | Suricata | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 10 |
| CVE-2024-52530 | Oracle Solaris | libsoup | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2024-52532 | Oracle Solaris | libsoup | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2025-0237 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 11 |
| CVE-2025-0237 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2024-56201 | Oracle Solaris | Jinja2 | None | No | 7.3 | Local | Low | Low | Required | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2025-0509 | Oracle Solaris | JDK 8 | Multiple | No | 7.3 | Adjacent Network |
High | High | Required | Changed | High | High | High | 11.4 | |
| CVE-2024-52533 | Oracle Solaris | GLib | HTTP | Yes | 7 | Network | High | None | None | Un changed |
Low | Low | High | 11.4 | |
| CVE-2016-1938 | Oracle Solaris | Network Security Services | HTTP | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4 | |
| CVE-2024-11612 | Oracle Solaris | 7-Zip | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2018-12404 | Oracle Solaris | Network Security Services | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2024-11053 | Oracle Solaris | curl | HTTP | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | See Note 14 |
| CVE-2024-39936 | Oracle Solaris | Qt Toolkit | HTTP/2 | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2023-20569 | Oracle Solaris | Kernel | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 11.4 | |
| CVE-2023-49582 | Oracle Solaris | Apache Portable Runtime | None | No | 5.5 | Local | Low | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2022-21271 | Oracle Solaris | Network Security Services | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2024-8508 | Oracle Solaris | Unbound | DNS | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2024-45491 | Oracle Solaris | libexpat | None | No | 5.1 | Local | Low | None | None | Un changed |
None | Low | Low | 11.4 | See Note 15 |
| CVE-2024-52531 | Oracle Solaris | libsoup | None | No | 4.9 | Local | High | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2020-12400 | Oracle Solaris | Cryptographic framework | None | No | 4.4 | Local | High | Low | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2020-6829 | Oracle Solaris | Cryptographic framework | None | No | 4.4 | Local | High | Low | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2023-6135 | Oracle Solaris | Cryptographic framework | Multiple | Yes | 4.3 | Network | Low | None | Required | Un changed |
Low | None | None | 11.4 | |
| CVE-2015-1197 | Oracle Solaris | cpio | None | No | 4 | Local | Low | None | None | Un changed |
None | Low | None | 11.4 | See Note 16 |
| CVE-2023-1972 | Oracle Solaris | GNU binary utilities | None | No | 2.5 | Local | High | None | Required | Un changed |
None | None | Low | 11.4 | |
| CVE-2024-9681 | Oracle Solaris | curl | None | No | 2.5 | Local | High | Low | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2024-48651 | Oracle Solaris | ProFTPD | Multiple | No | 0 | Network | High | Low | None | Un changed |
None | None | None | 11.4 | |
Revision 1: Published on 2025-01-21
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2024-53899 | Oracle Solaris | virtualenv | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 17 |
| CVE-2024-53907 | Oracle Solaris | Django | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 18 |
| CVE-2022-24810 | Oracle Solaris | Net-SNMP | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.4 | See Note 19 |
| CVE-2024-11691 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 20 |
| CVE-2024-11691 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 21 |
| CVE-2024-9781 | Oracle Solaris | Wireshark | None | No | 7 | Local | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 22 |
| CVE-2024-10524 | Oracle Solaris | Wget | HTTP | Yes | 6.5 | Network | High | None | None | Changed | Low | Low | Low | 11.4 | |
| CVE-2024-6232 | Oracle Solaris | Python | HTTP | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2024-9287 | Oracle Solaris | Python | None | No | 6.3 | Local | Low | High | Required | Changed | Low | High | None | 11.4 | |
| CVE-2024-9902 | Oracle Solaris | Ansible | None | No | 6.3 | Local | High | Low | Required | Un changed |
High | High | Low | 11.4 | |
| CVE-2024-5535 | Oracle Solaris | MySQL | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | See Note 23 |
| CVE-2024-6923 | Oracle Solaris | Python | HTTP | No | 5.5 | Network | Low | Low | Required | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2024-8775 | Oracle Solaris | Ansible | None | No | 5.5 | Local | Low | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2023-27043 | Oracle Solaris | Python | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | Low | None | 11.4 | |
| CVE-2024-5569 | Oracle Solaris | Python | HTTP | Yes | 5.3 | Network | High | None | Required | Un changed |
None | None | High | 11.4 | See Note 24 |
| CVE-2024-8929 | Oracle Solaris | PHP | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | See Note 25 |
| CVE-2024-7592 | Oracle Solaris | Python | HTTP | No | 4.8 | Network | High | Low | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2024-11168 | Oracle Solaris | Python | HTTP | Yes | 3.7 | Network | High | None | None | Un changed |
None | Low | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2017-7781.2. This patch also addresses CVE-2025-23083 CVE-2025-23084 CVE-2025-23085 CVE-2025-23087 CVE-2025-23088 CVE-2025-23089.
3. This patch also addresses CVE-2017-13694.
4. This patch also addresses CVE-2024-12084 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747.
5. This patch also addresses CVE-2024-54677.
6. This patch also addresses CVE-2024-42415.
7. This patch also addresses CVE-2024-46952 CVE-2024-46953 CVE-2024-46954 CVE-2024-46955 CVE-2024-46956.
8. This patch also addresses CVE-2024-20696 CVE-2024-48958.
9. This patch also addresses CVE-2024-34156 CVE-2024-34158.
10. This patch also addresses CVE-2024-45795 CVE-2024-45796 CVE-2024-47187 CVE-2024-47188 CVE-2024-47522.
11. This patch also addresses CVE-2025-0238 CVE-2025-0239 CVE-2025-0240 CVE-2025-0241 CVE-2025-0242 CVE-2025-0243.
12. This patch also addresses CVE-2025-0238 CVE-2025-0239 CVE-2025-0240 CVE-2025-0241 CVE-2025-0242 CVE-2025-0243.
13. This patch also addresses CVE-2024-56326.
14. This patch also addresses CVE-2020-11053.
15. This patch also addresses CVE-2024-45490 CVE-2024-45492.
16. This patch also addresses CVE-2023-7207 CVE-2023-7216.
17. This patch also addresses CVE-2024-53899.
18. This patch also addresses CVE-2024-53908.
19. This patch also addresses CVE-2020-15862 CVE-2022-24805.
20. This patch also addresses CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461 CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465 CVE-2024-10466 CVE-2024-10467 CVE-2024-11692 CVE-2024-11693 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696 CVE-2024-11697 CVE-2024-11698 CVE-2024-11699.
21. This patch also addresses CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461 CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465 CVE-2024-10466 CVE-2024-10467 CVE-2024-11159 CVE-2024-11692 CVE-2024-11693 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696 CVE-2024-11697 CVE-2024-11698 CVE-2024-11699.
22. This patch also addresses CVE-2024-8250.
23. This patch also addresses CVE-2024-21193 CVE-2024-21194 CVE-2024-21196 CVE-2024-21197 CVE-2024-21198 CVE-2024-21199 CVE-2024-21200 CVE-2024-21201 CVE-2024-21203 CVE-2024-21204 CVE-2024-21207 CVE-2024-21209 CVE-2024-21212 CVE-2024-21213 CVE-2024-21218 CVE-2024-21219 CVE-2024-21230 CVE-2024-21231 CVE-2024-21232 CVE-2024-21236 CVE-2024-21237 CVE-2024-21238 CVE-2024-21239 CVE-2024-21241 CVE-2024-21243 CVE-2024-21244 CVE-2024-21247 CVE-2024-7264.
24. This patch also addresses CVE-2024-8088.
25. This patch also addresses CVE-2024-11233 CVE-2024-11234 CVE-2024-11236 CVE-2024-4577 CVE-2024-8925 CVE-2024-8926 CVE-2024-8927 CVE-2024-8932 CVE-2024-9026.