Oracle Solaris Third Party Bulletin - October 2024
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 21 January 2025
- 15 April 2025
- 15 July 2025
- 21 October 2025
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2024-November-26 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 75 |
| 2024-October-15 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 74 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 29 new security patches for the Oracle Solaris Operating System. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 2: Published on 2024-11-26
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2024-41671 | Oracle Solaris | Twisted | Multiple | Yes | 8.3 | Network | Low | None | None | Changed | Low | Low | Low | 11.4 | See Note 1 |
| CVE-2024-24246 | Oracle Solaris | Qpdf | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-38535 | Oracle Solaris | Suricata | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 2 |
| CVE-2024-6239 | Oracle Solaris | Poppler | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-9392 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2024-9392 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2024-9680 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2024-36472 | Oracle Solaris | GNOME Shell | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2024-6655 | Oracle Solaris | Gdk-Pixbuf | None | No | 7 | Local | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2024-40897 | Oracle Solaris | GStreamer | None | No | 6.7 | Local | High | Low | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-35357 | Oracle Solaris | Gnu Scientific Library | None | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2024-7006 | Oracle Solaris | LibTIFF | None | No | 6.2 | Local | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-0914 | Oracle Solaris | Pkcs#11 | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2024-6119 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2023-52722 | Oracle Solaris | Ghostscript | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | High | None | 11.4 | See Note 5 |
| CVE-2024-38428 | Oracle Solaris | Wget | Multiple | No | 5.5 | Local | Low | None | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2024-37371 | Oracle Solaris | Kerberos | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 6 |
| CVE-2023-52169 | Oracle Solaris | 7-Zip File Archiver | None | No | 4.9 | Local | High | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 7 |
| CVE-2024-41965 | Oracle Solaris | VIM | None | No | 4.8 | Local | Low | Low | Required | Un changed |
Low | Low | Low | 11.4 | See Note 8 |
| CVE-2024-5535 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 4.8 | Network | High | None | None | Un changed |
Low | Low | None | 11.4 | |
| CVE-2024-35235 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 4.4 | Local | Low | High | None | Un changed |
High | None | None | 11.4 | |
| CVE-2023-48232 | Oracle Solaris | VIM | Multiple | Yes | 4.3 | Network | Low | None | Required | Un changed |
None | None | Low | 11.4 | See Note 9 |
| CVE-2024-37535 | Oracle Solaris | Libvte | None | No | 4 | Local | Low | None | None | Un changed |
None | None | Low | 11.4 | See Note 10 |
| CVE-2024-43167 | Oracle Solaris | Unbound | None | No | 2.8 | Local | Low | Low | Required | Un changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2024-10-15
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2024-31744 | Oracle Solaris | JasPer | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2024-45230 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 11 |
| CVE-2024-8381 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2024-8381 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2024-42353 | Oracle Solaris | WebOb | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2024-41810.2. This patch also addresses CVE-2024-38534 CVE-2024-38535 CVE-2024-38536.
3. This patch also addresses CVE-2024-8900 CVE-2024-9393 CVE-2024-9394 CVE-2024-9396 CVE-2024-9397 CVE-2024-9398 CVE-2024-9399 CVE-2024-9400 CVE-2024-9401 CVE-2024-9402.
4. This patch also addresses CVE-2024-8900 CVE-2024-9393 CVE-2024-9394 CVE-2024-9396 CVE-2024-9397 CVE-2024-9398 CVE-2024-9399 CVE-2024-9400 CVE-2024-9401 CVE-2024-9402.
5. This patch also addresses CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29510 CVE-2024-29511 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871.
6. This patch also addresses CVE-2024-37370.
7. This patch also addresses CVE-2023-52169.
8. This patch also addresses CVE-2024-41965.
9. This patch also addresses CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237.
10. This patch also addresses CVE-2024-37535.
11. This patch also addresses CVE-2024-45231.
12. This patch also addresses CVE-2024-8382 CVE-2024-8383 CVE-2024-8384 CVE-2024-8385 CVE-2024-8386 CVE-2024-8387.
13. This patch also addresses CVE-2024-8382 CVE-2024-8384 CVE-2024-8385 CVE-2024-8386 CVE-2024-8387 CVE-2024-8394.