Oracle Solaris Third Party Bulletin - October 2019
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 14 January 2020
- 14 April 2020
- 14 July 2020
- 20 October 2020
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2019-December-17 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 16 |
| 2019-November-19 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 15 |
| 2019-October-15 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.15 and Solaris 11.4 SRU 14 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 84 new security patches for the Oracle Solaris Operating System. 59 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2019-12-17
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-18197 | Oracle Solaris | libxslt | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-18218 | Oracle Solaris | PHP | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-18224 | Oracle Solaris | Libidn | DNS | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-6978 | Oracle Solaris | LibGD | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-8375 | Oracle Solaris | WebKitGTK | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-17544 | Oracle Solaris | GNU Aspell | Multiple | Yes | 9.1 | Network | Low | None | None | Un changed |
High | None | High | 11.4 | |
| CVE-2019-17546 | Oracle Solaris | LibTIFF | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2019-7635 | Oracle Solaris | LibSDL | None | No | 8.4 | Local | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-11043 | Oracle Solaris | PHP | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-12290 | Oracle Solaris | Libidn | DNS | Yes | 7.5 | Network | Low | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2019-15903 | Oracle Solaris | libexpat | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2019-18217 | Oracle Solaris | ProFTPD | FTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2019-7548 | Oracle Solaris | SQLAlchemy | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 1 |
| CVE-2019-12749 | Oracle Solaris | dbus | None | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-13050 | Oracle Solaris | GnuPG | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-14980 | Oracle Solaris | ImageMagick | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-17595 | Oracle Solaris | Ncurses | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 2 |
| CVE-2019-8683 | Oracle Solaris | WebKitGTK | Multiple | Yes | 6.3 | Network | Low | None | Required | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2019-16935 | Oracle Solaris | Python | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2019-17547 | Oracle Solaris | ImageMagick | None | No | 5.9 | Local | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2017-10672 | Oracle Solaris | Xml::LibXML | Multiple | Yes | 5.6 | Network | High | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2018-1000654 | Oracle Solaris | Libtasn1 | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2018-20030 | Oracle Solaris | LibEXIF | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-15903 | Oracle Solaris | Python | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-1549 | Oracle Solaris | OpenSSL | TLS | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2019-15682 | Oracle Solaris | RDesktop | RDP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2019-16680 | Oracle Solaris | File-roller | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | Low | None | 11.4 | |
| CVE-2019-1547 | Oracle Solaris | OpenSSL | None | No | 4.7 | Local | High | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2019-3832 | Oracle Solaris | Libsndfile | None | No | 4.7 | Local | High | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-1563 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2015-8100 | Oracle Solaris | Net-SNMP | None | No | 3.3 | Local | Low | Low | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2019-9923 | Oracle Solaris | GNU Tar | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4 | |
Revision 2: Published on 2019-11-19
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2018-14349 | Oracle Solaris | Mutt | Multiple | Yes | 9.6 | Network | Low | None | Required | Changed | High | High | High | 11.4 | See Note 3 |
| CVE-2017-18266 | Oracle Solaris | xdg-utils | MIME | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2018-1000041 | Oracle Solaris | librsvg | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2019-15903 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2019-15903 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2019-11459 | Oracle Solaris | Evince | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2018-1000880 | Oracle Solaris | libarchive | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2018-19052 | Oracle Solaris | lighttpd | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 8 |
| CVE-2019-11596 | Oracle Solaris | Memcached | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2019-9518 | Oracle Solaris | Node.js | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 10 |
| CVE-2019-10216 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2019-12525 | Oracle Solaris | Squid | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 11 |
| CVE-2019-14811 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 12 |
| CVE-2016-10166 | Oracle Solaris | PHP | Multiple | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | None | Low | 11.4 | See Note 13 |
| CVE-2018-17294 | Oracle Solaris | Liblouis | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2019-14287 | Oracle Solaris | Sudo | Multiple | No | 6.4 | Local | High | High | None | Un changed |
High | High | High | , 10 | |
| CVE-2019-13636 | Oracle Solaris | GNU patch utility | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | , 10 | See Note 14 |
| CVE-2018-1000858 | Oracle Solaris | GnuPG | HTTP | Yes | 5.4 | Network | Low | None | Required | Un changed |
Low | None | Low | 11.4 | |
| CVE-2018-12910 | Oracle Solaris | libsoup | HTTP | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2019-1010299 | Oracle Solaris | Rust | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2019-13627 | Oracle Solaris | Libgcrypt | None | No | 4.7 | Local | High | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2019-14973 | Oracle Solaris | LibTIFF | None | No | 4.7 | Local | High | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2017-9778 | Oracle Solaris | GNU Debugger (GDB) | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4 | |
| CVE-2018-18074 | Oracle Solaris | Requests | HTTP | No | 2.6 | Adjacent Network |
High | None | Required | Un changed |
Low | None | None | 11.4 | |
Revision 1: Published on 2019-10-15
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-2774 | Oracle Solaris | MySQL | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 15 |
| CVE-2017-12652 | Oracle Solaris | libpng | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2017-12652 | Oracle Solaris | libpng | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2017-12652 | Oracle Solaris | libpng | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-11068 | Oracle Solaris | libxslt | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-11740 | Oracle Solaris | Firefox | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 16 |
| CVE-2018-20174 | Oracle Solaris | rdesktop | RDP | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 17 |
| CVE-2019-12795 | Oracle Solaris | gvfs | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-11739 | Oracle Solaris | Thunderbird | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | See Note 18 |
| CVE-2018-11782 | Oracle Solaris | Apache Subversion | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 19 |
| CVE-2019-10092 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 20 |
| CVE-2019-12293 | Oracle Solaris | Poppler | None | No | 6.6 | Local | Low | None | Required | Un changed |
Low | Low | High | 11.4 | See Note 21 |
| CVE-2019-16163 | Oracle Solaris | Oniguruma | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 22 |
| CVE-2019-2730 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 23 |
| CVE-2019-14494 | Oracle Solaris | Poppler | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 24 |
| CVE-2019-7663 | Oracle Solaris | LibTIFF | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 25 |
| CVE-2019-9511 | Oracle Solaris | Nghttp2 | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 26 |
| CVE-2019-11358 | Oracle Solaris | Django | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2019-12973 | Oracle Solaris | OpenJPEG | None | No | 5.5 | Local | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 27 |
| CVE-2018-20843 | Oracle Solaris | libexpat | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2019-12308 | Oracle Solaris | Django | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | See Note 28 |
| CVE-2018-20852 | Oracle Solaris | Python | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | |
| CVE-2019-14232 | Oracle Solaris | Django | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
Low | None | None | 11.4 | See Note 29 |
| CVE-2019-16319 | Oracle Solaris | Wireshark | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2018-17983 | Oracle Solaris | Mercurial | None | No | 5.1 | Local | High | None | None | Un changed |
None | High | None | 11.4 | See Note 30 |
| CVE-2018-0494 | Oracle Solaris | Wget | Multiple | Yes | 4.3 | Network | Low | None | Required | Un changed |
None | Low | None | 10 | |
| CVE-2018-12900 | Oracle Solaris | LibTIFF | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4 | See Note 31 |
| CVE-2019-6128 | Oracle Solaris | LibTIFF | None | No | 3.3 | Local | Low | None | Required | Un changed |
None | None | Low | 11.4 | |
Notes:
1. This patch also addresses CVE-2019-7164.2. This patch also addresses CVE-2019-17594.
3. This patch also addresses CVE-2018-14350 CVE-2018-14351 CVE-2018-14352 CVE-2018-14353 CVE-2018-14354 CVE-2018-14355 CVE-2018-14356 CVE-2018-14357 CVE-2018-14358 CVE-2018-14359 CVE-2018-14362.
4. This patch also addresses CVE-2019-11757 CVE-2019-11758 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764.
5. This patch also addresses CVE-2019-11757 CVE-2019-11758 CVE-2019-11759 CVE-2019-11760 CVE-2019-11761 CVE-2019-11762 CVE-2019-11763 CVE-2019-11764.
6. This patch also addresses CVE-2017-1000159.
7. This patch also addresses CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000879 CVE-2019-1000019 CVE-2019-1000020 CVE-2019-18408.
8. This patch also addresses CVE-2019-11072.
9. This patch also addresses CVE-2019-15026.
10. This patch also addresses CVE-2019-9511 CVE-2019-9513 CVE-2019-9514 CVE-2019-9515 CVE-2019-9516 CVE-2019-9517.
11. This patch also addresses CVE-2018-1172 CVE-2019-12527 CVE-2019-12529 CVE-2019-13345.
12. This patch also addresses CVE-2019-14812 CVE-2019-14813 CVE-2019-14817.
13. This patch also addresses CVE-2019-11034 CVE-2019-11035 CVE-2019-11036 CVE-2019-11038 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042 CVE-2019-13224 CVE-2019-6977 CVE-2019-9020 CVE-2019-9021 CVE-2019-9022 CVE-2019-9023 CVE-2019-9024 CVE-2019-9637 CVE-2019-9638 CVE-2019-9639 CVE-2019-9640 CVE-2019-9641.
14. This patch also addresses CVE-2018-1000156 CVE-2019-13638.
15. This patch also addresses CVE-2019-2737 CVE-2019-2738 CVE-2019-2739 CVE-2019-2740 CVE-2019-2741 CVE-2019-2757 CVE-2019-2758 CVE-2019-2778 CVE-2019-2791 CVE-2019-2797 CVE-2019-2805 CVE-2019-2819 CVE-2019-3822.
16. This patch also addresses CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752 CVE-2019-11753 CVE-2019-9812.
17. This patch also addresses CVE-2018-20175 CVE-2018-20176 CVE-2018-20177 CVE-2018-20178 CVE-2018-20179 CVE-2018-20180 CVE-2018-20181 CVE-2018-20182 CVE-2018-8791 CVE-2018-8792 CVE-2018-8793 CVE-2018-8794 CVE-2018-8795 CVE-2018-8796 CVE-2018-8797 CVE-2018-8798 CVE-2018-8799 CVE-2018-8800.
18. This patch also addresses CVE-2019-11740 CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11746 CVE-2019-11752 CVE-2019-9812.
19. This patch also addresses CVE-2019-0203.
20. This patch also addresses CVE-2019-10081 CVE-2019-10082 CVE-2019-10097 CVE-2019-10098 CVE-2019-9517.
21. This patch also addresses CVE-2019-11026 CVE-2019-14494.
22. This patch also addresses CVE-2019-13224 CVE-2019-13225.
23. This patch also addresses CVE-2019-2737 CVE-2019-2738 CVE-2019-2739 CVE-2019-2740 CVE-2019-2805 CVE-2019-2819.
24. This patch also addresses CVE-2019-9959.
25. This patch also addresses CVE-2018-12900.
26. This patch also addresses CVE-2019-9513.
27. This patch also addresses CVE-2018-5727 CVE-2018-6616.
28. This patch also addresses CVE-2019-11358 CVE-2019-12781.
29. This patch also addresses CVE-2019-14233 CVE-2019-14234 CVE-2019-14235.
30. This patch also addresses CVE-2019-3902.
31. This patch also addresses CVE-2018-19210.