Oracle Solaris Third Party Bulletin - October 2020
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 19 January 2021
- 20 April 2021
- 20 July 2021
- 19 October 2021
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2021-January-06 | Rev 4. Added X.Org CVEs fixed in Solaris 11.4 SRU 27 |
| 2020-December-18 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 28 |
| 2020-November-18 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 27 |
| 2020-October-20 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.23 and Solaris 11.4 SRU 26 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 60 new security patches for the Oracle Solaris Operating System. 42 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 4: Published on 2021-01-06
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-14345 | Oracle Solaris | X.Org | Multiple | No | 7.8 | Local | High | Low | None | Changed | High | High | High | 11.4 | |
| CVE-2020-14346 | Oracle Solaris | X.Org | Multiple | No | 7.8 | Local | High | Low | None | Changed | High | High | High | 11.4 | |
| CVE-2020-14361 | Oracle Solaris | X.Org | Multiple | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-14362 | Oracle Solaris | X.Org | Multiple | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-14363 | Oracle Solaris | X.Org | Multiple | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-14344 | Oracle Solaris | X.Org | Multiple | No | 7.5 | Local | High | Low | Required | Changed | High | High | High | 11.4 | |
| CVE-2020-14347 | Oracle Solaris | X.Org | Multiple | No | 3.8 | Local | Low | Low | None | Changed | Low | None | None | 11.4 | |
Revision 3: Published on 2020-12-18
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-15683 | Oracle Solaris | Firefox | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2020-15683 | Oracle Solaris | Thunderbird | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2020-27347 | Oracle Solaris | Terminal Multiplexer | Multiple | No | 8.5 | Network | High | Low | None | Changed | High | High | High | 11.4 | |
| CVE-2019-20919 | Oracle Solaris | Perl | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-15999 | Oracle Solaris | FreeType | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4, 10 | |
| CVE-2020-16012 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2020-16012 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2020-26575 | Oracle Solaris | Wireshark | FBZERO | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-25613 | Oracle Solaris | Ruby | HTTP | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2020-26116 | Oracle Solaris | Python | Multiple | Yes | 7.2 | Network | Low | None | None | Changed | Low | Low | None | 11.4 | |
| CVE-2020-14765 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 5 |
| CVE-2020-14878 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 6 |
| CVE-2020-26159 | Oracle Solaris | Oniguruma | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-7069 | Oracle Solaris | PHP | HTTP | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4 | See Note 7 |
| CVE-2020-24659 | Oracle Solaris | GnuTLS | SSL/TLS | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
Revision 2: Published on 2020-11-18
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2019-11734 | Oracle Solaris | Firefox | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2020-5311 | Oracle Solaris | Pillow | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 9 |
| CVE-2020-12416 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 10 |
| CVE-2020-15670 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-15670 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-15673 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 11 |
| CVE-2020-15673 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2020-15889 | Oracle Solaris | Lua | Multiple | Yes | 8.1 | Network | High | None | None | Un changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2020-24342 | Oracle Solaris | Lua | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2019-3829 | Oracle Solaris | GnuTLS | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2019-6706 | Oracle Solaris | Lua | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-13871 | Oracle Solaris | SQLite | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 15 |
| CVE-2020-24369 | Oracle Solaris | Lua | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 16 |
| CVE-2020-24583 | Oracle Solaris | Django | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 17 |
| CVE-2020-25219 | Oracle Solaris | libproxy | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-25862 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 18 |
| CVE-2020-11501 | Oracle Solaris | GnuTLS | TLS | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 19 |
| CVE-2019-14869 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2020-13596 | Oracle Solaris | Django | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
High | None | None | 11.4 | See Note 20 |
| CVE-2020-17489 | Oracle Solaris | GNOME Shell | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
High | None | None | 11.4 | |
| CVE-2019-5481 | Oracle Solaris | libcurl | Multiple | No | 6.3 | Adjacent Network |
Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 21 |
| CVE-2019-20892 | Oracle Solaris | Net-SNMP | SNMP | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-14093 | Oracle Solaris | Mutt | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | See Note 22 |
| CVE-2020-14422 | Oracle Solaris | Python | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-14928 | Oracle Solaris | GNOME evolution-data-server | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
None | High | None | 11.4 | |
| CVE-2020-12049 | Oracle Solaris | DBus | None | No | 5.5 | Local | Low | Low | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-8177 | Oracle Solaris | curl | Multiple | No | 5.4 | Network | High | Low | Required | Un changed |
None | High | Low | 11.4 | |
| CVE-2020-16117 | Oracle Solaris | GNOME evolution-data-server | Multiple | Yes | 5.3 | Network | High | None | Required | Un changed |
None | None | High | 11.4 | |
| CVE-2020-15025 | Oracle Solaris | NTP | Multiple | No | 4.9 | Network | Low | High | None | Un changed |
None | None | High | , 10 | |
| CVE-2018-20781 | Oracle Solaris | GNOME Keyring | None | No | 4.2 | Local | Low | High | Required | Un changed |
High | None | None | 11.4 | |
Revision 1: Published on 2020-10-20
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-9862 | Oracle Solaris | WebKitGTK | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 23 |
| CVE-2017-5226 | Oracle Solaris | WebKitGTK | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 24 |
| CVE-2020-15663 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 25 |
| CVE-2020-15663 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 26 |
| CVE-2020-24606 | Oracle Solaris | Squid | Multiple | Yes | 8.6 | Network | Low | None | None | Changed | None | None | High | 11.4 | |
| CVE-2020-10531 | Oracle Solaris | Node.js | TLS | Yes | 7.4 | Network | High | None | None | Un changed |
High | High | None | 11.4 | See Note 27 |
| CVE-2020-12825 | Oracle Solaris | libcroco | Multiple | Yes | 7.1 | Network | Low | None | Required | Un changed |
None | Low | High | 11.4 | |
| CVE-2020-12825 | Oracle Solaris | GNU gettext | Multiple | Yes | 7.1 | Network | Low | None | Required | Un changed |
None | Low | High | 11.4 | |
Notes:
1. This patch also addresses CVE-2020-15969.2. This patch also addresses CVE-2020-15969.
3. This patch also addresses CVE-2020-15999 CVE-2020-26950 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 CVE-2020-26966 CVE-2020-26968.
4. This patch also addresses CVE-2020-15999 CVE-2020-26950 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961 CVE-2020-26965 CVE-2020-26966 CVE-2020-26968.
5. This patch also addresses CVE-2020-14672 CVE-2020-14769 CVE-2020-14793 CVE-2020-14812 CVE-2020-14867.
6. This patch also addresses CVE-2020-14672 CVE-2020-14760 CVE-2020-14765 CVE-2020-14769 CVE-2020-14771 CVE-2020-14775 CVE-2020-14776 CVE-2020-14789 CVE-2020-14790 CVE-2020-14793 CVE-2020-14809 CVE-2020-14812 CVE-2020-14814 CVE-2020-14827 CVE-2020-14828 CVE-2020-14829 CVE-2020-14830 CVE-2020-14837 CVE-2020-14839 CVE-2020-14845 CVE-2020-14846 CVE-2020-14852 CVE-2020-14860 CVE-2020-14861 CVE-2020-14866 CVE-2020-14867 CVE-2020-14868 CVE-2020-14869 CVE-2020-14870 CVE-2020-14873 CVE-2020-14891 CVE-2020-14893.
7. This patch also addresses CVE-2020-7070.
8. This patch also addresses CVE-2019-11735 CVE-2019-11736 CVE-2019-11737 CVE-2019-11738 CVE-2019-11741 CVE-2019-11747 CVE-2019-11748 CVE-2019-11749 CVE-2019-11750 CVE-2019-11751 CVE-2019-11754 CVE-2019-11756 CVE-2019-11765 CVE-2019-17000 CVE-2019-17002 CVE-2019-17013 CVE-2019-17014 CVE-2019-17018 CVE-2019-17019 CVE-2019-17020 CVE-2019-17023 CVE-2019-17025 CVE-2020-12402 CVE-2020-12415 CVE-2020-12416 CVE-2020-12422 CVE-2020-12423 CVE-2020-12424 CVE-2020-12425 CVE-2020-12426 CVE-2020-15648 CVE-2020-15653 CVE-2020-15654 CVE-2020-15655 CVE-2020-15656 CVE-2020-15657 CVE-2020-15658.
9. This patch also addresses CVE-2020-10177 CVE-2020-10378 CVE-2020-10379 CVE-2020-10994 CVE-2020-11538.
10. This patch also addresses CVE-2020-12402 CVE-2020-12415 CVE-2020-12423 CVE-2020-12425 CVE-2020-12426 CVE-2020-15648 CVE-2020-15653 CVE-2020-15654 CVE-2020-15655 CVE-2020-15656 CVE-2020-15657 CVE-2020-15658.
11. This patch also addresses CVE-2020-15676 CVE-2020-15677 CVE-2020-15678.
12. This patch also addresses CVE-2020-15676 CVE-2020-15677 CVE-2020-15678.
13. This patch also addresses CVE-2020-15888 CVE-2020-15945.
14. This patch also addresses CVE-2019-3836.
15. This patch also addresses CVE-2020-15358.
16. This patch also addresses CVE-2020-24370 CVE-2020-24371.
17. This patch also addresses CVE-2020-24584.
18. This patch also addresses CVE-2020-25863 CVE-2020-25866.
19. This patch also addresses CVE-2020-13777.
20. This patch also addresses CVE-2020-13254.
21. This patch also addresses CVE-2019-5435 CVE-2019-5436 CVE-2019-5482.
22. This patch also addresses CVE-2020-14154 CVE-2020-14954.
23. This patch also addresses CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 CVE-2020-9925.
24. This patch also addresses CVE-2020-13753 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850.
25. This patch also addresses CVE-2020-15664.
26. This patch also addresses CVE-2020-15664.
27. This patch also addresses CVE-2020-11080 CVE-2020-8172 CVE-2020-8174.