Oracle Solaris Third Party Bulletin - July 2019

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Since January 20, 2015, Third Party Bulletins have been released on the same day as Oracle Critical Patch Updates. Each bulletin is also updated on the Tuesday closest to the 17th of each of the two months following its release (the two months between the normal quarterly Critical Patch Update publication dates). In addition, a Third Party Bulletin may be updated out of cycle for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 October 2019
  • 14 January 2020
  • 14 April 2020
  • 14 July 2020

Modification History

2019-October-03 Rev 4. Added CVE-2015-9381, CVE-2015-9382 and CVE-2015-9383
2019-September-17 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 13
2019-August-20 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 12
2019-July-16 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.13 and Solaris 11.4 SRU 11

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 47 new security fixes for the Oracle Solaris Operating System. 40 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 4: Published on 2019-10-03

The columns from Base Score to Availability are the CVSS version 3.0 base metrics (see Risk Matrix Definitions).

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-9381 | Oracle Solaris | FreeType | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3, 10 | See Note 1 |

Revision 3: Published on 2019-09-17

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-1000012 | Oracle Solaris | Elixir | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2019-13454 | Oracle Solaris | ImageMagick | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 2 |
| CVE-2019-5953 | Oracle Solaris | Wget | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4, 10 | See Note 3 |
| CVE-2019-6116 | Oracle Solaris | Ghostscript | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 4 |
| CVE-2019-13117 | Oracle Solaris | libxslt | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4 | See Note 5 |
| CVE-2019-6116 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.4 | See Note 6 |
| CVE-2019-11597 | Oracle Solaris | ImageMagick | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 7 |
| CVE-2019-11729 | Oracle Solaris | NSS | TLS | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 8 |
| CVE-2019-12900 | Oracle Solaris | BZip | None | No | 4.0 | Local | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2019-1010220 | Oracle Solaris | TCPdump | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 9 |

Revision 2: Published on 2019-08-20

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-12450 | Oracle Solaris | Glib | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-9947 | Oracle Solaris | Python 3.7 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 10 |
| CVE-2019-9947 | Oracle Solaris | Python 2.7 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 11 |
| CVE-2019-9947 | Oracle Solaris | Python 3.5 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 12 |
| CVE-2019-9947 | Oracle Solaris | Python 3.4 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 13 |
| CVE-2019-12735 | Oracle Solaris | Vim | None | No | 8.6 | Local | Low | None | Required | Changed | High | High | High | 11.4 | |
| CVE-2019-13045 | Oracle Solaris | Irssi | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-11730 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 14 |
| CVE-2019-11730 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 15 |
| CVE-2019-1559 | Oracle Solaris | MySQL 5.7.25 | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4 | See Note 16 |
| CVE-2018-20406 | Oracle Solaris | Python 3.7 | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.4 | See Note 17 |
| CVE-2019-0199 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 18 |
| CVE-2019-1559 | Oracle Solaris | MySQL 5.6.43 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | See Note 19 |
| CVE-2019-6471 | Oracle Solaris | BIND | DNS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2019-13619 | Oracle Solaris | Wireshark | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |

Revision 1: Published on 2019-07-16

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000805 | Oracle Solaris | Paramiko | SSH | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-10906 | Oracle Solaris | Jinja | HTML | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 11.4 | |
| CVE-2019-11704 | Oracle Solaris | Thunderbird | Multiple | Yes | 9.0 | Network | High | None | None | Changed | High | High | High | 11.4 | See Note 20 |
| CVE-2019-11707 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2017-18342 | Oracle Solaris | PyYAML | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2018-14423 | Oracle Solaris | OpenJPEG | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2019-3855 | Oracle Solaris | Libssh2 | SSH | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 21 |
| CVE-2018-6467 | Oracle Solaris | BIND | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2019-11324 | Oracle Solaris | Urllib3 | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 | |
| CVE-2019-11708 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2019-11707 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 22 |
| CVE-2017-12613 | Oracle Solaris | Apache Portable Runtime (APR) | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 10 | |
| CVE-2019-8321 | Oracle Solaris | RubyGems | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | 11.4 | See Note 23 |
| CVE-2018-18508 | Oracle Solaris | Network Security Services (NSS) | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2019-11236 | Oracle Solaris | Urllib3 | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.4 | See Note 24 |
| CVE-2017-12618 | Oracle Solaris | Apache Portable Runtime (APR) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 10 | |
| CVE-2018-16329 | Oracle Solaris | ImageMagick | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4, 10 | See Note 25 |
| CVE-2018-20467 | Oracle Solaris | ImageMagick | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4, 10 | |
| CVE-2018-19787 | Oracle Solaris | Lxml | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 26 |
| CVE-2018-5727 | Oracle Solaris | OpenJPEG | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 27 |
| CVE-2019-3870 | Oracle Solaris | Samba | Multiple | No | 4.2 | Network | High | Low | None | Unchanged | None | Low | Low | 11.4 | See Note 28 |
| CVE-2017-11164 | Oracle Solaris | Apache HTTP Server | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 10 | |

Notes:

  1. This fix also addresses CVE-2015-9382 and CVE-2015-9383.
  2. This fix also addresses CVE-2019-12974, CVE-2019-12975, CVE-2019-12976, CVE-2019-12977, CVE-2019-12978, CVE-2019-12979, CVE-2019-13295, CVE-2019-13296, CVE-2019-13297, CVE-2019-13298, CVE-2019-13299, CVE-2019-13300, CVE-2019-13301, CVE-2019-13302, CVE-2019-13303, CVE-2019-13304, CVE-2019-13305, CVE-2019-13306, CVE-2019-13307, CVE-2019-13308, CVE-2019-13309, CVE-2019-13311 and CVE-2019-13391.
  3. This fix also addresses CVE-2018-20483.
  4. This fix also addresses CVE-2019-3839.
  5. This fix also addresses CVE-2019-13118.
  6. This fix also addresses CVE-2019-3835 and CVE-2019-3838.
  7. This fix also addresses CVE-2019-10714, CVE-2019-11470, CVE-2019-11472, CVE-2019-11598, CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136, CVE-2019-13137, CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397 and CVE-2019-7398.
  8. This fix also addresses CVE-2019-11727.
  9. This fix also addresses CVE-2017-16808 and CVE-2018-19519.
  10. This fix also addresses CVE-2019-10160, CVE-2019-5010 and CVE-2019-9636.
  11. This fix also addresses CVE-2018-14647, CVE-2019-10160, CVE-2019-5010, CVE-2019-9636, CVE-2019-9740 and CVE-2019-9948.
  12. This fix also addresses CVE-2018-14647, CVE-2018-20406, CVE-2019-10160, CVE-2019-5010, CVE-2019-9636, CVE-2019-9740 and CVE-2019-9948.
  13. This fix also addresses CVE-2018-14647, CVE-2018-20406, CVE-2019-10160, CVE-2019-5010, CVE-2019-9636, CVE-2019-9740 and CVE-2019-9948.
  14. This fix also addresses CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11729 and CVE-2019-9811.
  15. This fix also addresses CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11729 and CVE-2019-9811.
  16. This fix also addresses CVE-2019-2566, CVE-2019-2581, CVE-2019-2592, CVE-2019-2614, CVE-2019-2627, CVE-2019-2628, CVE-2019-2632 and CVE-2019-2683.
  17. This fix also addresses CVE-2019-9740 and CVE-2019-9948.
  18. This fix also addresses CVE-2019-0221 and CVE-2019-10072.
  19. This fix also addresses CVE-2019-2614, CVE-2019-2627 and CVE-2019-2683.
  20. This fix also addresses CVE-2019-11703, CVE-2019-11705 and CVE-2019-11706.
  21. This fix also addresses CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862 and CVE-2019-3863.
  22. This fix also addresses CVE-2019-11708.
  23. This fix also addresses CVE-2019-8320, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324 and CVE-2019-8325.
  24. This fix also addresses CVE-2018-20060.
  25. This fix also addresses CVE-2018-15607.
  26. This fix also addresses CVE-2018-19591.
  27. This fix also addresses CVE-2018-5785 and CVE-2018-6616.
  28. This fix also addresses CVE-2019-3880.