Oracle Solaris Third Party Bulletin - July 2020
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 20 October 2020
- 19 January 2021
- 20 April 2021
- 20 July 2021
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2020-September-15 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 25 |
| 2020-August-18 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 24 |
| 2020-July-14 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.21 and Solaris 11.4 SRU 23 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 60 new security patches for the Oracle Solaris Operating System. 47 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2020-09-15
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-11984 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4, 10 | See Note 1 |
| CVE-2020-12417 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2020-12417 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2020-15659 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2020-15659 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2019-11048 | Oracle Solaris | PHP | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2019-20907 | Oracle Solaris | Python | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-11080 | Oracle Solaris | Nghttp2 | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-8620 | Oracle Solaris | BIND | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4, 10 | |
| CVE-2020-11996 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-13934 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 6 |
| CVE-2020-15466 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-17498 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | |
| CVE-2020-1967 | Oracle Solaris | MySQL 5.6 | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2020-1967 | Oracle Solaris | MySQL 5.7 | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 8 |
| CVE-2020-15389 | Oracle Solaris | OpenJPEG | Multiple | Yes | 7 | Network | High | None | None | Un changed |
Low | Low | High | 11.4 | |
| CVE-2019-14868 | Oracle Solaris | KornShell | None | No | 7 | Local | High | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-13962 | Oracle Solaris | Qt Toolkit | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2020-17507 | Oracle Solaris | Qt Toolkit | Multiple | Yes | 5.3 | Network | Low | None | None | Un changed |
None | None | Low | 11.4 | |
Revision 2: Published on 2020-08-18
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-13630 | Oracle Solaris | SQLite3 | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | See Note 9 |
| CVE-2019-11745 | Oracle Solaris | Netscape Security Services | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 10 |
| CVE-2020-11793 | Oracle Solaris | WebKitGTK | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-3895 | Oracle Solaris | WebKitGTK | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 11 |
| CVE-2020-3909 | Oracle Solaris | libxml2 | Multiple | Yes | 8.8 | Network | Low | None | Required | Un changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2019-18634 | Oracle Solaris | Sudo | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-20044 | Oracle Solaris | Zsh | None | No | 7.8 | Local | Low | Low | None | Un changed |
High | High | High | 11.4 | |
| CVE-2019-14855 | Oracle Solaris | GnuPG | None | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2019-17040 | Oracle Solaris | Rsyslog | Syslog | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 13 |
| CVE-2019-9232 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 14 |
| CVE-2019-9232 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 15 |
| CVE-2020-11008 | Oracle Solaris | Git | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | See Note 16 |
| CVE-2020-11868 | Oracle Solaris | ntpd | NTP | Yes | 7.5 | Network | Low | None | None | Un changed |
None | None | High | 11.4 | See Note 17 |
| CVE-2020-5260 | Oracle Solaris | Git | Multiple | Yes | 7.5 | Network | Low | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2020-10108 | Oracle Solaris | Twisted Web | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 18 |
| CVE-2020-10663 | Oracle Solaris | Ruby | Multiple | Yes | 7.3 | Network | Low | None | None | Un changed |
Low | Low | Low | 11.4 | See Note 19 |
| CVE-2019-18348 | Oracle Solaris | Python 2.7 | Multiple | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4, 10 | See Note 20 |
| CVE-2019-18348 | Oracle Solaris | Python | Multiple | Yes | 6.5 | Network | Low | None | None | Un changed |
Low | Low | None | 11.4 | See Note 21 |
| CVE-2020-11736 | Oracle Solaris | GNOME Archive Manager | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
High | None | None | 11.4 | |
| CVE-2020-2780 | Oracle Solaris | MySQL 5.6 | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 22 |
| CVE-2020-2780 | Oracle Solaris | MySQL 5.7 | Multiple | No | 6.5 | Network | Low | Low | None | Un changed |
None | None | High | 11.4 | See Note 23 |
| CVE-2020-8492 | Oracle Solaris | Python | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | None | High | 11.4 | See Note 24 |
| CVE-2019-1010180 | Oracle Solaris | GNU Debugger (GDB) | None | No | 6.1 | Local | Low | None | Required | Un changed |
High | None | Low | 11.4 | |
| CVE-2019-11358 | Oracle Solaris | RabbitMQ | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2020-11022 | Oracle Solaris | JQuery | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 25 |
| CVE-2020-9366 | Oracle Solaris | GNU Screen | None | No | 6.1 | Local | Low | None | Required | Changed | Low | Low | Low | 11.4 | |
| CVE-2019-2007 | Oracle Solaris | Vim | None | No | 6 | Local | Low | High | None | Un changed |
None | High | High | 11.4 | See Note 26 |
| CVE-2020-1945 | Oracle Solaris | Apache Ant | None | No | 5.9 | Local | Low | None | None | Un changed |
Low | Low | Low | 11.4 | |
| CVE-2020-6750 | Oracle Solaris | GLib | Multiple | Yes | 5.9 | Network | High | None | None | Un changed |
High | None | None | 11.4 | |
| CVE-2020-8618 | Oracle Solaris | BIND | DNS | No | 4.9 | Network | Low | High | None | Un changed |
None | None | High | 11.4, 10 | See Note 27 |
| CVE-2020-13645 | Oracle Solaris | GLib | TLS | Yes | 4.8 | Network | High | None | None | Un changed |
Low | Low | None | 11.4 | |
| CVE-2019-5068 | Oracle Solaris | Mesa | None | No | 4.4 | Local | Low | Low | None | Un changed |
Low | Low | None | 11.4 | |
| CVE-2019-14834 | Oracle Solaris | dnsmasq | Multiple | Yes | 3.7 | Network | High | None | None | Un changed |
None | None | Low | 11.4 | |
| CVE-2019-11291 | Oracle Solaris | RabbitMQ | None | No | 3.5 | Network | Low | High | Required | Un changed |
Low | Low | None | 11.4 | |
Revision 1: Published on 2020-07-14
| CVE# | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2020-1747 | Oracle Solaris | PyYAML | Multiple | Yes | 9.8 | Network | Low | None | None | Un changed |
High | High | High | 11.4 | |
| CVE-2020-12762 | Oracle Solaris | JSON-C | None | No | 7.8 | Local | Low | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-12137 | Oracle Solaris | Mailman | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | |
| CVE-2020-12399 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 28 |
| CVE-2020-12398 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un changed |
High | High | High | 11.4 | See Note 29 |
| CVE-2018-13796 | Oracle Solaris | Mailman | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | High | None | 11.4 | See Note 30 |
| CVE-2020-12108 | Oracle Solaris | Mailman | Multiple | Yes | 6.5 | Network | Low | None | Required | Un changed |
None | High | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2020-11985 CVE-2020-11993 CVE-2020-9490.2. This patch also addresses CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 CVE-2020-12421.
3. This patch also addresses CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 CVE-2020-12421.
4. This patch also addresses CVE-2020-15652 CVE-2020-6463 CVE-2020-6514.
5. This patch also addresses CVE-2020-15652 CVE-2020-6463 CVE-2020-6514.
6. This patch also addresses CVE-2020-13935.
7. This patch also addresses CVE-2020-14539 CVE-2020-14550 CVE-2020-14559.
8. This patch also addresses CVE-2020-14539 CVE-2020-14540 CVE-2020-14547 CVE-2020-14550 CVE-2020-14553 CVE-2020-14559 CVE-2020-14576.
9. This patch also addresses CVE-2020-13434 CVE-2020-13435 CVE-2020-13631 CVE-2020-13632.
10. This patch also addresses CVE-2019-11756.
11. This patch also addresses CVE-2020-3885 CVE-2020-3894 CVE-2020-3897 CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902.
12. This patch also addresses CVE-2020-3910 CVE-2020-3911.
13. This patch also addresses CVE-2019-17041 CVE-2019-17042.
14. This patch also addresses CVE-2019-9235 CVE-2019-9325 CVE-2019-9371.
15. This patch also addresses CVE-2019-9235 CVE-2019-9325 CVE-2019-9371.
16. This patch also addresses CVE-2020-5260.
17. This patch also addresses CVE-2018-8956 CVE-2020-13817.
18. This patch also addresses CVE-2020-10109.
19. This patch also addresses CVE-2020-10933.
20. This patch also addresses CVE-2016-10739 CVE-2019-9740 CVE-2019-9947.
21. This patch also addresses CVE-2016-10739 CVE-2019-9740 CVE-2019-9947.
22. This patch also addresses CVE-2020-2752 CVE-2020-2763 CVE-2020-2804 CVE-2020-2812 CVE-2020-2814 CVE-2020-2922.
23. This patch also addresses CVE-2020-2572 CVE-2020-2584 CVE-2020-2660 CVE-2020-2760 CVE-2020-2763 CVE-2020-2765 CVE-2020-2780 CVE-2020-2804 CVE-2020-2812 CVE-2020-2922.
24. This patch also addresses CVE-2020-8315.
25. This patch also addresses CVE-2020-11023.
26. This patch also addresses CVE-2019-20079.
27. This patch also addresses CVE-2020-8619.
28. This patch also addresses CVE-2020-12405 CVE-2020-12406 CVE-2020-12410.
29. This patch also addresses CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410.
30. This patch also addresses CVE-2020-12108.