Oracle Solaris Third Party Bulletin - April 2019

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins will also be updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 16 July 2019
  • 15 October 2019
  • 14 January 2020
  • 14 April 2020

Modification History

2019-June-25 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 10
2019-May-29 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 9
2019-April-16 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.10 and Solaris 11.4 SRU 8

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 44 new security fixes for the Oracle Solaris Operating System. 28 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2019-06-25

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-9797 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 1 |
| CVE-2019-9797 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 2 |
| CVE-2019-9903 | Oracle Solaris | Poppler | None | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 3 |
| CVE-2019-12295 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2017-18258 | Oracle Solaris | libxml2 | None | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | 11.3, 10 | |
| CVE-2019-8936 | Oracle Solaris | NTP | NTP | No | 5.3 | Network | High | Low | None | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2018-20650 | Oracle Solaris | Poppler | None | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.4 | |
| CVE-2019-9936 | Oracle Solaris | SQLite3 | None | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 11.4 | See Note 4 |
| CVE-2018-6260 | Oracle Solaris | NVIDIA Graphics Driver | None | No | 2.2 | Local | High | Low | Required | Unchanged | Low | None | None | 11.4 | |

Revision 2: Published on 2019-05-29

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-9636 | Oracle Solaris | Python | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-9636 | Oracle Solaris | Python | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-9636 | Oracle Solaris | Python | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2018-18356 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 5 |
| CVE-2018-18505 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 6 |
| CVE-2019-6212 | Oracle Solaris | WebKitGTK+ | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 7 |
| CVE-2019-9794 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 8 |
| CVE-2019-9810 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 9 |
| CVE-2019-0215 | Oracle Solaris | Apache HTTP server | HTTP | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | 11.4, 10 | See Note 10 |
| CVE-2018-1000876 | Oracle Solaris | GNU binary utilities | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 11 |
| CVE-2018-1000876 | Oracle Solaris | GNU binary utilities | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2019-0199 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2019-10899 | Oracle Solaris | Wireshark | None | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 12 |
| CVE-2019-6116 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2018-17985 | Oracle Solaris | GNU binary utilities | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 13 |
| CVE-2019-6975 | Oracle Solaris | Django | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2013-4288 | Oracle Solaris | PolicyKit | None | No | 4.7 | Network | Low | High | None | Unchanged | Low | Low | Low | 11.4 | See Note 14 |
| CVE-2019-3498 | Oracle Solaris | Django | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | Low | None | 11.4 | |
| CVE-2017-11164 | Oracle Solaris | PCRE | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | |
| CVE-2018-9234 | Oracle Solaris | GnuPG | OpenPGP | No | 2.2 | Local | High | Low | Required | Unchanged | None | Low | None | 11.4 | |

Revision 1: Published on 2019-04-16

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-18312 | Oracle Solaris | Perl | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 15 |
| CVE-2015-7995 | Oracle Solaris | libxslt | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4, 11.3 | See Note 16 |
| CVE-2018-18506 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 17 |
| CVE-2018-5745 | Oracle Solaris | BIND | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4, 10 | See Note 18 |
| CVE-2019-9208 | Oracle Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 19 |
| CVE-2018-0734 | Oracle Solaris | MySQL | Multiple | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 11.4 | See Note 20 |
| CVE-2018-0734 | Oracle Solaris | MySQL | Multiple | No | 7.1 | Network | Low | Low | None | Unchanged | High | Low | None | 11.4 | See Note 21 |
| CVE-2018-10194 | Oracle Solaris | Ghostscript | Multiple | No | 7 | Local | High | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2016-1549 | Oracle Solaris | NTP | NTP | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 11.4, 10 | See Note 22 |
| CVE-2018-5741 | Oracle Solaris | BIND | DNS | No | 6.5 | Network | Low | Low | None | Unchanged | None | High | None | 11.4, 10 | |
| CVE-2018-14404 | Oracle Solaris | libxml2 | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2019-1559 | Oracle Solaris | OpenSSL | SSL/TLS | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4, 11.3, 10 | |
| CVE-2018-17189 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 23 |
| CVE-2018-17189 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.4 | |
| CVE-2017-16879 | Oracle Solaris | ncurses | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 24 |

Notes:

  • 1. This fix also addresses CVE-2018-18511 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693 CVE-2019-11694 CVE-2019-11698 CVE-2019-5798 CVE-2019-7317 CVE-2019-9800 CVE-2019-9815 CVE-2019-9816 CVE-2019-9817 CVE-2019-9818 CVE-2019-9819 CVE-2019-9820.
  • 2. This fix also addresses CVE-2018-18511 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693 CVE-2019-11694 CVE-2019-11698 CVE-2019-5798 CVE-2019-7317 CVE-2019-9800 CVE-2019-9815 CVE-2019-9816 CVE-2019-9817 CVE-2019-9818 CVE-2019-9819 CVE-2019-9820.
  • 3. This fix also addresses CVE-2018-20662 CVE-2019-10873 CVE-2019-7310 CVE-2019-9200 CVE-2019-9631.
  • 4. This fix also addresses CVE-2019-9937.
  • 5. This fix also addresses CVE-2018-18509 CVE-2019-5785.
  • 6. This fix also addresses CVE-2016-5824 CVE-2017-16541 CVE-2018-12361 CVE-2018-12367 CVE-2018-12371 CVE-2018-12376 CVE-2018-12377 CVE-2018-12378 CVE-2018-12379 CVE-2018-12383 CVE-2018-12385 CVE-2018-12389 CVE-2018-12390 CVE-2018-12391 CVE-2018-12392 CVE-2018-12393 CVE-2018-12405 CVE-2018-17466 CVE-2018-18492 CVE-2018-18493 CVE-2018-18494 CVE-2018-18498 CVE-2018-18499 CVE-2018-18500 CVE-2018-18501 CVE-2018-18512 CVE-2018-18513 CVE-2018-5156 CVE-2018-5187.
  • 7. This fix also addresses CVE-2019-6215 CVE-2019-6216 CVE-2019-6217 CVE-2019-6226 CVE-2019-6227 CVE-2019-6229 CVE-2019-6233 CVE-2019-6234.
  • 8. This fix also addresses CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791 CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796 CVE-2019-9801 CVE-2019-9810 CVE-2019-9813.
  • 9. This fix also addresses CVE-2019-9813.
  • 10. This fix also addresses CVE-2019-0196 CVE-2019-0197 CVE-2019-0211 CVE-2019-0217 CVE-2019-0220.
  • 11. This fix also addresses CVE-2018-17358 CVE-2018-17359 CVE-2018-17360 CVE-2018-18309 CVE-2018-18605 CVE-2018-18606 CVE-2018-18607 CVE-2018-19931 CVE-2018-19932 CVE-2018-20002 CVE-2018-20623 CVE-2018-20651 CVE-2018-20671.
  • 12. This fix also addresses CVE-2019-10894 CVE-2019-10895 CVE-2019-10896 CVE-2019-10901 CVE-2019-10903.
  • 13. This fix also addresses CVE-2018-10372 CVE-2018-10373 CVE-2018-10534 CVE-2018-10535 CVE-2018-12641 CVE-2018-12697 CVE-2018-12698 CVE-2018-12699 CVE-2018-12700 CVE-2018-12934 CVE-2018-13033 CVE-2018-17358 CVE-2018-17359 CVE-2018-17360 CVE-2018-17794 CVE-2018-6759 CVE-2018-7208 CVE-2018-7568 CVE-2018-7569 CVE-2018-7570 CVE-2018-7642 CVE-2018-7643 CVE-2018-8945 CVE-2018-9138 CVE-2018-9996.
  • 14. This fix also addresses CVE-2018-1116.
  • 15. This fix also addresses CVE-2018-18313 CVE-2018-18314.
  • 16. This fix also addresses CVE-2015-9019 CVE-2016-1683 CVE-2016-1684 CVE-2016-4607 CVE-2016-4610 CVE-2017-5029.
  • 17. This fix also addresses CVE-2019-9788 CVE-2019-9790 CVE-2019-9791 CVE-2019-9792 CVE-2019-9793 CVE-2019-9794 CVE-2019-9795 CVE-2019-9796 CVE-2019-9801.
  • 18. This fix also addresses CVE-2018-5744 CVE-2019-6465.
  • 19. This fix also addresses CVE-2019-9209.
  • 20. This fix also addresses CVE-2019-2420 CVE-2019-2434 CVE-2019-2455 CVE-2019-2481 CVE-2019-2482 CVE-2019-2486 CVE-2019-2503 CVE-2019-2507 CVE-2019-2510 CVE-2019-2528 CVE-2019-2529 CVE-2019-2531 CVE-2019-2532 CVE-2019-2534 CVE-2019-2537.
  • 21. This fix also addresses CVE-2019-2455 CVE-2019-2481 CVE-2019-2482 CVE-2019-2503 CVE-2019-2507 CVE-2019-2529 CVE-2019-2531 CVE-2019-2534 CVE-2019-2537.
  • 22. This fix also addresses CVE-2018-7170.
  • 23. This fix also addresses CVE-2018-17199 CVE-2019-0190.
  • 24. This fix also addresses CVE-2017-13728 CVE-2017-13729 CVE-2017-13730 CVE-2017-13731 CVE-2017-13732 CVE-2017-13733 CVE-2017-13734.