Oracle Solaris Third Party Bulletin - January 2025


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:

  • 15 April 2025
  • 15 July 2025
  • 21 October 2025
  • 20 January 2026

References


Modification History

| Date | Note |
|---|---|
| 2025-February-25 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 78 |
| 2025-January-21 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 77 |

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 55 new security patches for the Oracle Solaris Operating System. 32 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.


Oracle Solaris Third Party Bulletin Risk Matrix

Revision 2: Published on 2025-02-25

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-12085 | Oracle Solaris | Rsync | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 1 |
| CVE-2024-50379 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 2 |
| CVE-2024-56732 | Oracle Solaris | Harfbuzz | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2024-6345 | Oracle Solaris | Python Packaging Authority | HTTP | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2024-36474 | Oracle Solaris | libgsf | None | No | 8.4 | Local | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 3 |
| CVE-2024-46951 | Oracle Solaris | Ghostscript | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 4 |
| CVE-2024-48957 | Oracle Solaris | Libarchive | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 5 |
| CVE-2024-9632 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-11729 | Oracle Solaris | Network Security Services | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-12254 | Oracle Solaris | Python | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2024-34155 | Oracle Solaris | Go Programming Language | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 6 |
| CVE-2024-45797 | Oracle Solaris | Suricata | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 7 |
| CVE-2024-52530 | Oracle Solaris | libsoup | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 | |
| CVE-2024-52532 | Oracle Solaris | libsoup | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2025-0237 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 8 |
| CVE-2025-0237 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 9 |
| CVE-2024-56201 | Oracle Solaris | Jinja2 | None | No | 7.3 | Local | Low | Low | Required | Unchanged | High | High | High | 11.4 | See Note 10 |
| CVE-2025-0509 | Oracle Solaris | JDK 8 | Multiple | No | 7.3 | Adjacent Network | High | High | Required | Changed | High | High | High | 11.4 | |
| CVE-2024-52533 | Oracle Solaris | GLib | HTTP | Yes | 7 | Network | High | None | None | Unchanged | Low | Low | High | 11.4 | |
| CVE-2016-1938 | Oracle Solaris | Network Security Services | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.4 | |
| CVE-2024-11612 | Oracle Solaris | 7-Zip | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2018-12404 | Oracle Solaris | Network Security Services | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | |
| CVE-2024-11053 | Oracle Solaris | curl | HTTP | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | See Note 11 |
| CVE-2024-39936 | Oracle Solaris | Qt Toolkit | HTTP/2 | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | |
| CVE-2023-20569 | Oracle Solaris | Kernel | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 11.4 | |
| CVE-2023-49582 | Oracle Solaris | Apache Portable Runtime | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.4 | |
| CVE-2022-21271 | Oracle Solaris | Network Security Services | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2024-8508 | Oracle Solaris | Unbound | DNS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2024-45491 | Oracle Solaris | libexpat | None | No | 5.1 | Local | Low | None | None | Unchanged | None | Low | Low | 11.4 | See Note 12 |
| CVE-2024-52531 | Oracle Solaris | libsoup | None | No | 4.9 | Local | High | None | None | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2020-12400 | Oracle Solaris | Cryptographic framework | None | No | 4.4 | Local | High | Low | Required | Unchanged | High | None | None | 11.4 | |
| CVE-2020-6829 | Oracle Solaris | Cryptographic framework | None | No | 4.4 | Local | High | Low | Required | Unchanged | High | None | None | 11.4 | |
| CVE-2023-6135 | Oracle Solaris | Cryptographic framework | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | Low | None | None | 11.4 | |
| CVE-2015-1197 | Oracle Solaris | cpio | None | No | 4 | Local | Low | None | None | Unchanged | None | Low | None | 11.4 | See Note 13 |
| CVE-2023-1972 | Oracle Solaris | GNU binary utilities | None | No | 2.5 | Local | High | None | Required | Unchanged | None | None | Low | 11.4 | |
| CVE-2024-9681 | Oracle Solaris | curl | None | No | 2.5 | Local | High | Low | None | Unchanged | Low | None | None | 11.4 | |
| CVE-2024-48651 | Oracle Solaris | ProFTPD | Multiple | No | 0 | Network | High | Low | None | Unchanged | None | None | None | 11.4 | |

Revision 1: Published on 2025-01-21

| CVE ID | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-53899 | Oracle Solaris | virtualenv | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 14 |
| CVE-2024-53907 | Oracle Solaris | Django | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 15 |
| CVE-2022-24810 | Oracle Solaris | Net-SNMP | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.4 | See Note 16 |
| CVE-2024-11691 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 17 |
| CVE-2024-11691 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 18 |
| CVE-2024-9781 | Oracle Solaris | Wireshark | None | No | 7 | Local | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 19 |
| CVE-2024-10524 | Oracle Solaris | Wget | HTTP | Yes | 6.5 | Network | High | None | None | Changed | Low | Low | Low | 11.4 | |
| CVE-2024-6232 | Oracle Solaris | Python | HTTP | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2024-9287 | Oracle Solaris | Python | None | No | 6.3 | Local | Low | High | Required | Changed | Low | High | None | 11.4 | |
| CVE-2024-9902 | Oracle Solaris | Ansible | None | No | 6.3 | Local | High | Low | Required | Unchanged | High | High | Low | 11.4 | |
| CVE-2024-5535 | Oracle Solaris | MySQL | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | See Note 20 |
| CVE-2024-6923 | Oracle Solaris | Python | HTTP | No | 5.5 | Network | Low | Low | Required | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2024-8775 | Oracle Solaris | Ansible | None | No | 5.5 | Local | Low | Low | None | Unchanged | High | None | None | 11.4 | |
| CVE-2023-27043 | Oracle Solaris | Python | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.4 | |
| CVE-2024-5569 | Oracle Solaris | Python | HTTP | Yes | 5.3 | Network | High | None | Required | Unchanged | None | None | High | 11.4 | See Note 21 |
| CVE-2024-8929 | Oracle Solaris | PHP | HTTP | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.4 | See Note 22 |
| CVE-2024-7592 | Oracle Solaris | Python | HTTP | No | 4.8 | Network | High | Low | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2024-11168 | Oracle Solaris | Python | HTTP | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | 11.4 | |

Notes:

1. This patch also addresses CVE-2024-12084 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747.

2. This patch also addresses CVE-2024-54677.

3. This patch also addresses CVE-2024-42415.

4. This patch also addresses CVE-2024-46952 CVE-2024-46953 CVE-2024-46954 CVE-2024-46955 CVE-2024-46956.

5. This patch also addresses CVE-2024-20696 CVE-2024-48958.

6. This patch also addresses CVE-2024-34156 CVE-2024-34158.

7. This patch also addresses CVE-2024-45795 CVE-2024-45796 CVE-2024-47187 CVE-2024-47188 CVE-2024-47522.

8. This patch also addresses CVE-2025-0238 CVE-2025-0239 CVE-2025-0240 CVE-2025-0241 CVE-2025-0242 CVE-2025-0243.

9. This patch also addresses CVE-2025-0238 CVE-2025-0239 CVE-2025-0240 CVE-2025-0241 CVE-2025-0242 CVE-2025-0243.

10. This patch also addresses CVE-2024-56326.

11. This patch also addresses CVE-2020-11053.

12. This patch also addresses CVE-2024-45490 CVE-2024-45492.

13. This patch also addresses CVE-2023-7207 CVE-2023-7216.

14. This patch also addresses CVE-2024-53899.

15. This patch also addresses CVE-2024-53908.

16. This patch also addresses CVE-2020-15862 CVE-2022-24805.

17. This patch also addresses CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461 CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465 CVE-2024-10466 CVE-2024-10467 CVE-2024-11692 CVE-2024-11693 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696 CVE-2024-11697 CVE-2024-11698 CVE-2024-11699.

18. This patch also addresses CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461 CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465 CVE-2024-10466 CVE-2024-10467 CVE-2024-11159 CVE-2024-11692 CVE-2024-11693 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696 CVE-2024-11697 CVE-2024-11698 CVE-2024-11699.

19. This patch also addresses CVE-2024-8250.

20. This patch also addresses CVE-2024-21193 CVE-2024-21194 CVE-2024-21196 CVE-2024-21197 CVE-2024-21198 CVE-2024-21199 CVE-2024-21200 CVE-2024-21201 CVE-2024-21203 CVE-2024-21204 CVE-2024-21207 CVE-2024-21209 CVE-2024-21212 CVE-2024-21213 CVE-2024-21218 CVE-2024-21219 CVE-2024-21230 CVE-2024-21231 CVE-2024-21232 CVE-2024-21236 CVE-2024-21237 CVE-2024-21238 CVE-2024-21239 CVE-2024-21241 CVE-2024-21243 CVE-2024-21244 CVE-2024-21247 CVE-2024-7264.

21. This patch also addresses CVE-2024-8088.

22. This patch also addresses CVE-2024-11233 CVE-2024-11234 CVE-2024-11236 CVE-2024-4577 CVE-2024-8925 CVE-2024-8926 CVE-2024-8927 CVE-2024-8932 CVE-2024-9026.