Oracle Solaris Third Party Bulletin - October 2018

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins are also updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 January 2019
  • 16 April 2019
  • 16 July 2019
  • 15 October 2019

References

Modification History

2018-December-14 Rev 3. Added all CVEs fixed in Solaris 11.4 SRU 4
2018-November-20 Rev 2. Added all CVEs fixed in Solaris 11.4 SRU 3
2018-October-16 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36 and Solaris 11.4 SRU 2

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 33 new security fixes for the Oracle Solaris Operating System. 18 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2018-12-14

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-3187 | Solaris | MySQL | Multiple | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.4 | See Note 1 |
| CVE-2018-1000810 | Solaris | Rust Language | None | No | 7.8 | Local | Low | Low | None | Unchanged | High | High | High | 11.4 | |
| CVE-2017-8816 | Solaris | libcurl | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 2 |
| CVE-2018-5784 | Solaris | GIMP | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | See Note 3 |
| CVE-2018-19131 | Solaris | Squid | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 4 |
| CVE-2018-18065 | Solaris | Net-SNMP | Multiple | Yes | 5.3 | Network | High | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2018-6188 | Solaris | Django Python web framework | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | Low | None | None | 11.4 | See Note 5 |
| CVE-2018-16328 | Solaris | ImageMagick | None | No | 4.7 | Local | High | None | Required | Unchanged | None | None | High | 11.4 | See Note 6 |
| CVE-2017-14245 | Solaris | Libsndfile | None | No | 4.4 | Local | Low | None | Required | Unchanged | Low | None | Low | 11.4 | See Note 7 |
| CVE-2018-16839 | Solaris | libcurl | None | No | 4.4 | Local | Low | None | Required | Unchanged | Low | None | Low | 11.4 | See Note 8 |
| CVE-2014-10070 | Solaris | Zsh Shell | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4, 10 | See Note 9 |

Revision 2: Published on 2018-11-20

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-14665 | Solaris | X.Org | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.4 | |
| CVE-2018-17456 | Solaris | Git | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2018-4246 | Solaris | WebKitGTK+ | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 10 |
| CVE-2016-6489 | Solaris | Nettle | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4 | |
| CVE-2018-5740 | Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2017-10789 | Solaris | Mysql module for perl | Multiple | Yes | 6.8 | Network | High | None | Required | Unchanged | High | High | None | 11.4 | See Note 11 |
| CVE-2018-14036 | Solaris | Accounts Service | Multiple | No | 6.5 | Network | Low | Low | None | Unchanged | High | None | None | 11.4 | |
| CVE-2017-17433 | Solaris | RSYNC | Multiple | No | 6.3 | Network | Low | Low | None | Unchanged | Low | Low | Low | 11.4, 10 | See Note 12 |
| CVE-2018-17082 | Solaris | PHP | Multiple | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2018-14598 | Solaris | Libraries: Libx11 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | See Note 13 |
| CVE-2017-6888 | Solaris | Flac | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2018-1000161 | Solaris | NMap | Multiple | No | 5.5 | Network | Low | Low | Required | Unchanged | Low | Low | Low | 11.4 | |
| CVE-2018-11784 | Solaris | Apache Tomcat | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.4 | |
| CVE-2018-12086 | Solaris | Wireshark | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 14 |
| CVE-2016-9841 | Solaris | RSYNC | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 15 |
| CVE-2018-11439 | Solaris | Taglib Audio Meta-Data Library | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | |
| CVE-2018-15173 | Solaris | NMap | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | |

Revision 1: Published on 2018-10-16

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-12176 | Solaris | X.Org | Multiple | No | 7.5 | Adjacent Network | High | None | None | Unchanged | High | High | High | 11.3 | See Note 16 |
| CVE-2017-9224 | Solaris | Oniguruma | Multiple | Yes | 6.5 | Network | High | None | None | Unchanged | None | Low | High | 11.4 | See Note 17 |
| CVE-2018-1000168 | Solaris | NGHttp2 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2018-14851 | Solaris | PHP | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4 | See Note 18 |
| CVE-2018-7409 | Solaris | UnixODBC | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 19 |

Notes:

  1. This fix also addresses CVE-2016-9843 CVE-2018-2767 CVE-2018-3058 CVE-2018-3066 CVE-2018-3081 CVE-2018-3133 CVE-2018-3143 CVE-2018-3144 CVE-2018-3155 CVE-2018-3156 CVE-2018-3161 CVE-2018-3162 CVE-2018-3171 CVE-2018-3173 CVE-2018-3174 CVE-2018-3185 CVE-2018-3200 CVE-2018-3247 CVE-2018-3251 CVE-2018-3276 CVE-2018-3277 CVE-2018-3278 CVE-2018-3282 CVE-2018-3283 CVE-2018-3284.
  2. This fix also addresses CVE-2018-14618.
  3. This fix also addresses CVE-2017-17942 CVE-2017-18013 CVE-2018-15209.
  4. This fix also addresses CVE-2018-19132.
  5. This fix also addresses CVE-2017-12794 CVE-2018-7536 CVE-2018-7537.
  6. This fix also addresses CVE-2017-18250 CVE-2018-10177 CVE-2018-11625 CVE-2018-12599 CVE-2018-12600 CVE-2018-13153 CVE-2018-14434 CVE-2018-14435 CVE-2018-14436 CVE-2018-14437 CVE-2018-14551 CVE-2018-16323 CVE-2018-16412 CVE-2018-16413 CVE-2018-16640 CVE-2018-16642 CVE-2018-16643 CVE-2018-16644 CVE-2018-16645 CVE-2018-16749 CVE-2018-16750 CVE-2018-18023 CVE-2018-18024 CVE-2018-18025 CVE-2018-18544 CVE-2018-9135.
  7. This fix also addresses CVE-2017-14246 CVE-2017-14634 CVE-2017-17456 CVE-2017-17457 CVE-2017-6892 CVE-2018-13139 CVE-2018-13419.
  8. This fix also addresses CVE-2017-14618 CVE-2018-14618 CVE-2018-16840 CVE-2018-16842.
  9. This fix also addresses CVE-2014-10071 CVE-2014-10072 CVE-2016-10714 CVE-2017-18205 CVE-2017-18206 CVE-2018-1071 CVE-2018-1083 CVE-2018-1100 CVE-2018-7548 CVE-2018-7549.
  10. This fix also addresses CVE-2018-11646 CVE-2018-11712 CVE-2018-11713 CVE-2018-12293 CVE-2018-12294 CVE-2018-12911 CVE-2018-4101 CVE-2018-4113 CVE-2018-4114 CVE-2018-4117 CVE-2018-4118 CVE-2018-4119 CVE-2018-4120 CVE-2018-4121 CVE-2018-4122 CVE-2018-4125 CVE-2018-4127 CVE-2018-4128 CVE-2018-4129 CVE-2018-4133 CVE-2018-4146 CVE-2018-4161 CVE-2018-4162 CVE-2018-4163 CVE-2018-4165 CVE-2018-4190 CVE-2018-4192 CVE-2018-4199 CVE-2018-4200 CVE-2018-4201 CVE-2018-4204 CVE-2018-4214 CVE-2018-4218 CVE-2018-4222 CVE-2018-4232 CVE-2018-4233 CVE-2018-4261 CVE-2018-4262 CVE-2018-4263 CVE-2018-4264 CVE-2018-4265 CVE-2018-4266 CVE-2018-4267 CVE-2018-4270 CVE-2018-4271 CVE-2018-4272 CVE-2018-4273 CVE-2018-4278 CVE-2018-4284.
  11. This fix also addresses CVE-2015-3152.
  12. This fix also addresses CVE-2017-17434 CVE-2018-5764.
  13. This fix also addresses CVE-2018-14599 CVE-2018-14600.
  14. This fix also addresses CVE-2018-18225 CVE-2018-18226 CVE-2018-18227.
  15. This fix also addresses CVE-2016-9840 CVE-2016-9842 CVE-2016-9843.
  16. This fix also addresses CVE-2017-12176 CVE-2017-12177 CVE-2017-12178 CVE-2017-12179 CVE-2017-12180 CVE-2017-12181 CVE-2017-12182 CVE-2017-12183 CVE-2017-12184 CVE-2017-12185 CVE-2017-12186 CVE-2017-12187.
  17. This fix also addresses CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229.
  18. This fix also addresses CVE-2018-14883.
  19. This fix also addresses CVE-2018-7485.
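The risk matrices above list each CVE's CVSS v3.0 metric values next to the published base score, and a practitioner triaging a Solaris SRU often wants to confirm that the two agree before ranking fixes. The following is an added example, not code from the Oracle bulletin: it recomputes the base score from the matrix metrics using the formula and weights of the CVSS v3.0 specification, and checks the "Remote Exploit without Auth.?" column against the rule that the column is Yes exactly when Attack Vector is Network and Privileges Required is None (that rule is my reading of the matrices, not something the bulletin states). The rows in ROWS are copied from the matrices; the function names are my own.

```python
"""Recompute CVSS v3.0 base scores for risk-matrix rows and check the
remote-without-authentication flag.  Example code added for this page;
formula and constants are from the CVSS v3.0 specification."""
import math

# CVSS v3.0 metric weights, keyed by the wording used in the Oracle matrix.
ATTACK_VECTOR = {"Network": 0.85, "Adjacent Network": 0.62, "Local": 0.55, "Physical": 0.20}
ATTACK_COMPLEXITY = {"Low": 0.77, "High": 0.44}
# Privileges Required has two weights: (Scope Unchanged, Scope Changed).
PRIVILEGES_REQUIRED = {"None": (0.85, 0.85), "Low": (0.62, 0.68), "High": (0.27, 0.50)}
USER_INTERACTION = {"None": 0.85, "Required": 0.62}
IMPACT_WEIGHT = {"High": 0.56, "Low": 0.22, "None": 0.0}


def roundup(value):
    """CVSS Roundup: the smallest one-decimal number >= value.
    Integer arithmetic avoids float artefacts such as 4.0000001 -> 4.1."""
    scaled = int(round(value * 100000))
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, scope, c, i, a):
    """CVSS v3.0 base score from the eight base metrics (matrix wording)."""
    changed = scope == "Changed"
    iss = 1 - (1 - IMPACT_WEIGHT[c]) * (1 - IMPACT_WEIGHT[i]) * (1 - IMPACT_WEIGHT[a])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                      * PRIVILEGES_REQUIRED[pr][1 if changed else 0]
                      * USER_INTERACTION[ui])
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def remote_without_auth(av, pr):
    """Assumed rule for Oracle's column: Network vector and no privileges needed."""
    return av == "Network" and pr == "None"


# Rows copied from the bulletin's risk matrices:
# (CVE, published score, published flag, AV, AC, PR, UI, Scope, C, I, A)
ROWS = [
    ("CVE-2018-3187", 8.8, "No", "Network", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2018-1000810", 7.8, "No", "Local", "Low", "Low", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2017-8816", 7.5, "Yes", "Network", "High", "None", "Required", "Unchanged", "High", "High", "High"),
    ("CVE-2018-19131", 6.1, "Yes", "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2018-14665", 8.8, "No", "Local", "Low", "Low", "None", "Changed", "High", "High", "High"),
    ("CVE-2018-17082", 6.1, "Yes", "Network", "Low", "None", "Required", "Changed", "Low", "Low", "None"),
    ("CVE-2017-12176", 7.5, "No", "Adjacent Network", "High", "None", "None", "Unchanged", "High", "High", "High"),
    ("CVE-2014-10070", 3.3, "No", "Local", "Low", "None", "Required", "Unchanged", "None", "None", "Low"),
]


def check_rows(rows=ROWS):
    """Return (cve, computed_score, score_matches, flag_matches) per row."""
    results = []
    for cve, published, flag, av, ac, pr, ui, scope, c, i, a in rows:
        computed = base_score(av, ac, pr, ui, scope, c, i, a)
        expected_flag = "Yes" if remote_without_auth(av, pr) else "No"
        results.append((cve, computed, computed == published, expected_flag == flag))
    return results


if __name__ == "__main__":
    for cve, score, ok_score, ok_flag in check_rows():
        print(f"{cve:18} computed={score:4.1f} score_ok={ok_score} flag_ok={ok_flag}")
```

The two scope-changed rows (CVE-2018-14665 and CVE-2018-19131) are the ones worth watching: scope change switches the Privileges Required weight and applies the 1.08 multiplier, which is why a Local/Low-privilege X.Org bug lands on the same 8.8 as a Network/Low-privilege MySQL bug.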