Oracle Solaris Third Party Bulletin - July 2017

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins are also updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated out of cycle for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1.

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 17 October 2017
  • 16 January 2018
  • 17 April 2018
  • 17 July 2018

Modification History

2017-September-18 Rev 4. Added all CVEs fixed in Solaris 11.3 SRU 24
2017-August-18 Rev 3. Added all CVEs fixed in Solaris 11.3 SRU 23
2017-July-25 Rev 2. Added CVE-2017-11103
2017-July-18 Rev 1. Initial Release

Oracle Solaris Executive Summary

This Third Party Bulletin contains 47 new security fixes for Oracle Solaris. 31 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 4: Published on 2017-09-18

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-9800 | Solaris | Apache Subversion | Multiple | No | 9.9 | Network | Low | Low | None | Changed | High | High | High | 11.3 | |
| CVE-2016-10328 | Solaris | FreeType | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3, 10 | See Note 1 |
| CVE-2017-1000116 | Solaris | Mercurial source code management | Multiple | No | 8.8 | Network | Low | Low | None | Unchanged | High | High | High | 11.3 | |
| CVE-2017-10972 | Solaris | X.Org | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.3 | See Note 2 |
| CVE-2016-1238 | Solaris | Perl | None | No | 8.2 | Local | Low | Low | Required | Changed | High | High | High | 11.3, 10 | |
| CVE-2017-11406 | Solaris | Wireshark | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | See Note 3 |
| CVE-2017-8779 | Solaris | Remote Procedure Call (RPC) | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2017-3167 | Solaris | Apache HTTP server | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.3, 10 | See Note 4 |
| CVE-2017-9788 | Solaris | Apache HTTP server | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 11.3, 10 | See Note 5 |
| CVE-2017-7802 | Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 6 |
| CVE-2017-1000115 | Solaris | Mercurial source code management | None | No | 6.6 | Local | Low | Low | Required | Unchanged | None | High | High | 11.3 | |
| CVE-2017-9233 | Solaris | libexpat | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.3 | |
| CVE-2017-7802 | Solaris | Firefox | Multiple | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.3 | See Note 7 |
| CVE-2017-7659 | Solaris | Apache HTTP server | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3, 10 | |
| CVE-2015-7697 | Solaris | Unzip | Multiple | No | 5 | Network | High | Low | None | Unchanged | Low | Low | Low | 11.3 | See Note 8 |
| CVE-2017-1000117 | Solaris | CVS | Multiple | Yes | 5 | Network | High | None | Required | Unchanged | Low | Low | Low | 11.3 | See Note 9 |
| CVE-2017-12562 | Solaris | Libsndfile | None | No | 4.7 | Local | High | None | Required | Unchanged | None | None | High | 11.3 | |
| CVE-2017-11114 | Solaris | Links Text-based Web Browser | Multiple | No | 3.5 | Adjacent Network | Low | Low | None | Unchanged | None | None | Low | 11.3 | |
| CVE-2014-9913 | Solaris | Unzip | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3 | |

Revision 3: Published on 2017-08-18

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-11108 | Solaris | TCPdump | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2017-5664 | Solaris | Apache Tomcat | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.3, 10 | |
| CVE-2017-7244 | Solaris | PCRE | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3, 10 | See Note 10 |
| CVE-2017-7507 | Solaris | GnuTLS | SSL/TLS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.3 | |
| CVE-2017-3167 | Solaris | Apache HTTP server | HTTP | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.3 | See Note 11 |
| CVE-2017-9351 | Solaris | Wireshark | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.3 | See Note 12 |
| CVE-2016-7123 | Solaris | Mailman | Multiple | Yes | 5.6 | Network | High | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 13 |
| CVE-2017-7960 | Solaris | LibCroco | None | No | 5.5 | Local | Low | None | Required | Unchanged | None | None | High | 11.3 | See Note 14 |
| CVE-2015-4024 | Solaris | PHP | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3 | |
| CVE-2016-7444 | Solaris | GnuTLS | SSL/TLS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 11.3 | See Note 15 |
| CVE-2016-10253 | Solaris | Erlang | None | No | 4.4 | Local | Low | Low | None | Unchanged | Low | Low | None | 11.3 | See Note 16 |
| CVE-2016-9584 | Solaris | LibiCal | None | No | 4.4 | Local | Low | None | Required | Unchanged | Low | None | Low | 11.3, 10 | See Note 17 |

Revision 2: Published on 2017-07-25

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-11103 | Solaris | Samba | Kerberos | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 10 | |

Revision 1: Published on 2017-07-18

| CVE# | Product | Third Party Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-1236 | Solaris | Graphviz | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | See Note 18 |
| CVE-2016-6290 | Solaris | PHP | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | See Note 19 |
| CVE-2016-9935 | Solaris | PHP | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.3 | |
| CVE-2015-4026 | Solaris | PHP | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | See Note 20 |
| CVE-2017-0350 | Solaris | NVIDIA-GFX Kernel driver | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.3 | |
| CVE-2017-0351 | Solaris | NVIDIA-GFX Kernel driver | None | No | 8.8 | Local | Low | Low | None | Changed | High | High | High | 11.3 | |
| CVE-2012-6706 | Solaris | UnRAR | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.3 | |
| CVE-2017-0352 | Solaris | NVIDIA-GFX Kernel driver | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.3 | |
| CVE-2016-5385 | Solaris | PHP | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.3 | |
| CVE-2017-5419 | Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 21 |
| CVE-2017-7778 | Solaris | Firefox | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 22 |
| CVE-2017-7778 | Solaris | Thunderbird | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.3 | See Note 23 |
| CVE-2017-5194 | Solaris | Irssi | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.3 | See Note 24 |
| CVE-2017-9468 | Solaris | Irssi | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 11.3 | See Note 25 |
| CVE-2016-10087 | Solaris | LibPNG | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.3, 10 | |

Notes:

  1. This fix also addresses CVE-2017-8105 CVE-2017-8287.
  2. This fix also addresses CVE-2017-10971.
  3. This fix also addresses CVE-2017-11407 CVE-2017-11408 CVE-2017-11410 CVE-2017-11411 CVE-2017-7702 CVE-2017-9350.
  4. This fix also addresses CVE-2017-3169 CVE-2017-7668 CVE-2017-7679.
  5. This fix also addresses CVE-2017-9789.
  6. This fix also addresses CVE-2017-7753 CVE-2017-7779 CVE-2017-7782 CVE-2017-7784 CVE-2017-7785 CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792 CVE-2017-7800 CVE-2017-7801 CVE-2017-7803 CVE-2017-7804 CVE-2017-7807 CVE-2017-7809.
  7. This fix also addresses CVE-2017-7753 CVE-2017-7779 CVE-2017-7782 CVE-2017-7784 CVE-2017-7785 CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792 CVE-2017-7798 CVE-2017-7800 CVE-2017-7801 CVE-2017-7803 CVE-2017-7804 CVE-2017-7807 CVE-2017-7809.
  8. This fix also addresses CVE-2015-7696.
  9. This fix also addresses CVE-2017-12836.
  10. This fix also addresses CVE-2017-7186 CVE-2017-7245 CVE-2017-7246.
  11. This fix also addresses CVE-2017-3169 CVE-2017-7668 CVE-2017-7679.
  12. This fix also addresses CVE-2017-9343 CVE-2017-9344 CVE-2017-9345 CVE-2017-9346 CVE-2017-9347 CVE-2017-9348 CVE-2017-9349 CVE-2017-9350 CVE-2017-9352 CVE-2017-9353 CVE-2017-9354.
  13. This fix also addresses CVE-2016-6893.
  14. This fix also addresses CVE-2017-7961.
  15. This fix also addresses CVE-2016-4456.
  16. This fix also addresses CVE-2015-2774.
  17. This fix also addresses CVE-2016-5824.
  18. This fix also addresses CVE-2014-0978 CVE-2014-9157.
  19. This fix also addresses CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-6292 CVE-2016-6294 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297.
  20. This fix also addresses CVE-2013-6501 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4025 CVE-2016-6293 CVE-2016-6294 CVE-2016-6297.
  21. This fix also addresses CVE-2017-5399 CVE-2017-5403 CVE-2017-5406 CVE-2017-5407 CVE-2017-5411 CVE-2017-5412 CVE-2017-5413 CVE-2017-5414 CVE-2017-5416 CVE-2017-5418 CVE-2017-5421 CVE-2017-5422 CVE-2017-5425 CVE-2017-5426.
  22. This fix also addresses CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7755 CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7760 CVE-2017-7761 CVE-2017-7763 CVE-2017-7764 CVE-2017-7765 CVE-2017-7766 CVE-2017-7767 CVE-2017-7768.
  23. This fix also addresses CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7763 CVE-2017-7764 CVE-2017-7765.
  24. This fix also addresses CVE-2017-5193 CVE-2017-5195 CVE-2017-5196.
  25. This fix also addresses CVE-2017-9469.