Oracle Solaris Third Party Bulletin - October 2015

Related Vulnerabilities: CVE-2016-0777   CVE-2016-0778   CVE-2015-8000   CVE-2015-4491   CVE-2013-1438   CVE-2014-3566   CVE-2015-7830   CVE-2015-1270   CVE-2015-4760   CVE-2015-2632   CVE-2015-2731   CVE-2015-5600   CVE-2014-6507   CVE-2014-3634   CVE-2014-6052   CVE-2015-0411   CVE-2014-3564   CVE-2014-8097   CVE-2014-9512   CVE-2014-2653   CVE-2014-9365   CVE-2013-6371   CVE-2015-0248   CVE-2015-1819   CVE-2015-3200   CVE-2015-4020   CVE-2015-5143   CVE-2015-4651   CVE-2015-3183   CVE-2015-0253   CVE-2015-5963   CVE-2014-0032   CVE-2015-5144   CVE-2015-6241   CVE-2015-0251   CVE-2015-2922   CVE-2013-1569   CVE-2014-8146   CVE-2014-0230   CVE-2014-8111   CVE-2013-4262   CVE-2013-7393   CVE-2014-3504   CVE-2014-3522   CVE-2014-3528   CVE-2014-3683   CVE-2013-6370   CVE-2012-5615   CVE-2013-1511   CVE-2013-3793   CVE-2014-2432   CVE-2014-2440   CVE-2014-2494   CVE-2014-4243   CVE-2014-4260   CVE-2014-4274   CVE-2014-4287   CVE-2014-6464   CVE-2014-6484   CVE-2014-6494   CVE-2014-6496   CVE-2014-6505   CVE-2014-6520   CVE-2014-6530   CVE-2014-6551   CVE-2014-6555   CVE-2014-6559   CVE-2014-6568   CVE-2015-0391   CVE-2015-0432   CVE-2015-0433   CVE-2015-0499   CVE-2015-0505   CVE-2015-2573   CVE-2013-2376   CVE-2013-5807   CVE-2014-0384   CVE-2014-2438   CVE-2015-0441   CVE-2013-1502   CVE-2013-3794   CVE-2013-3801   CVE-2013-3805   CVE-2013-3809   CVE-2013-3812   CVE-2013-5891   CVE-2014-0420   CVE-2014-2419   CVE-2014-2430   CVE-2014-2431   CVE-2014-2436   CVE-2014-4207   CVE-2014-4258   CVE-2014-6463   CVE-2014-6469   CVE-2014-6478   CVE-2014-6491   CVE-2014-6495   CVE-2014-6500   CVE-2015-0374   CVE-2015-0381   CVE-2015-0382   CVE-2015-2568   CVE-2015-2571   CVE-2015-0228   CVE-2015-3185   CVE-2014-8091   CVE-2014-8092   CVE-2014-8095   CVE-2014-8096   CVE-2014-8100   CVE-2014-8102   CVE-2015-3418   CVE-2015-2923   CVE-2014-6051   CVE-2014-8240   CVE-2014-8241   CVE-2013-2383   CVE-2013-2384   CVE-2013-2419   CVE-2014-8147   CVE-2015-2721   CVE-2015-2722   CVE-2015-2724   CVE-2015-2725   CVE-2015-2726   CVE-2015-2728   CVE-2015-2729   CVE-2015-2730   CVE-2015-2733   CVE-2015-2734   CVE-2015-2735   CVE-2015-2736   CVE-2015-2737   CVE-2015-2738   CVE-2015-2739   CVE-2015-2740   CVE-2015-2741   CVE-2015-2742   CVE-2015-2743   CVE-2015-4652   CVE-2014-7810   CVE-2015-5964   CVE-2015-6242   CVE-2015-6243   CVE-2015-6244   CVE-2015-6245   CVE-2015-6246   CVE-2015-6247   CVE-2015-6248   CVE-2015-6249   CVE-2015-3900  

Oracle Solaris Third Party Bulletin - October 2015


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 January 2016
  • 19 April 2016
  • 19 July 2016
  • 18 October 2016

References


Modification History


2016-January-14 Rev 5. Added OpenSSH CVE-2016-0777 and CVE-2016-0778
2015-December-15 Rev 4. Added all CVEs fixed in Solaris 11.3SRU3.6
2015-November-16 Rev 3. Added all CVEs fixed in Solaris 11.3SRU2.4
2015-October-26 Rev 2. Added all CVEs fixed in Solaris 11.3 and 11.3SRU1.5
2015-October-20 Rev 1. Initial Release

 

 

Oracle Solaris Executive Summary

 

This Third Party Bulletin contains 51 new security fixes for the Oracle Solaris.  41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

 

Oracle Solaris Risk Matrix


Revision 5: Published on 2016-01-14



CVE# Product Protocol Third Party
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2016-0778 Solaris SSH OpenSSH Yes 5.1 Network High None Partial Partial Partial 11.3  
CVE-2016-0777 Solaris SSH OpenSSH Yes 4.3 Network Medium None Partial None None 11.3  


Revision 4: Published on 2015-12-15



CVE# Product Protocol Third Party
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2015-8000 Solaris Bind Bind/Postinstall script for Bind package Yes 7.1 Network Medium None None None Complete 11.3, 10  
CVE-2015-4491 Solaris Multiple gdk-pixbuf Yes 6.8 Network Medium None Partial Partial Partial 11.3, 10  
CVE-2013-1438 Solaris Multiple Dcraw Yes 4.3 Network Medium None None None Partial 11.3  
CVE-2014-3566 Solaris SSL/TLS Common Unix Printing System (CUPS) Yes 4.3 Network Medium None Partial None None 11.3  
CVE-2015-7830 Solaris Multiple Wireshark Yes 4.3 Network Medium None None None Partial 11.3  


Revision 3: Published on 2015-11-16



CVE# Product Protocol Third Party
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2015-1270 Solaris None Localization (L10N) No 1.5 Local Medium Single None None Partial 11.3  
CVE-2015-4760 Solaris None Localization (L10N) No 1.5 Local Medium Single None None Partial 11.3  
CVE-2015-2632 Solaris None Localization (L10N) No 1.0 Local High Single None None Partial 11.3  


Revision 2: Published on 2015-10-26



CVE# Product Protocol Third Party
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2015-2731 Solaris Multiple Firefox Yes 10.0 Network Low None Complete Complete Complete 11.3 See
Note 13
CVE-2015-5600 Solaris SSH OpenSSH Yes 8.5 Network Low None Partial None Complete 11.3  
CVE-2014-6507 Solaris Multiple MySQL No 8.0 Network Low Single Partial+ Partial+ Complete 11.3 See
Note 4
CVE-2014-6507 Solaris Multiple MySQL No 8.0 Network Low Single Partial+ Partial+ Complete 11.3 See
Note 6
CVE-2014-3634 Solaris Multiple RSYSLOG Yes 7.5 Network Low None Partial Partial Partial 11.3 See
Note 2
CVE-2014-6052 Solaris Multiple VNC Yes 7.5 Network Low None Partial Partial Partial 11.3 See
Note 10
CVE-2015-0411 Solaris Multiple MySQL Yes 7.5 Network Low None Partial Partial Partial 11.3 See
Note 5
CVE-2014-3564 Solaris Multiple GnuPG Yes 6.8 Network Medium None Partial Partial Partial 11.3  
CVE-2014-8097 Solaris None Xsun server No 6.8 Local Low Single Complete Complete Complete 10 See
Note 8
CVE-2014-9512 Solaris Multiple RSYNC Yes 6.4 Network Low None None Partial Partial 11.3, 10  
CVE-2014-2653 Solaris SSH OpenSSH Yes 5.8 Network Medium None None Partial Partial 11.3  
CVE-2014-9365 Solaris Multiple Python 3.4 Yes 5.8 Network Medium None Partial Partial None 11.3  
CVE-2013-6371 Solaris Multiple JSON-C Yes 5.0 Network Low None None None Partial 11.3 See
Note 3
CVE-2014-3566 Solaris SSL/TLS BitTorrent Client Yes 5.0 Network Low None Partial None None 11.3  
CVE-2014-3566 Solaris SSL/TLS Gnome-VFS Yes 5.0 Network Low None Partial None None 11.3  
CVE-2014-3566 Solaris SSL/TLS OpenSSL Yes 5.0 Network Low None Partial None None 11.3, 10  
CVE-2014-3566 Solaris SSL/TLS VNC Yes 5.0 Network Low None Partial None None 11.3  
CVE-2014-3566 Solaris SSL/TLS Pidgin Yes 5.0 Network Low None Partial None None 11.3  
CVE-2014-3566 Solaris SSL/TLS LibTLS Yes 5.0 Network Low None Partial None None 11.3  
CVE-2014-3566 Solaris SSL/TLS Ejabberd Yes 5.0 Network Low None Partial None None 11.3  
CVE-2014-3566 Solaris SSL/TLS Irssi Yes 5.0 Network Low None Partial None None 11.3  
CVE-2014-3566 Solaris SSL/TLS LibSoup Yes 5.0 Network Low None Partial None None 11.3  
CVE-2015-0248 Solaris Multiple Apache Subversion Yes 5.0 Network Low None None None Partial 11.3  
CVE-2015-1819 Solaris Multiple libxml2 Yes 5.0 Network Low None None None Partial 11.3  
CVE-2015-3200 Solaris Multiple Lighttpd Yes 5.0 Network Low None None Partial None 11.3  
CVE-2015-4020 Solaris Multiple Ruby Yes 5.0 Network Low None None Partial None 11.3 See
Note 18
CVE-2015-5143 Solaris Multiple Django Python web framework Yes 5.0 Network Low None None None Partial 11.3  
CVE-2015-4651 Solaris Multiple Wireshark Yes 5.0 Network Low None None None Partial 11.3 See
Note 14
CVE-2015-3183 Solaris HTTP Apache HTTP server Yes 5.0 Network Low None None Partial None 11.3  
CVE-2015-0253 Solaris HTTP Apache HTTP server Yes 5.0 Network Low None None None Partial 11.3 See
Note 7
CVE-2015-5963 Solaris Multiple Django Python web framework Yes 5.0 Network Low None None None Partial 11.3 See
Note 16
CVE-2014-0032 Solaris Multiple Apache Subversion Yes 4.3 Network Medium None None None Partial 11.3 See
Note 1
CVE-2015-5144 Solaris Multiple Django Python web framework Yes 4.3 Network Medium None None Partial None 11.3  
CVE-2015-6241 Solaris Multiple Wireshark Yes 4.3 Network Medium None None None Partial 11.3 See
Note 17
CVE-2015-0251 Solaris Multiple Apache Subversion No 4.0 Network Low Single None Partial None 11.3  
CVE-2015-2922 Solaris Multiple Network Configuration No 3.3 Adjacent
Network
Low None None None Partial 11.3 See
Note 9
CVE-2013-1569 Solaris None Localization (L10N) No 1.5 Local Medium Single None None Partial 11.3 See
Note 11
CVE-2014-8146 Solaris None Localization (L10N) No 1.0 Local High Single None None Partial 11.3 See
Note 12




Revision 1: Published on 2015-10-20



CVE# Product Protocol Third Party
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2015-5600 Solaris SSH SSH Yes 8.5 Network Low None Partial None Complete 11.2, 10  
CVE-2014-0230 Solaris HTTP Apache Tomcat Yes 5.0 Network Low None None None Partial 11.2, 10 See
Note 15
CVE-2014-8111 Solaris HTTP Apache HTTP server Yes 5.0 Network Low None Partial None None 11.2, 10  
 

 

Notes:

  1. This fix also addresses CVE-2013-4262 CVE-2013-7393 CVE-2014-3504 CVE-2014-3522 CVE-2014-3528.
  2. This fix also addresses CVE-2014-3683.
  3. This fix also addresses CVE-2013-6370.
  4. This fix also addresses CVE-2012-5615 CVE-2013-1511 CVE-2013-3793 CVE-2014-2432 CVE-2014-2440 CVE-2014-2494 CVE-2014-4243 CVE-2014-4260 CVE-2014-4274 CVE-2014-4287 CVE-2014-6464 CVE-2014-6484 CVE-2014-6494 CVE-2014-6496 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6551 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0391 CVE-2015-0432 CVE-2015-0433 CVE-2015-0499 CVE-2015-0505 CVE-2015-2573.
  5. This fix also addresses CVE-2013-2376 CVE-2013-5807 CVE-2014-0384 CVE-2014-2438 CVE-2015-0411 CVE-2015-0441.
  6. This fix also addresses CVE-2013-1502 CVE-2013-1511 CVE-2013-3794 CVE-2013-3801 CVE-2013-3805 CVE-2013-3809 CVE-2013-3812 CVE-2013-5891 CVE-2014-0420 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2440 CVE-2014-2494 CVE-2014-4207 CVE-2014-4243 CVE-2014-4258 CVE-2014-4260 CVE-2014-4287 CVE-2014-6463 CVE-2014-6464 CVE-2014-6469 CVE-2014-6478 CVE-2014-6484 CVE-2014-6491 CVE-2014-6494 CVE-2014-6495 CVE-2014-6496 CVE-2014-6500 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0391 CVE-2015-0432 CVE-2015-0433 CVE-2015-0499 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571.
  7. This fix also addresses CVE-2015-0228 CVE-2015-3183 CVE-2015-3185.
  8. This fix also addresses CVE-2014-8091 CVE-2014-8092 CVE-2014-8095 CVE-2014-8096 CVE-2014-8100 CVE-2014-8102 CVE-2015-3418.
  9. This fix also addresses CVE-2015-2923.
  10. This fix also addresses CVE-2014-6051 CVE-2014-8240 CVE-2014-8241.
  11. This fix also addresses CVE-2013-2383 CVE-2013-2384 CVE-2013-2419.
  12. This fix also addresses CVE-2014-8147.
  13. This fix also addresses CVE-2015-2721 CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2726 CVE-2015-2728 CVE-2015-2729 CVE-2015-2730 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2742 CVE-2015-2743.
  14. This fix also addresses CVE-2015-4652.
  15. This fix also addresses CVE-2014-7810.
  16. This fix also addresses CVE-2015-5964.
  17. This fix also addresses CVE-2015-6242 CVE-2015-6243 CVE-2015-6244 CVE-2015-6245 CVE-2015-6246 CVE-2015-6247 CVE-2015-6248 CVE-2015-6249.
  18. This fix also addresses CVE-2015-3900.