Oracle Solaris Third Party Bulletin - April 2025
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 15 July 2025
- 21 October 2025
- 20 January 2026
- 21 April 2026
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
Modification History
| Date | Note |
|---|---|
| 2025-June-18 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 82 |
| 2025-May-20 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 81 |
| 2025-April-15 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 80 and Solaris 11.3 ESU 36.34 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 61 new security patches for the Oracle Solaris Operating System. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2025-06-18
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-23165 | Oracle Solaris | Node.js | Multiple | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 11.4 | See Note 1 |
| CVE-2025-47273 | Oracle Solaris | Python Packaging Authority | Multiple | No | 6.5 | Network | Low | Low | None | Un- changed |
None | High | None | 11.4 | |
| CVE-2025-32873 | Oracle Solaris | Django | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
Revision 2: Published on 2025-05-20
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2024-11053 | Oracle Solaris | MySQL | None | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 11.4 | See Note 2 |
| CVE-2024-40896 | Oracle Solaris | libxml2 | Multiple | Yes | 9.1 | Network | Low | None | None | Un- changed |
None | High | High | 11.4 | |
| CVE-2024-47538 | Oracle Solaris | GStreamer | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 3 |
| CVE-2024-47606 | Oracle Solaris | GStreamer | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | |
| CVE-2025-1244 | Oracle Solaris | GNU Emacs | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | |
| CVE-2025-3028 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 4 |
| CVE-2025-3028 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2024-47537 | Oracle Solaris | GStreamer | None | No | 8.4 | Local | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2025-27830 | Oracle Solaris | Ghostscript | None | No | 8.4 | Local | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 7 |
| CVE-2020-10713 | Oracle Solaris | Grub Boot Loader | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.4 | See Note 8 |
| CVE-2022-2601 | Oracle Solaris | Grub Boot Loader | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.4 | See Note 9 |
| CVE-2024-56171 | Oracle Solaris | libxml2 | None | No | 7.8 | Local | High | None | None | Changed | High | High | None | 11.4 | See Note 10 |
| CVE-2025-26594 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 11.4 | See Note 11 |
| CVE-2023-40547 | Oracle Solaris | First Stage Bootloader For Secure Boot | Multiple | No | 7.5 | Adjacent Network |
High | None | None | Un- changed |
High | High | High | 11.4 | See Note 12 |
| CVE-2024-53580 | Oracle Solaris | iPerf | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2024-55605 | Oracle Solaris | Suricata | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 13 |
| CVE-2022-48622 | Oracle Solaris | Pidgin | None | No | 7.3 | Local | Low | Low | Required | Un- changed |
High | High | High | 11.4 | |
| CVE-2022-28737 | Oracle Solaris | First Stage Bootloader For Secure Boot | None | No | 6.5 | Local | Low | High | Required | Un- changed |
High | High | High | 11.4 | |
| CVE-2023-45322 | Oracle Solaris | libxml2 | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-1938 | Oracle Solaris | Network Security Services | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2025-25186 | Oracle Solaris | Ruby | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2017-10176 | Oracle Solaris | Network Security Services | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 11.4 | See Note 15 |
| CVE-2024-25062 | Oracle Solaris | libxml2 | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2024-50602 | Oracle Solaris | libexpat | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-22871 | Oracle Solaris | Go Programming Language | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | High | None | 11.4 | |
| CVE-2025-27219 | Oracle Solaris | Ruby | Multiple | Yes | 5.8 | Network | Low | None | None | Changed | None | None | Low | 11.4 | See Note 16 |
| CVE-2024-56826 | Oracle Solaris | OpenJPEG | None | No | 5.6 | Local | Low | Low | Required | Un- changed |
Low | None | High | 11.4 | See Note 17 |
| CVE-2024-11079 | Oracle Solaris | Ansible | Multiple | No | 5.5 | Network | High | Low | Required | Changed | Low | Low | Low | 11.4 | |
| CVE-2024-34459 | Oracle Solaris | libxml2 | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2024-50612 | Oracle Solaris | Libsndfile | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-1492 | Oracle Solaris | Wireshark | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2023-4692 | Oracle Solaris | Grub Boot Loader | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | 11.4 | See Note 18 |
| CVE-2024-12133 | Oracle Solaris | GNU Libtasn1 | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2024-52615 | Oracle Solaris | Avahi | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 11.4 | |
| CVE-2024-52616 | Oracle Solaris | Avahi | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 11.4 | |
| CVE-2025-26699 | Oracle Solaris | Django | Multiple | No | 5 | Network | Low | Low | None | Changed | None | None | Low | 11.4 | |
| CVE-2024-56378 | Oracle Solaris | Poppler | None | No | 4.4 | Local | Low | Low | None | Un- changed |
Low | None | Low | 11.4 | |
| CVE-2024-50349 | Oracle Solaris | Git | Multiple | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 11.4 | See Note 19 |
| CVE-2024-11053 | Oracle Solaris | libcurl | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 20 |
| CVE-2024-57970 | Oracle Solaris | Libarchive | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2024-46901 | Oracle Solaris | Apache Subversion | Multiple | No | 3.1 | Network | High | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2024-57392 | Oracle Solaris | ProFTPD | Multiple | No | 0 | Network | Low | Low | None | Un- changed |
None | None | None | 11.4 | |
Revision 1: Published on 2025-04-15
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2024-11704 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 21 |
| CVE-2024-11704 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 22 |
| CVE-2024-43097 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 23 |
| CVE-2024-43097 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 24 |
| CVE-2025-24813 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 8.6 | Network | Low | None | None | Un- changed |
High | Low | Low | 11.4 | |
| CVE-2024-11187 | Oracle Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 25 |
| CVE-2025-27516 | Oracle Solaris | Jinja2 | None | No | 7.3 | Local | Low | Low | Required | Un- changed |
High | High | High | 11.4 | |
| CVE-2025-0938 | Oracle Solaris | Python | HTTP | Yes | 6.8 | Network | High | None | None | Changed | None | High | None | 11.4 | |
| CVE-2025-26465 | Oracle Solaris | OpenSSH | SSH | Yes | 6.8 | Network | High | None | Required | Un- changed |
High | High | None | 11.4, 11.3 | |
| CVE-2024-49761 | Oracle Solaris | Ruby | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-22870 | Oracle Solaris | Go Programming Language | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | None | Low | 11.4 | |
| CVE-2024-45336 | Oracle Solaris | Go Programming Language | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 11.4 | See Note 26 |
| CVE-2025-26466 | Oracle Solaris | OpenSSH | SSH | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2024-11235 | Oracle Solaris | PHP | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 11.4 | See Note 27 |
| CVE-2024-13176 | Oracle Solaris | OpenSSL | None | No | 4.7 | Local | High | Low | None | Un- changed |
High | None | None | 11.4, 11.3, 10 | |
| CVE-2024-9143 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Un- changed |
None | None | Low | 11.4, 11.3, 10 | |
Notes:
1. This patch also addresses CVE-2025-23166 CVE-2025-23167.2. This patch also addresses CVE-2025-21490 CVE-2025-21491 CVE-2025-21493 CVE-2025-21497 CVE-2025-21499 CVE-2025-21500 CVE-2025-21501 CVE-2025-21503 CVE-2025-21505 CVE-2025-21518 CVE-2025-21519 CVE-2025-21520 CVE-2025-21522 CVE-2025-21523 CVE-2025-21525 CVE-2025-21529 CVE-2025-21531 CVE-2025-21540 CVE-2025-21543 CVE-2025-21546 CVE-2025-21555 CVE-2025-21559.
3. This patch also addresses CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835.
4. This patch also addresses CVE-2025-3029 CVE-2025-3030.
5. This patch also addresses CVE-2025-3029 CVE-2025-3030.
6. This patch also addresses CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 CVE-2024-47834.
7. This patch also addresses CVE-2024-46954 CVE-2025-27831 CVE-2025-27832 CVE-2025-27833 CVE-2025-27834 CVE-2025-27835 CVE-2025-27836 CVE-2025-27837 CVE-2025-46646.
8. This patch also addresses CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-15705 CVE-2020-15706 CVE-2020-15707.
9. This patch also addresses CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233 CVE-2021-3418 CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2021-3981 CVE-2022-28733 CVE-2022-28734 CVE-2022-28735 CVE-2022-28736 CVE-2022-3775.
10. This patch also addresses CVE-2025-24928 CVE-2025-27113.
11. This patch also addresses CVE-2025-2659 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601.
12. This patch also addresses CVE-2023-40546 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551.
13. This patch also addresses CVE-2024-55626 CVE-2024-55627 CVE-2024-55628 CVE-2024-55629.
14. This patch also addresses CVE-2024-6609.
15. This patch also addresses CVE-2017-7781.
16. This patch also addresses CVE-2025-27220 CVE-2025-27221.
17. This patch also addresses CVE-2024-56827.
18. This patch also addresses CVE-2023-4693.
19. This patch also addresses CVE-2024-52006.
20. This patch also addresses CVE-2025-0167 CVE-2025-0665 CVE-2025-0725.
21. This patch also addresses CVE-2025-1009 CVE-2025-1010 CVE-2025-1011 CVE-2025-1012 CVE-2025-1013 CVE-2025-1014 CVE-2025-1016 CVE-2025-1017.
22. This patch also addresses CVE-2025-0510 CVE-2025-1009 CVE-2025-1010 CVE-2025-1011 CVE-2025-1012 CVE-2025-1013 CVE-2025-1014 CVE-2025-1015 CVE-2025-1016 CVE-2025-1017.
23. This patch also addresses CVE-2025-1930 CVE-2025-1931 CVE-2025-1932 CVE-2025-1933 CVE-2025-1934 CVE-2025-1935 CVE-2025-1936 CVE-2025-1937 CVE-2025-1938.
24. This patch also addresses CVE-2025-1930 CVE-2025-1931 CVE-2025-1932 CVE-2025-1933 CVE-2025-1934 CVE-2025-1935 CVE-2025-1936 CVE-2025-1937 CVE-2025-1938.
25. This patch also addresses CVE-2024-12705.
26. This patch also addresses CVE-2024-45341.
27. This patch also addresses CVE-2025-1217 CVE-2025-1219 CVE-2025-1734 CVE-2025-1736 CVE-2025-1861.