The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Please see My Oracle Support Note 1448883.1
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
Date | Note |
---|---|
2025-June-18 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 82 |
2025-May-20 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 81 |
2025-April-15 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 80 and Solaris 11.3 ESU 36.34 |
This Oracle Solaris Bulletin contains 61 new security patches for the Oracle Solaris Operating System. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2025-23165 | Oracle Solaris | Node.js | Multiple | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 11.4 | See Note 1 |
CVE-2025-47273 | Oracle Solaris | Python Packaging Authority | Multiple | No | 6.5 | Network | Low | Low | None | Un- changed |
None | High | None | 11.4 | |
CVE-2025-32873 | Oracle Solaris | Django | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 |
CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2024-11053 | Oracle Solaris | MySQL | None | Yes | 9.1 | Network | Low | None | None | Un- changed |
High | High | None | 11.4 | See Note 2 |
CVE-2024-40896 | Oracle Solaris | libxml2 | Multiple | Yes | 9.1 | Network | Low | None | None | Un- changed |
None | High | High | 11.4 | |
CVE-2024-47538 | Oracle Solaris | GStreamer | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 3 |
CVE-2024-47606 | Oracle Solaris | GStreamer | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | |
CVE-2025-1244 | Oracle Solaris | GNU Emacs | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | |
CVE-2025-3028 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 4 |
CVE-2025-3028 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 5 |
CVE-2024-47537 | Oracle Solaris | GStreamer | None | No | 8.4 | Local | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 6 |
CVE-2025-27830 | Oracle Solaris | Ghostscript | None | No | 8.4 | Local | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 7 |
CVE-2020-10713 | Oracle Solaris | Grub Boot Loader | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.4 | See Note 8 |
CVE-2022-2601 | Oracle Solaris | Grub Boot Loader | None | No | 8.2 | Local | Low | High | None | Changed | High | High | High | 11.4 | See Note 9 |
CVE-2024-56171 | Oracle Solaris | libxml2 | None | No | 7.8 | Local | High | None | None | Changed | High | High | None | 11.4 | See Note 10 |
CVE-2025-26594 | Oracle Solaris | X.Org | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 11.4 | See Note 11 |
CVE-2023-40547 | Oracle Solaris | First Stage Bootloader For Secure Boot | Multiple | No | 7.5 | Adjacent Network |
High | None | None | Un- changed |
High | High | High | 11.4 | See Note 12 |
CVE-2024-53580 | Oracle Solaris | iPerf | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
CVE-2024-55605 | Oracle Solaris | Suricata | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 13 |
CVE-2022-48622 | Oracle Solaris | Pidgin | None | No | 7.3 | Local | Low | Low | Required | Un- changed |
High | High | High | 11.4 | |
CVE-2022-28737 | Oracle Solaris | First Stage Bootloader For Secure Boot | None | No | 6.5 | Local | Low | High | Required | Un- changed |
High | High | High | 11.4 | |
CVE-2023-45322 | Oracle Solaris | libxml2 | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
CVE-2025-1938 | Oracle Solaris | Network Security Services | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | See Note 14 |
CVE-2025-25186 | Oracle Solaris | Ruby | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
CVE-2017-10176 | Oracle Solaris | Network Security Services | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 11.4 | See Note 15 |
CVE-2024-25062 | Oracle Solaris | libxml2 | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
CVE-2024-50602 | Oracle Solaris | libexpat | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
CVE-2025-22871 | Oracle Solaris | Go Programming Language | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | High | None | 11.4 | |
CVE-2025-27219 | Oracle Solaris | Ruby | Multiple | Yes | 5.8 | Network | Low | None | None | Changed | None | None | Low | 11.4 | See Note 16 |
CVE-2024-56826 | Oracle Solaris | OpenJPEG | None | No | 5.6 | Local | Low | Low | Required | Un- changed |
Low | None | High | 11.4 | See Note 17 |
CVE-2024-11079 | Oracle Solaris | Ansible | Multiple | No | 5.5 | Network | High | Low | Required | Changed | Low | Low | Low | 11.4 | |
CVE-2024-34459 | Oracle Solaris | libxml2 | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
CVE-2024-50612 | Oracle Solaris | Libsndfile | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 11.4 | |
CVE-2025-1492 | Oracle Solaris | Wireshark | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
CVE-2023-4692 | Oracle Solaris | Grub Boot Loader | None | No | 5.3 | Local | High | High | None | Changed | High | None | None | 11.4 | See Note 18 |
CVE-2024-12133 | Oracle Solaris | GNU Libtasn1 | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
CVE-2024-52615 | Oracle Solaris | Avahi | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 11.4 | |
CVE-2024-52616 | Oracle Solaris | Avahi | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 11.4 | |
CVE-2025-26699 | Oracle Solaris | Django | Multiple | No | 5 | Network | Low | Low | None | Changed | None | None | Low | 11.4 | |
CVE-2024-56378 | Oracle Solaris | Poppler | None | No | 4.4 | Local | Low | Low | None | Un- changed |
Low | None | Low | 11.4 | |
CVE-2024-50349 | Oracle Solaris | Git | Multiple | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 11.4 | See Note 19 |
CVE-2024-11053 | Oracle Solaris | libcurl | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 20 |
CVE-2024-57970 | Oracle Solaris | Libarchive | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
CVE-2024-46901 | Oracle Solaris | Apache Subversion | Multiple | No | 3.1 | Network | High | Low | None | Un- changed |
None | None | Low | 11.4 | |
CVE-2024-57392 | Oracle Solaris | ProFTPD | Multiple | No | 0 | Network | Low | Low | None | Un- changed |
None | None | None | 11.4 |
CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
CVE-2024-11704 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 21 |
CVE-2024-11704 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 22 |
CVE-2024-43097 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 23 |
CVE-2024-43097 | Oracle Solaris | Thunderbird | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 24 |
CVE-2025-24813 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 8.6 | Network | Low | None | None | Un- changed |
High | Low | Low | 11.4 | |
CVE-2024-11187 | Oracle Solaris | Bind | DNS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 25 |
CVE-2025-27516 | Oracle Solaris | Jinja2 | None | No | 7.3 | Local | Low | Low | Required | Un- changed |
High | High | High | 11.4 | |
CVE-2025-0938 | Oracle Solaris | Python | HTTP | Yes | 6.8 | Network | High | None | None | Changed | None | High | None | 11.4 | |
CVE-2025-26465 | Oracle Solaris | OpenSSH | SSH | Yes | 6.8 | Network | High | None | Required | Un- changed |
High | High | None | 11.4, 11.3 | |
CVE-2024-49761 | Oracle Solaris | Ruby | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
CVE-2025-22870 | Oracle Solaris | Go Programming Language | HTTP | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | None | Low | 11.4 | |
CVE-2024-45336 | Oracle Solaris | Go Programming Language | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
High | None | None | 11.4 | See Note 26 |
CVE-2025-26466 | Oracle Solaris | OpenSSH | SSH | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
CVE-2024-11235 | Oracle Solaris | PHP | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 11.4 | See Note 27 |
CVE-2024-13176 | Oracle Solaris | OpenSSL | None | No | 4.7 | Local | High | Low | None | Un- changed |
High | None | None | 11.4, 11.3, 10 | |
CVE-2024-9143 | Oracle Solaris | OpenSSL | TLS | Yes | 3.7 | Network | High | None | None | Un- changed |
None | None | Low | 11.4, 11.3, 10 |
Notes:
1. This patch also addresses CVE-2025-23166 CVE-2025-23167.