Oracle Solaris Third Party Bulletin - January 2015

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day as Oracle Critical Patch Updates. These bulletins are also updated on the Tuesday closest to the 17th of each of the two months following their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1.

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 14 April 2015
  • 14 July 2015
  • 20 October 2015
  • 19 January 2016

Modification History

2015-January-20 Rev 1. Initial Release
2015-February-02 Rev 2. CVEs added for Unzip and OpenSSL
2015-February-16 Rev 3. CVEs added for multiple components
2015-March-23 Rev 4. CVEs added for multiple components
2015-April-01 Rev 5. CVEs added for OpenSSL

Oracle Solaris Executive Summary

This Third Party Bulletin contains 58 new security fixes for Oracle Solaris. 48 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Risk Matrix

Revision 5: Published on 2015-April-01

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-0292 | Solaris | SSL/TLS | OpenSSL | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2, 10 | |
| CVE-2015-0209 | Solaris | SSL/TLS | OpenSSL | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.2 | |
| CVE-2015-0286 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2015-0287 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2015-0289 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2015-0293 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2015-0288 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |

Revision 4: Published on 2015-March-23

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2004-1019 | Solaris | Multiple | PHP | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.2 | See Note 8 |
| CVE-2015-0240 | Solaris | Multiple | Samba | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.2, 10 | |
| CVE-2014-7208 | Solaris | None | Gparted | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 11.2 | |
| CVE-2014-8098 | Solaris | Multiple | NVIDIA-GFX Kernel driver | No | 6.5 | Network | Low | Single | Partial | Partial | Partial | 11.2 | See Note 7 |
| CVE-2014-4049 | Solaris | Multiple | PHP | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 11.2 | |
| CVE-2014-0237 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2014-0238 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2014-8088 | Solaris | Multiple | PHP | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2 | |
| CVE-2015-0562 | Solaris | Multiple | Wireshark | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 9 |
| CVE-2015-0561 | Solaris | Multiple | Wireshark | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2013-1752 | Solaris | Multiple | Python 2.6 | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2014-4670 | Solaris | None | PHP | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 11.2 | |
| CVE-2014-2497 | Solaris | Multiple | PHP | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 | |
| CVE-2014-3587 | Solaris | Multiple | PHP | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 | See Note 5 |
| CVE-2011-3201 | Solaris | Multiple | Evolution | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2012-2738 | Solaris | Multiple | Libvte | No | 4.0 | Network | Low | Single | None | None | Partial | 11.2 | See Note 6 |
| CVE-2014-5459 | Solaris | None | PHP | No | 3.6 | Local | Low | None | None | Partial | Partial | 11.2 | |
| CVE-2014-4721 | Solaris | Multiple | PHP | Yes | 2.6 | Network | High | None | Partial | None | None | 11.2 | |

Revision 3: Published on 2015-February-16

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-9496 | Solaris | Multiple | Libsndfile | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.2 | |
| CVE-2014-8962 | Solaris | Multiple | libFLAC | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 | See Note 4 |
| CVE-2014-8145 | Solaris | Multiple | Sox | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.2 | |
| CVE-2014-9365 | Solaris | HTTP | Python | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.2 | |
| CVE-2014-5355 | Solaris | Kerberos | Kerberos | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2014-3566 | Solaris | SSL | Firefox | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-3566 | Solaris | SSL | Remote Administration Daemon (RAD) | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-8124 | Solaris | HTTP | OpenStack Horizon | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 | |
| CVE-2014-8124 | Solaris | HTTP | Django authentication backend for OpenStack | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.2 | |
| CVE-2014-3566 | Solaris | SSL | Elinks Text-based Web browser | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-3566 | Solaris | SSL | Erlang | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-3566 | Solaris | SSL | Links Text-based Web Browser | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-3566 | Solaris | SSL | Python 2.6 | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-8150 | Solaris | HTTP | Libcurl | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.2 | |
| CVE-2014-3566 | Solaris | SSL | Python 2.7 | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.2 | |
| CVE-2014-9493 | Solaris | Multiple | OpenStack Glance | No | 4.0 | Network | Low | Single | Partial | None | None | 11.2 | |

Revision 2: Published on 2015-February-02

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-8139 | Solaris | None | Unzip | No | 6.6 | Local | Medium | Single | Complete | Complete | Complete | 11.2, 10 | See Note 3 |
| CVE-2014-3571 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2015-0206 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | |
| CVE-2014-3569 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2014-3572 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.2 | |
| CVE-2015-0204 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.2, 10 | |
| CVE-2015-0205 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.2 | |
| CVE-2014-8275 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.2, 10 | |
| CVE-2014-3570 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2, 10 | |

Revision 1: Published on 2015-January-20

Columns Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Product | Protocol | Third Party Component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-4877 | Solaris | Multiple | Wget | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | 11.2, 10 | |
| CVE-2014-8500 | Solaris | DNS | Bind | Yes | 7.8 | Network | Low | None | None | None | Complete | 11.2, 10 | |
| CVE-2014-8103 | Solaris | None | X.Org | No | 6.8 | Local | Low | Single | Complete | Complete | Complete | 11.2, 10 | See Note 1 |
| CVE-2013-5704 | Solaris | HTTP | Apache HTTP Server | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.2 | |
| CVE-2014-8710 | Solaris | Multiple | Wireshark | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2 | See Note 2 |
| CVE-2014-3660 | Solaris | Multiple | libxml2 | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | |
| CVE-2014-7821 | Solaris | DNS | OpenStack Neutron | No | 4.0 | Network | Low | Single | None | None | Partial | 11.2 | |
| CVE-2014-7960 | Solaris | Multiple | OpenStack Object Storage (Swift) | No | 4.0 | Network | Low | Single | None | Partial | None | 11.2 | |

Notes:

  1. This fix also addresses CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102.
  2. This fix also addresses CVE-2014-8711, CVE-2014-8712, CVE-2014-8713, CVE-2014-8714.
  3. This fix also addresses CVE-2014-8140 and CVE-2014-8141.
  4. This fix also addresses CVE-2014-9028.
  5. This fix also addresses CVE-2014-0207, CVE-2014-2497, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3515, CVE-2014-3538, CVE-2014-3597, CVE-2014-3710, CVE-2014-3981, CVE-2014-4049, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721, CVE-2014-5120.
  6. This fix also addresses CVE-2011-2198.
  7. This fix also addresses CVE-2014-8091 and CVE-2014-8298.
  8. This fix also addresses CVE-2014-8142.
  9. This fix also addresses CVE-2015-0563 and CVE-2015-0564.
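The matrix rows publish each issue's CVSS v2.0 metric vector alongside its base score and the "Remote Exploit without Auth.?" flag, which makes them self-checking: the score follows from the vector by the published CVSS v2.0 equation, and the flag is "Yes" exactly when the Access Vector is Network and Authentication is None. The script below is an added example, not Oracle's code; it implements that recomputation and runs it over a hand-copied subset of the rows above, so a patch-triage team can confirm the numbers before ranking what to apply first. The metric weights and rounding rule are the published CVSS v2.0 values; the sample rows are constructed here from the tables on this page.

```python
"""Recompute CVSS v2.0 base scores for rows of a Third Party Bulletin risk matrix.

Added example (not Oracle's code). Weights and the base-score equation are the
published CVSS v2.0 formula; SAMPLE_ROWS is a subset copied from the matrix above.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def round_to_1_decimal(x: float) -> float:
    """CVSS v2 rounds half up to one decimal; Decimal avoids binary-float surprises."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av: str, ac: str, au: str, conf: str, integ: str, avail: str) -> float:
    """CVSS v2.0 base score from the six base metrics (names as printed in the matrix)."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def remote_without_auth(av: str, au: str) -> str:
    """The matrix's 'Remote Exploit without Auth.?' column: Yes only for Network + no auth."""
    return "Yes" if av == "Network" and au == "None" else "No"


# Constructed subset of matrix rows, copied from this bulletin:
# (CVE, component, remote?, published score, AV, AC, Au, C, I, A)
SAMPLE_ROWS = [
    ("CVE-2015-0292", "OpenSSL", "Yes", 7.5, "Network", "Low", "None", "Partial", "Partial", "Partial"),
    ("CVE-2015-0209", "OpenSSL", "Yes", 6.8, "Network", "Medium", "None", "Partial", "Partial", "Partial"),
    ("CVE-2004-1019", "PHP", "Yes", 10.0, "Network", "Low", "None", "Complete", "Complete", "Complete"),
    ("CVE-2014-7208", "Gparted", "No", 7.2, "Local", "Low", "None", "Complete", "Complete", "Complete"),
    ("CVE-2014-8098", "NVIDIA-GFX Kernel driver", "No", 6.5, "Network", "Low", "Single", "Partial", "Partial", "Partial"),
    ("CVE-2014-4049", "PHP", "Yes", 5.1, "Network", "High", "None", "Partial", "Partial", "Partial"),
    ("CVE-2014-0237", "PHP", "Yes", 5.0, "Network", "Low", "None", "None", "None", "Partial"),
    ("CVE-2014-5459", "PHP", "No", 3.6, "Local", "Low", "None", "None", "Partial", "Partial"),
    ("CVE-2014-4721", "PHP", "Yes", 2.6, "Network", "High", "None", "Partial", "None", "None"),
    ("CVE-2014-9365", "Python", "Yes", 5.8, "Network", "Medium", "None", "Partial", "Partial", "None"),
    ("CVE-2014-3566", "Firefox", "Yes", 4.3, "Network", "Medium", "None", "Partial", "None", "None"),
    ("CVE-2014-9493", "OpenStack Glance", "No", 4.0, "Network", "Low", "Single", "Partial", "None", "None"),
    ("CVE-2014-8139", "Unzip", "No", 6.6, "Local", "Medium", "Single", "Complete", "Complete", "Complete"),
    ("CVE-2014-4877", "Wget", "Yes", 9.3, "Network", "Medium", "None", "Complete", "Complete", "Complete"),
    ("CVE-2014-8500", "Bind", "Yes", 7.8, "Network", "Low", "None", "None", "None", "Complete"),
    ("CVE-2014-8103", "X.Org", "No", 6.8, "Local", "Low", "Single", "Complete", "Complete", "Complete"),
]


def check_row(row: tuple) -> dict:
    """Recompute one row and report whether score and remote flag agree with the vector."""
    cve, component, remote, score, av, ac, au, c, i, a = row
    computed = base_score(av, ac, au, c, i, a)
    return {
        "cve": cve,
        "component": component,
        "published": score,
        "computed": computed,
        "score_ok": computed == score,
        "remote_ok": remote_without_auth(av, au) == remote,
    }


def verify_matrix(rows=SAMPLE_ROWS) -> list:
    """Return the CVEs whose published score or remote flag disagrees with their vector."""
    return [r["cve"] for r in map(check_row, rows) if not (r["score_ok"] and r["remote_ok"])]


def triage_order(rows=SAMPLE_ROWS) -> list:
    """CVEs ordered for patching: remote-unauthenticated first, then by recomputed score."""
    checked = [check_row(r) for r in rows]
    flags = {r[0]: remote_without_auth(r[4], r[6]) for r in rows}
    checked.sort(key=lambda r: (flags[r["cve"]] != "Yes", -r["computed"]))
    return [r["cve"] for r in checked]


if __name__ == "__main__":
    print("mismatches:", verify_matrix() or "none")
    for cve in triage_order():
        print(cve)
```

Every sample row recomputes to the score the bulletin prints, which also means the "Remote Exploit without Auth.?" column can be derived rather than trusted, and the triage ordering can be driven from the vectors alone when the matrix is ingested into a tracking system.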