Oracle Solaris Third Party Bulletin

Home Menu

Back ORACLE ACCOUNT

CLOUD ACCOUNT Sign in to Cloud

Oracle Cloud Free Tier

No results found

Your search did not match any results.

We suggest you try the following to help find what you're looking for:

Check the spelling of your keyword search.
Use synonyms for the keyword you typed, for example, try “application” instead of “software.”
Try one of the popular searches shown below.
Start a new search.

Trending Questions

Oracle Solaris Third Party Bulletin - January 2015

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.

Patch Availability

Please see My Oracle Support Note 1448883.1

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

14 April 2015
14 July 2015
20 October 2015
19 January 2016

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]

Modification History

2015-January-20	Rev 1. Initial Release
2015-February-02	Rev 2. CVEs added for Unzip and OpenSSL
2015-February-16	Rev 3. CVEs added for multiple components
2015-March-23	Rev 4. CVEs added for multiple components
2015-April-01	Rev 5. CVEs added for OpenSSL

Oracle Solaris Executive Summary

This Third Party Bulletin contains 58 new security fixes for the Oracle Solaris.48 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Risk Matrix

Revision 5: Published on 2015-April-01

CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2015-0292	Solaris	SSL/TLS	OpenSSL	Yes	7.5	Network	Low	None	Partial	Partial	Partial	11.2, 10
CVE-2015-0209	Solaris	SSL/TLS	OpenSSL	Yes	6.8	Network	Medium	None	Partial	Partial	Partial	11.2
CVE-2015-0286	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10
CVE-2015-0287	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10
CVE-2015-0289	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10
CVE-2015-0293	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10
CVE-2015-0288	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10

Revision 4: Published on 2015-March-23

CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2004-1019	Solaris	Multiple	PHP	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.2	See Note 8
CVE-2015-0240	Solaris	Multiple	Samba	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.2, 10
CVE-2014-7208	Solaris	None	Gparted	No	7.2	Local	Low	None	Complete	Complete	Complete	11.2
CVE-2014-8098	Solaris	Multiple	NVIDIA-GFX Kernel driver	No	6.5	Network	Low	Single	Partial	Partial	Partial	11.2	See Note 7
CVE-2014-4049	Solaris	Multiple	PHP	Yes	5.1	Network	High	None	Partial	Partial	Partial	11.2
CVE-2014-0237	Solaris	Multiple	PHP	Yes	5.0	Network	Low	None	None	None	Partial	11.2
CVE-2014-0238	Solaris	Multiple	PHP	Yes	5.0	Network	Low	None	None	None	Partial	11.2
CVE-2014-8088	Solaris	Multiple	PHP	Yes	5.0	Network	Low	None	Partial	None	None	11.2
CVE-2015-0562	Solaris	Multiple	Wireshark	Yes	5.0	Network	Low	None	None	None	Partial	11.2	See Note 9
CVE-2015-0561	Solaris	Multiple	Wireshark	Yes	5.0	Network	Low	None	None	None	Partial	11.2
CVE-2013-1752	Solaris	Multiple	Python 2.6	Yes	5.0	Network	Low	None	None	None	Partial	11.2
CVE-2014-4670	Solaris	None	PHP	No	4.6	Local	Low	None	Partial	Partial	Partial	11.2
CVE-2014-2497	Solaris	Multiple	PHP	Yes	4.3	Network	Medium	None	None	None	Partial	11.2
CVE-2014-3587	Solaris	Multiple	PHP	Yes	4.3	Network	Medium	None	None	None	Partial	11.2	See Note 5
CVE-2011-3201	Solaris	Multiple	Evolution	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2012-2738	Solaris	Multiple	Libvte	No	4.0	Network	Low	Single	None	None	Partial	11.2	See Note 6
CVE-2014-5459	Solaris	None	PHP	No	3.6	Local	Low	None	None	Partial	Partial	11.2
CVE-2014-4721	Solaris	Multiple	PHP	Yes	2.6	Network	High	None	Partial	None	None	11.2

Revision 3: Published on 2015-February-16

CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2014-9496	Solaris	Multiple	Libsndfile	Yes	10.0	Network	Low	None	Complete	Complete	Complete	11.2
CVE-2014-8962	Solaris	Multiple	libFLAC	Yes	7.5	Network	Low	None	Partial	Partial	Partial	11.2	See Note 4
CVE-2014-8145	Solaris	Multiple	Sox	Yes	7.5	Network	Low	None	Partial	Partial	Partial	11.2
CVE-2014-9365	Solaris	HTTP	Python	Yes	5.8	Network	Medium	None	Partial	Partial	None	11.2
CVE-2014-5355	Solaris	Kerberos	Kerberos	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10
CVE-2014-3566	Solaris	SSL	Firefox	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2014-3566	Solaris	SSL	Remote Administration Daemon (RAD)	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2014-8124	Solaris	HTTP	OpenStack Horizon	Yes	4.3	Network	Medium	None	None	None	Partial	11.2
CVE-2014-8124	Solaris	HTTP	Django authentication backend for OpenStack	Yes	4.3	Network	Medium	None	None	None	Partial	11.2
CVE-2014-3566	Solaris	SSL	Elinks Text-based Web browser	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2014-3566	Solaris	SSL	Erlang	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2014-3566	Solaris	SSL	Links Text-based Web Browser	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2014-3566	Solaris	SSL	Python 2.6	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2014-8150	Solaris	HTTP	Libcurl	Yes	4.3	Network	Medium	None	None	Partial	None	11.2
CVE-2014-3566	Solaris	SSL	Python 2.7	Yes	4.3	Network	Medium	None	Partial	None	None	11.2
CVE-2014-9493	Solaris	Multiple	OpenStack Glance	No	4.0	Network	Low	Single	Partial	None	None	11.2

Revision 2: Published on 2015-February-02

CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2014-8139	Solaris	None	Unzip	No	6.6	Local	Medium	Single	Complete	Complete	Complete	11.2, 10	See Note 3
CVE-2014-3571	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2
CVE-2015-0206	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2
CVE-2014-3569	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10
CVE-2014-3572	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	Partial	None	11.2
CVE-2015-0204	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	Partial	None	11.2, 10
CVE-2015-0205	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	Partial	None	11.2
CVE-2014-8275	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	None	Partial	None	11.2, 10
CVE-2014-3570	Solaris	SSL/TLS	OpenSSL	Yes	5.0	Network	Low	None	Partial	None	None	11.2, 10

Revision 1: Published on 2015-January-20

CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
CVE#	Product	Protocol	Third Party component	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Supported Versions Affected	Notes
CVE-2014-4877	Solaris	Multiple	Wget	Yes	9.3	Network	Medium	None	Complete	Complete	Complete	11.2, 10
CVE-2014-8500	Solaris	DNS	Bind	Yes	7.8	Network	Low	None	None	None	Complete	11.2, 10
CVE-2014-8103	Solaris	None	X.Org	No	6.8	Local	Low	Single	Complete	Complete	Complete	11.2, 10	See Note1
CVE-2013-5704	Solaris	HTTP	Apache HTTP Server	Yes	5.0	Network	Low	None	None	Partial	None	11.2
CVE-2014-8710	Solaris	Multiple	Wireshark	Yes	5.0	Network	Low	None	None	None	Partial	11.2	See Note2
CVE-2014-3660	Solaris	Multiple	libxml2	Yes	5.0	Network	Low	None	None	None	Partial	11.2, 10
CVE-2014-7821	Solaris	DNS	OpenStack Neutron	No	4.0	Network	Low	Single	None	None	Partial	11.2
CVE-2014-7960	Solaris	Multiple	OpenStack Object Storage (Swift)	No	4.0	Network	Low	Single	None	Partial	None	11.2

Notes:

This fix also addresses CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102.
This fix also addresses CVE-2014-8711, CVE-2014-8712, CVE-2014-8713, CVE-2014-8714.
This fix also addresses CVE-2014-8140 and CVE-2014-8141.
This fix also addresses CVE-2014-9028.
This fix also addresses CVE-2014-0207, CVE-2014-2497, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3515, CVE-2014-3538, CVE-2014-3597, CVE-2014-3710, CVE-2014-3981, CVE-2014-4049, CVE-2014-4670, CVE-2014-4698, CVE-2014-4721, CVE-2014-5120.
This fix also addresses CVE-2011-2198.
This fix also addresses CVE-2014-8091 and CVE-2014-8298.
This fix also addresses CVE-2014-8142.
This fix also addresses CVE-2015-0563 and CVE-2015-0564.