No results found

Your search did not match any results.

We suggest you try the following to help find what you’re looking for:

  • Check the spelling of your keyword search.
  • Use synonyms for the keyword you typed, for example, try “application” instead of “software.”
  • Try one of the popular searches shown below.
  • Start a new search.
Trending Questions
 

Oracle Solaris Third Party Bulletin - January 2021


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 20 April 2021
  • 20 July 2021
  • 19 October 2021
  • 18 January 2022

References


Modification History

Date Note
2021-March-16 Rev 4. Added CVEs fixed in Solaris 11.4 SRU 31
2021-February-16 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 30
2021-January-28 Rev 2. Added CVE-2021-3156
2021-January-19 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.24 and Solaris 11.4 SRU 29

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 45 new security patches for the Oracle Solaris Operating System.  33 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

 

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 4: Published on 2021-03-16

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-16044 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 1
CVE-2020-35654 Oracle Solaris Python Imaging Library (PIL) Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 2
CVE-2021-23978 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 3
CVE-2021-23978 Oracle Solaris Thunderbird Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 4
CVE-2020-25681 Oracle Solaris DNSmasq Multiple Yes 8.1 Network High None None Un
changed
High High High 11.4 See
Note 5
CVE-2020-8625 Oracle Solaris Bind TSIG Yes 8.1 Network High None None Un
changed
High High High 11.4  
CVE-2020-27814 Oracle Solaris OpenJPEG None No 7.8 Local Low None Required Un
changed
High High High 11.4 See
Note 6
CVE-2020-26154 Oracle Solaris libproxy Multiple No 7.5 Adjacent
Network
High None None Un
changed
High High High 11.4  
CVE-2020-36221 Oracle Solaris OpenLDAP server LDAP Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 7
CVE-2021-21702 Oracle Solaris PHP Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 8
CVE-2020-15685 Oracle Solaris Thunderbird Multiple Yes 6.1 Network Low None Required Changed Low Low None 11.4 See
Note 9
CVE-2020-27783 Oracle Solaris Python-lxml HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.4  
CVE-2020-25659 Oracle Solaris Python cryptographic standard library Multiple Yes 5.9 Network High None None Un
changed
High None None 11.4  

Revision 3: Published on 2021-02-16

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-15900 Oracle Solaris Ghostscript Multiple Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2020-13543 Oracle Solaris WebKitGTK HTTP Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 10
CVE-2020-26971 Oracle Solaris Thunderbird Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 11
CVE-2020-26971 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4  
CVE-2020-12695 Oracle Solaris Pidgin Multiple No 8.2 Adjacent
Network
Low None None Changed High None Low 11.4  
CVE-2019-20916 Oracle Solaris PIP Multiple No 8 Network Low Low Required Un
changed
High High High 11.4  
CVE-2020-14360 Oracle Solaris X.Org None No 7.8 Local Low Low None Un
changed
High High High 11.4 See
Note 12
CVE-2020-11979 Oracle Solaris Apache Ant Multiple Yes 7.5 Network Low None None Un
changed
None High None 11.4 See
Note 13
CVE-2020-1472 Oracle Solaris SMB Server Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2020-1967 Oracle Solaris OpenSSL TLS Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2020-25692 Oracle Solaris OpenLDAP server LDAP Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2020-26117 Oracle Solaris VNC Multiple Yes 7.5 Network Low None None Un
changed
None High None 11.4  
CVE-2020-27619 Oracle Solaris Python HTTP Yes 7.5 Network High None Required Un
changed
High High High 11.4  
CVE-2020-8037 Oracle Solaris TCPdump Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2020-8277 Oracle Solaris Node.js DNS Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2020-8252 Oracle Solaris Node.js HTTP Yes 7.4 Network High None None Un
changed
High High None 11.4 See
Note 14
CVE-2020-24977 Oracle Solaris libxml2 Multiple Yes 6.5 Network Low None None Un
changed
Low None Low 11.4  
CVE-2020-3299 Oracle Solaris Snort HTTP Yes 5.8 Network Low None None Changed None Low None 11.4  
CVE-2018-21232 Oracle Solaris re2c None No 5.5 Local Low None Required Un
changed
None None High 11.4  
CVE-2020-29385 Oracle Solaris GNOME None No 5.5 Local Low None Required Un
changed
None None High 11.4  
CVE-2019-7317 Oracle Solaris LibPNG Multiple Yes 5.3 Network High None Required Un
changed
None None High 11.4  
CVE-2020-26418 Oracle Solaris Wireshark None Yes 5.3 Network Low None None Un
changed
None None Low 11.4 See
Note 15
CVE-2020-28896 Oracle Solaris Mutt Multiple Yes 5.3 Network High None Required Un
changed
High None None 11.4  
CVE-2020-14323 Oracle Solaris Samba None No 5 Local Low Low Required Un
changed
None None High 11.4  
CVE-2020-14318 Oracle Solaris Samba Multiple No 4.3 Network Low Low None Un
changed
Low None None 11.4  
CVE-2019-9904 Oracle Solaris Graphviz None No 2.9 Local High None None Un
changed
None None Low 11.4  

Revision 2: Published on 2021-01-28

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-3156 Oracle Solaris Sudo None No 7.8 Local Low Low None Un
changed
High High High 11.4, 11.3, 10  

Revision 1: Published on 2021-01-19

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-26970 Oracle Solaris Thunderbird SMTP Yes 7.5 Network High None Required Un
changed
High High High 11.4  
CVE-2020-17527 Oracle Solaris Apache Tomcat HTTP Yes 7.5 Network Low None None Un
changed
High None None 11.4  
CVE-2020-1971 Oracle Solaris OpenSSL TLS Yes 5.9 Network High None None Un
changed
None None High 11.3, 10  
CVE-2020-13943 Oracle Solaris Apache Tomcat HTTP No 4.3 Network Low Low None Un
changed
Low None None 11.4  
CVE-2020-1968 Oracle Solaris OpenSSL TLS Yes 3.7 Network High None None Un
changed
Low None None 11.3, 10  

Notes:

1. This patch also addresses CVE-2020-26976 CVE-2021-23953 CVE-2021-23954 CVE-2021-23960 CVE-2021-23964.

2. This patch also addresses CVE-2020-35653 CVE-2020-35655.

3. This patch also addresses CVE-2021-23968 CVE-2021-23969 CVE-2021-23973.

4. This patch also addresses CVE-2021-23968 CVE-2021-23969 CVE-2021-23973.

5. This patch also addresses CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687.

6. This patch also addresses CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27844 CVE-2020-27845.

7. This patch also addresses CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230.

8. This patch also addresses CVE-2020-7071.

9. This patch also addresses CVE-2020-16044 CVE-2020-26976 CVE-2021-23953 CVE-2021-23954 CVE-2021-23960 CVE-2021-23964.

10. This patch also addresses CVE-2020-13584 CVE-2020-9948 CVE-2020-9951 CVE-2020-9952 CVE-2020-9983.

11. This patch also addresses CVE-2020-16042 CVE-2020-26973 CVE-2020-26974 CVE-2020-26978 CVE-2020-35111 CVE-2020-35112 CVE-2020-35113.

12. This patch also addresses CVE-2020-25712.

13. This patch also addresses CVE-2020-1945.

14. This patch also addresses CVE-2020-8201 CVE-2020-8251 CVE-2020-8277.

15. This patch also addresses CVE-2020-26419 CVE-2020-26420 CVE-2020-26421.