No results found

Your search did not match any results.

We suggest you try the following to help find what you’re looking for:

  • Check the spelling of your keyword search.
  • Use synonyms for the keyword you typed, for example, try “application” instead of “software.”
  • Try one of the popular searches shown below.
  • Start a new search.
Trending Questions
 

Oracle Solaris Third Party Bulletin - July 2021

 

Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.

 

Patch Availability

Please see My Oracle Support Note 1448883.1

 

Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 October 2021
  • 18 January 2022
  • 19 April 2022
  • 19 July 2022

References

 

Modification History

Date Note
2021-September-14 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 37.
2021-August-26 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 36.
2021-July-20 Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 35. Solaris 11.3 ESU 36.26 released as well.

Oracle Solaris Executive Summary

This Oracle Solaris Bulletin contains 54 new security patches for the Oracle Solaris Operating System.  39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

Oracle Solaris Third Party Bulletin Risk Matrix

Revision 3: Published on 2021-09-14

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-34552 Oracle Solaris Python Imaging Library (PIL) Multiple Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2021-35042 Oracle Solaris Django Multiple Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2021-28091 Oracle Solaris Lasso Library Multiple No 8.8 Network Low Low None Un
changed
High High High 11.4  
CVE-2021-33503 Oracle Solaris Urllib3 Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2021-32066 Oracle Solaris Ruby None No 7 Local High None Required Un
changed
High High High 11.4 See
Note 1
CVE-2021-38115 Oracle Solaris GD2 Graphics Draw Library Multiple Yes 6.5 Network Low None Required Un
changed
None None High 11.4  
CVE-2019-25051 Oracle Solaris GNU Aspell None No 5.5 Local Low Low None Un
changed
None None High 11.4  
CVE-2021-20243 Oracle Solaris ImageMagick None No 5.5 Local Low None Required Un
changed
None None High 11.4 See
Note 2
CVE-2019-11038 Oracle Solaris GD2 Graphics Draw Library Multiple Yes 5.3 Network Low None None Un
changed
Low None None 11.4  
CVE-2021-38165 Oracle Solaris Lynx Multiple Yes 5.3 Network High None Required Un
changed
High None None 11.4  
CVE-2021-3672 Oracle Solaris C-Ares Asychronous Dns Library None Yes 5 Network High None Required Un
changed
Low Low Low 11.4  

Revision 2: Published on 2021-08-26

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2021-20305 Oracle Solaris Nettle Multiple Yes 8.1 Network High None None Un
changed
High High High 11.4  
CVE-2021-31535 Oracle Solaris X.Org Multiple Yes 8.1 Network High None None Un
changed
High High High 11.4  
CVE-2021-3487 Oracle Solaris GNU binary utilities None No 7.8 Local Low None Required Un
changed
High High High 11.4 See
Note 3
CVE-2014-3591 Oracle Solaris Libgcrypt Multiple Yes 7.5 Network Low None None Un
changed
High None None 11.4 See
Note 4
CVE-2020-29361 Oracle Solaris p11-kit Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 5
CVE-2021-20230 Oracle Solaris Stunnel Multiple Yes 7.5 Network Low None None Un
changed
High None None 11.4  
CVE-2021-22222 Oracle Solaris Wireshark Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2021-2388 Oracle Solaris JDK 8 Multiple Yes 7.5 Network High None Required Un
changed
High High High 11.4 See
Note 6
CVE-2021-25287 Oracle Solaris Python Imaging Library (PIL) Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 7
CVE-2021-20231 Oracle Solaris GnuTLS SSL/TLS Yes 7.4 Network High None None Un
changed
None High High 11.4 See
Note 8
CVE-2020-26116 Oracle Solaris Urllib3 Multiple Yes 6.5 Network Low None None Un
changed
Low Low None 11.4 See
Note 9
CVE-2021-25217 Oracle Solaris ISC DHCP No 6.5 Adjacent
Network
Low None None Un
changed
None None High 11.4  
CVE-2021-3450 Oracle Solaris Node.js Multiple No 6.3 Network Low Low None Un
changed
Low Low Low 11.4 See
Note 10
CVE-2021-20294 Oracle Solaris GNU binary utilities None No 6.1 Local Low None Required Un
changed
Low None High 11.4 See
Note 11
CVE-2021-28957 Oracle Solaris Python HTTP Yes 6.1 Network Low None Required Changed Low Low None 11.4  
CVE-2021-3426 Oracle Solaris Python HTTP No 5.7 Adjacent
Network
Low Low None Un
changed
High None None 11.4  
CVE-2021-29338 Oracle Solaris OpenJPEG None No 5.5 Local Low None Required Un
changed
None None High 11.4  
CVE-2003-1567 Oracle Solaris Install HTTP Yes 4.3 Network Low None Required Un
changed
Low None None 11.4 See
Note 12
CVE-2021-2369 Oracle Solaris JDK 7 Multiple Yes 4.3 Network Low None Required Un
changed
None Low None 11.4 See
Note 13
CVE-2020-25705 Oracle Solaris Kernel ICMP Yes 4 Network High None None Changed Low None None 11.4  
CVE-2020-11736 Oracle Solaris file-roller HTTP No 3.9 Local Low Low Required Un
changed
None Low Low 11.4 See
Note 14
CVE-2021-22876 Oracle Solaris libcurl HTTP Yes 3.7 Network High None None Un
changed
Low None None 11.4  
CVE-2021-22890 Oracle Solaris libcurl TLS Yes 3.7 Network High None None Un
changed
Low None None 11.4  
CVE-2021-20193 Oracle Solaris GNU Tar None No 3.3 Local Low None Required Un
changed
None None Low 11.4  

Revision 1: Published on 2021-07-20

CVE# Product Third
Party
component
Protocol Remote
Exploit
without
Auth.?
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) Supported
Versions
Affected
Notes
Base
Score
Attack
Vector
Attack
Complexity
Privs
Req'd
User
Interact
Scope Confid-
entiality
Inte-
grity
Avail-
ability
CVE-2020-18032 Oracle Solaris Graphviz HTTP Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2021-3520 Oracle Solaris LZ4 Multiple Yes 9.8 Network Low None None Un
changed
High High High 11.4  
CVE-2021-32055 Oracle Solaris Mutt HTTP Yes 9.1 Network Low None None Un
changed
High None High 11.4  
CVE-2020-14387 Oracle Solaris rsync HTTP Yes 9.1 Network Low None None Un
changed
High High None 11.4  
CVE-2021-20240 Oracle Solaris GDK-PixBuf HTTP Yes 8.8 Network Low None Required Un
changed
High High High 11.4  
CVE-2021-29967 Oracle Solaris Firefox Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 15
CVE-2021-29967 Oracle Solaris Thunderbird Multiple Yes 8.8 Network Low None Required Un
changed
High High High 11.4 See
Note 16
CVE-2021-3472 Oracle Solaris X.Org None No 7.8 Local Low Low None Un
changed
High High High 11.4  
CVE-2021-3560 Oracle Solaris Polkit None No 7.8 Local Low Low None Un
changed
High High High 11.4  
CVE-2021-27291 Oracle Solaris Pygments HTTP Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2021-20270 Oracle Solaris Pygments HTTP Yes 7.5 Network Low None None Un
changed
None None High 11.4  
CVE-2021-28965 Oracle Solaris Ruby HTTP Yes 7.5 Network Low None None Un
changed
None High None 11.4  
CVE-2021-2307 Oracle Solaris MySQL Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4 See
Note 17
CVE-2021-31618 Oracle Solaris Apache HTTP server Multiple Yes 7.5 Network Low None None Un
changed
None None High 11.4, 10  
CVE-2021-3450 Oracle Solaris OpenSSL TLS Yes 7.4 Network High None None Un
changed
High High None 11.4 See
Note 18
CVE-2021-32052 Oracle Solaris Django HTTP Yes 7.4 Network High None None Un
changed
High High None 11.4  
CVE-2021-3449 Oracle Solaris OpenSSL TLS Yes 5.9 Network High None None Un
changed
None None High 11.4  
CVE-2021-33203 Oracle Solaris Django HTTP Yes 5.9 Network High None None Un
changed
None High None 11.4 See
Note 19
CVE-2021-3468 Oracle Solaris Avahi None No 5.5 Local Low Low None Un
changed
None None High 11.4  

Notes:

1. This patch also addresses CVE-2021-31799 CVE-2021-31810.

2. This patch also addresses CVE-2021-20244.

3. This patch also addresses CVE-2020-35448 CVE-2021-20284.

4. This patch also addresses CVE-2021-33560.

5. This patch also addresses CVE-2020-29362 CVE-2020-29363.

6. This patch also addresses CVE-2021-2341 CVE-2021-2369.

7. This patch also addresses CVE-2021-25288 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678.

8. This patch also addresses CVE-2021-20232.

9. This patch also addresses CVE-2020-26137.

10. This patch also addresses CVE-2020-7774 CVE-2021-3449.

11. This patch also addresses CVE-2020-35448 CVE-2020-35493 CVE-2020-35494 CVE-2020-35495 CVE-2020-35496 CVE-2020-35507 CVE-2021-20197.

12. This patch also addresses CVE-2004-2320 CVE-2010-0386.

13. This patch also addresses CVE-2021-2341 CVE-2021-2432.

14. This patch also addresses CVE-2020-36314.

15. This patch also addresses CVE-2021-29951 CVE-2021-29964.

16. This patch also addresses CVE-2021-29951 CVE-2021-29956 CVE-2021-29957 CVE-2021-29964.

17. This patch also addresses CVE-2021-2146 CVE-2021-2154 CVE-2021-2162 CVE-2021-2166 CVE-2021-2169 CVE-2021-2171 CVE-2021-2174 CVE-2021-2179 CVE-2021-2180 CVE-2021-2194 CVE-2021-2226 CVE-2021-23841 CVE-2021-3449.

18. This patch also addresses CVE-2021-3449.

19. This patch also addresses CVE-2021-33571.