Oracle Solaris Third Party Bulletin - October 2015
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
- 19 January 2016
- 19 April 2016
- 19 July 2016
- 18 October 2016
References
Modification History
| 2016-January-14 | Rev 5. Added OpenSSH CVE-2016-0777 and CVE-2016-0778 |
| 2015-December-15 | Rev 4. Added all CVEs fixed in Solaris 11.3SRU3.6 |
| 2015-November-16 | Rev 3. Added all CVEs fixed in Solaris 11.3SRU2.4 |
| 2015-October-26 | Rev 2. Added all CVEs fixed in Solaris 11.3 and 11.3SRU1.5 |
| 2015-October-20 | Rev 1. Initial Release |
Oracle Solaris Executive Summary
This Third Party Bulletin contains 51 new security fixes for the Oracle Solaris. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Risk Matrix
Revision 5: Published on 2016-01-14
| CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
| Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
| CVE-2016-0778 | Solaris | SSH | OpenSSH | Yes | 5.1 | Network | High | None | Partial | Partial | Partial | 11.3 | |
|---|
| CVE-2016-0777 | Solaris | SSH | OpenSSH | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.3 | |
|---|
Revision 4: Published on 2015-12-15
| CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
| Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
| CVE-2015-8000 | Solaris | Bind | Bind/Postinstall script for Bind package | Yes | 7.1 | Network | Medium | None | None | None | Complete | 11.3, 10 | |
|---|
| CVE-2015-4491 | Solaris | Multiple | gdk-pixbuf | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.3, 10 | |
|---|
| CVE-2013-1438 | Solaris | Multiple | Dcraw | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | Common Unix Printing System (CUPS) | Yes | 4.3 | Network | Medium | None | Partial | None | None | 11.3 | |
|---|
| CVE-2015-7830 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
|---|
Revision 3: Published on 2015-11-16
| CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
| Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
| CVE-2015-1270 | Solaris | None | Localization (L10N) | No | 1.5 | Local | Medium | Single | None | None | Partial | 11.3 | |
|---|
| CVE-2015-4760 | Solaris | None | Localization (L10N) | No | 1.5 | Local | Medium | Single | None | None | Partial | 11.3 | |
|---|
| CVE-2015-2632 | Solaris | None | Localization (L10N) | No | 1.0 | Local | High | Single | None | None | Partial | 11.3 | |
|---|
Revision 2: Published on 2015-10-26
| CVE# |
Product |
Protocol |
Third Party component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
| Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
| CVE-2015-2731 | Solaris | Multiple | Firefox | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.3 | See Note 13 |
|---|
| CVE-2015-5600 | Solaris | SSH | OpenSSH | Yes | 8.5 | Network | Low | None | Partial | None | Complete | 11.3 | |
|---|
| CVE-2014-6507 | Solaris | Multiple | MySQL | No | 8.0 | Network | Low | Single | Partial+ | Partial+ | Complete | 11.3 | See Note 4 |
|---|
| CVE-2014-6507 | Solaris | Multiple | MySQL | No | 8.0 | Network | Low | Single | Partial+ | Partial+ | Complete | 11.3 | See Note 6 |
|---|
| CVE-2014-3634 | Solaris | Multiple | RSYSLOG | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3 | See Note 2 |
|---|
| CVE-2014-6052 | Solaris | Multiple | VNC | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3 | See Note 10 |
|---|
| CVE-2015-0411 | Solaris | Multiple | MySQL | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3 | See Note 5 |
|---|
| CVE-2014-3564 | Solaris | Multiple | GnuPG | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.3 | |
|---|
| CVE-2014-8097 | Solaris | None | Xsun server | No | 6.8 | Local | Low | Single | Complete | Complete | Complete | 10 | See Note 8 |
|---|
| CVE-2014-9512 | Solaris | Multiple | RSYNC | Yes | 6.4 | Network | Low | None | None | Partial | Partial | 11.3, 10 | |
|---|
| CVE-2014-2653 | Solaris | SSH | OpenSSH | Yes | 5.8 | Network | Medium | None | None | Partial | Partial | 11.3 | |
|---|
| CVE-2014-9365 | Solaris | Multiple | Python 3.4 | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.3 | |
|---|
| CVE-2013-6371 | Solaris | Multiple | JSON-C | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | See Note 3 |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | BitTorrent Client | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | Gnome-VFS | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3, 10 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | VNC | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | Pidgin | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | LibTLS | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | Ejabberd | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | Irssi | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2014-3566 | Solaris | SSL/TLS | LibSoup | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
|---|
| CVE-2015-0248 | Solaris | Multiple | Apache Subversion | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | |
|---|
| CVE-2015-1819 | Solaris | Multiple | libxml2 | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | |
|---|
| CVE-2015-3200 | Solaris | Multiple | Lighttpd | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.3 | |
|---|
| CVE-2015-4020 | Solaris | Multiple | Ruby | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.3 | See Note 18 |
|---|
| CVE-2015-5143 | Solaris | Multiple | Django Python web framework | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | |
|---|
| CVE-2015-4651 | Solaris | Multiple | Wireshark | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | See Note 14 |
|---|
| CVE-2015-3183 | Solaris | HTTP | Apache HTTP server | Yes | 5.0 | Network | Low | None | None | Partial | None | 11.3 | |
|---|
| CVE-2015-0253 | Solaris | HTTP | Apache HTTP server | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | See Note 7 |
|---|
| CVE-2015-5963 | Solaris | Multiple | Django Python web framework | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | See Note 16 |
|---|
| CVE-2014-0032 | Solaris | Multiple | Apache Subversion | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | See Note 1 |
|---|
| CVE-2015-5144 | Solaris | Multiple | Django Python web framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | |
|---|
| CVE-2015-6241 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | See Note 17 |
|---|
| CVE-2015-0251 | Solaris | Multiple | Apache Subversion | No | 4.0 | Network | Low | Single | None | Partial | None | 11.3 | |
|---|
| CVE-2015-2922 | Solaris | Multiple | Network Configuration | No | 3.3 | Adjacent Network | Low | None | None | None | Partial | 11.3 | See Note 9 |
|---|
| CVE-2013-1569 | Solaris | None | Localization (L10N) | No | 1.5 | Local | Medium | Single | None | None | Partial | 11.3 | See Note 11 |
|---|
| CVE-2014-8146 | Solaris | None | Localization (L10N) | No | 1.0 | Local | High | Single | None | None | Partial | 11.3 | See Note 12 |
|---|
Revision 1: Published on 2015-10-20
| CVE# |
Product |
Protocol |
Third Party
component |
Remote Exploit without Auth.? |
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) |
Supported Versions Affected |
Notes |
| Base Score |
Access Vector |
Access Complexity |
Authentication |
Confidentiality |
Integrity |
Availability |
| CVE-2015-5600 | Solaris | SSH | SSH | Yes | 8.5 | Network | Low | None | Partial | None | Complete | 11.2, 10 | |
|---|
| CVE-2014-0230 | Solaris | HTTP | Apache Tomcat | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.2, 10 | See Note 15 |
|---|
| CVE-2014-8111 | Solaris | HTTP | Apache HTTP server | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.2, 10 | |
|---|
Notes:
- This fix also addresses CVE-2013-4262 CVE-2013-7393 CVE-2014-3504 CVE-2014-3522 CVE-2014-3528.
- This fix also addresses CVE-2014-3683.
- This fix also addresses CVE-2013-6370.
- This fix also addresses CVE-2012-5615 CVE-2013-1511 CVE-2013-3793 CVE-2014-2432 CVE-2014-2440 CVE-2014-2494 CVE-2014-4243 CVE-2014-4260 CVE-2014-4274 CVE-2014-4287 CVE-2014-6464 CVE-2014-6484 CVE-2014-6494 CVE-2014-6496 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6551 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0391 CVE-2015-0432 CVE-2015-0433 CVE-2015-0499 CVE-2015-0505 CVE-2015-2573.
- This fix also addresses CVE-2013-2376 CVE-2013-5807 CVE-2014-0384 CVE-2014-2438 CVE-2015-0411 CVE-2015-0441.
- This fix also addresses CVE-2013-1502 CVE-2013-1511 CVE-2013-3794 CVE-2013-3801 CVE-2013-3805 CVE-2013-3809 CVE-2013-3812 CVE-2013-5891 CVE-2014-0420 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2440 CVE-2014-2494 CVE-2014-4207 CVE-2014-4243 CVE-2014-4258 CVE-2014-4260 CVE-2014-4287 CVE-2014-6463 CVE-2014-6464 CVE-2014-6469 CVE-2014-6478 CVE-2014-6484 CVE-2014-6491 CVE-2014-6494 CVE-2014-6495 CVE-2014-6496 CVE-2014-6500 CVE-2014-6505 CVE-2014-6507 CVE-2014-6520 CVE-2014-6530 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0391 CVE-2015-0432 CVE-2015-0433 CVE-2015-0499 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571.
- This fix also addresses CVE-2015-0228 CVE-2015-3183 CVE-2015-3185.
- This fix also addresses CVE-2014-8091 CVE-2014-8092 CVE-2014-8095 CVE-2014-8096 CVE-2014-8100 CVE-2014-8102 CVE-2015-3418.
- This fix also addresses CVE-2015-2923.
- This fix also addresses CVE-2014-6051 CVE-2014-8240 CVE-2014-8241.
- This fix also addresses CVE-2013-2383 CVE-2013-2384 CVE-2013-2419.
- This fix also addresses CVE-2014-8147.
- This fix also addresses CVE-2015-2721 CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2726 CVE-2015-2728 CVE-2015-2729 CVE-2015-2730 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2742 CVE-2015-2743.
- This fix also addresses CVE-2015-4652.
- This fix also addresses CVE-2014-7810.
- This fix also addresses CVE-2015-5964.
- This fix also addresses CVE-2015-6242 CVE-2015-6243 CVE-2015-6244 CVE-2015-6245 CVE-2015-6246 CVE-2015-6247 CVE-2015-6248 CVE-2015-6249.
- This fix also addresses CVE-2015-3900.