Oracle Solaris Third Party Bulletin - April 2016


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 19 July 2016
  • 18 October 2016
  • 17 January 2017
  • 18 April 2017

References


Modification History


2016-September-21 Rev 7. Added new CVEs fixed via Firefox upgrade
2016-July-08 Rev 6. Added NTP CVEs
2016-June-27 Rev 5. Added OpenSSL CVE-2016-2177, CVE-2016-2178
2016-June-20 Rev 4. Added all CVEs fixed in Solaris 11.3 SRU9.4
2016-June-10 Rev 3. Added OpenSSL CVEs
2016-May-31 Rev 2. Added all CVEs fixed in Solaris 11.3 SRU8.7
2016-April-19 Rev 1. Initial Release

Oracle Solaris Executive Summary

This Third Party Bulletin contains 53 new security fixes for Oracle Solaris. 41 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Solaris Risk Matrix


Revision 7: Published on 2016-09-21



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2014-1545 | Solaris | Multiple | Firefox | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.3 | See Note 13 |


Revision 6: Published on 2016-07-08



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-1548 | Solaris | NTP | NTP | Yes | 6.4 | Network | Low | None | None | Partial | Partial | 11.3, 10 | See Note 11 |
| CVE-2016-4957 | Solaris | NTP | NTP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3, 10 | |
| CVE-2016-4956 | Solaris | NTP | NTP | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3, 10 | |
| CVE-2016-4953 | Solaris | NTP | NTP | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3, 10 | |
| CVE-2016-4954 | Solaris | NTP | NTP | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3, 10 | |
| CVE-2016-4955 | Solaris | NTP | NTP | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3, 10 | |


Revision 5: Published on 2016-06-27



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-2177 | Solaris | SSL/TLS | OpenSSL | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3, 10 | |
| CVE-2016-2178 | Solaris | SSL/TLS | OpenSSL | No | 2.1 | Local | Low | None | Partial | None | None | 11.3, 10 | |


Revision 4: Published on 2016-06-20



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2015-2806 | Solaris | Multiple | GNU Libtasn1 | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.3 | |
| CVE-2014-9679 | Solaris | Multiple | Common Unix Printing System (CUPS) | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.3 | |
| CVE-2015-8786 | Solaris | Multiple | RabbitMQ | No | 6.8 | Network | Low | Single | None | None | Complete | 11.3 | |
| CVE-2015-7546 | Solaris | Multiple | OpenStack Identity (Keystone) | No | 6.0 | Network | Medium | Single | Partial | Partial | Partial | 11.3 | |
| CVE-2015-5295 | Solaris | Multiple | OpenStack Orchestration API (Heat) | No | 5.5 | Network | Low | Single | Partial | None | Partial | 11.3 | |
| CVE-2016-3115 | Solaris | SSH | OpenSSH | No | 5.5 | Network | Low | Single | Partial | Partial | None | 11.3 | |
| CVE-2015-5223 | Solaris | Multiple | OpenStack Object Storage (Swift) | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
| CVE-2016-0738 | Solaris | Multiple | OpenStack Object Storage (Swift) | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | See Note 8 |
| CVE-2015-8853 | Solaris | Multiple | Perl | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3 | |
| CVE-2015-8665 | Solaris | Multiple | LibTIFF | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8683 | Solaris | Multiple | LibTIFF | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2015-8781 | Solaris | Multiple | LibTIFF | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3, 10 | See Note 9 |
| CVE-2015-1547 | Solaris | Multiple | LibTIFF | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3, 10 | See Note 10 |
| CVE-2016-2512 | Solaris | Multiple | Django Python web framework | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.3 | |
| CVE-2016-4085 | Solaris | Multiple | Wireshark | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | See Note 12 |
| CVE-2016-2513 | Solaris | Multiple | Django Python web framework | Yes | 2.6 | Network | High | None | Partial | None | None | 11.3 | |


Revision 3: Published on 2016-06-10



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-2108 | Solaris | SSL/TLS | OpenSSL | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 10 | |
| CVE-2016-2109 | Solaris | SSL/TLS | OpenSSL | Yes | 7.8 | Network | Low | None | None | None | Complete | 11.3, 10 | |
| CVE-2016-2176 | Solaris | SSL/TLS | OpenSSL | Yes | 6.4 | Network | Low | None | Partial | None | Partial | 11.3, 10 | |
| CVE-2016-2105 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3, 10 | |
| CVE-2016-2106 | Solaris | SSL/TLS | OpenSSL | Yes | 5.0 | Network | Low | None | None | None | Partial | 11.3, 10 | |
| CVE-2016-2107 | Solaris | SSL/TLS | OpenSSL | Yes | 2.6 | Network | High | None | Partial | None | None | 11.3, 10 | See Note 7 |


Revision 2: Published on 2016-05-31



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-2315 | Solaris | Multiple | Git | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.3 | See Note 5 |
| CVE-2016-2342 | Solaris | Multiple | Quagga | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 11.3 | |
| CVE-2015-7545 | Solaris | Multiple | Git | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3 | |
| CVE-2015-2695 | Solaris | Kerberos | Kerberos | Yes | 7.1 | Network | Medium | None | None | None | Complete | 11.3 | |
| CVE-2015-2697 | Solaris | Kerberos | Kerberos | No | 6.8 | Network | Low | Single | None | None | Complete | 11.3 | |
| CVE-2016-3068 | Solaris | Multiple | Mercurial source code management | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.3 | See Note 4 |
| CVE-2016-3115 | Solaris | SSH | SSH | No | 5.5 | Network | Low | Single | Partial | Partial | None | 11.3, 10 | |
| CVE-2014-3566 | Solaris | SSL | Evolution | Yes | 5.0 | Network | Low | None | Partial | None | None | 11.3 | |
| CVE-2015-7551 | Solaris | None | Ruby | No | 4.6 | Local | Low | None | Partial | Partial | Partial | 11.3 | |
| CVE-2015-8629 | Solaris | Kerberos | Kerberos | No | 2.1 | Network | High | Single | Partial | None | None | 11.3, 10 | |




Revision 1: Published on 2016-04-19



CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) covers the columns Base Score through Availability.

| CVE# | Product | Protocol | Third Party component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-0705 | Solaris | SSL/TLS | OpenSSL | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 11.3, 10 | |
| CVE-2016-0799 | Solaris | SSL/TLS | WanBoot | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 10 | See Note 1 |
| CVE-2016-0798 | Solaris | SSL/TLS | OpenSSL | Yes | 7.8 | Network | Low | None | None | None | Complete | 11.3, 10 | |
| CVE-2015-3415 | Solaris | Multiple | SQLite3 | Yes | 7.5 | Network | Low | None | Partial | Partial | Partial | 11.3, 10 | See Note 3 |
| CVE-2015-5602 | Solaris | None | Sudo | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 11.3, 10 | |
| CVE-2015-4752 | Solaris | None | MySQL | No | 7.2 | Local | Low | None | Complete | Complete | Complete | 11.3 | See Note 2 |
| CVE-2016-2523 | Solaris | Multiple | Wireshark | Yes | 7.1 | Network | Medium | None | None | None | Complete | 11.3 | |
| CVE-2016-1283 | Solaris | Multiple | PCRE | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.3 | |
| CVE-2014-9766 | Solaris | Multiple | X.Org | Yes | 6.8 | Network | Medium | None | Partial | Partial | Partial | 11.3, 10 | |
| CVE-2015-3885 | Solaris | Multiple | Dcraw | Yes | 4.3 | Network | Medium | None | None | None | Partial | 11.3 | |
| CVE-2007-6720 | Solaris | Multiple | Libmikmod | Yes | 2.6 | Network | High | None | None | None | Partial | 11.3 | |
| CVE-2016-0702 | Solaris | None | OpenSSL | No | 1.9 | Local | Medium | None | Partial | None | None | 11.3, 10 | See Note 6 |


Notes:

  1. This fix also addresses CVE-2016-0703 CVE-2016-0704 CVE-2016-0797 CVE-2016-0800.
  2. This fix also addresses CVE-2014-6464 CVE-2014-6469 CVE-2014-6491 CVE-2014-6494 CVE-2014-6500 CVE-2014-6507 CVE-2014-6555 CVE-2014-6559 CVE-2014-6568 CVE-2015-0374 CVE-2015-0382 CVE-2015-0411 CVE-2015-0432 CVE-2015-0433 CVE-2015-0499 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-4737 CVE-2015-4792 CVE-2015-4802 CVE-2015-4807 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4864 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 CVE-2015-7744 CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616.
  3. This fix also addresses CVE-2015-3414 CVE-2015-3416.
  4. This fix also addresses CVE-2016-3069 CVE-2016-3630.
  5. This fix also addresses CVE-2016-2324.
  6. This fix also addresses CVE-2016-0702 CVE-2016-0797 CVE-2016-0799.
  7. This fix also addresses CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2176.
  8. This fix also addresses CVE-2016-0737.
  9. This fix also addresses CVE-2015-8782 CVE-2015-8783.
  10. This fix also addresses CVE-2015-8784.
  11. This fix also addresses CVE-2016-1551 CVE-2016-1549 CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519 CVE-2016-1547 CVE-2015-7704 CVE-2015-8138 CVE-2016-1550.
  12. This fix also addresses CVE-2016-4085.
  13. This fix also addresses CVE-2013-5609 CVE-2013-5610 CVE-2013-5611 CVE-2013-5612 CVE-2013-5613 CVE-2013-5614 CVE-2013-5615 CVE-2013-5616 CVE-2013-5618 CVE-2013-5619 CVE-2013-6629 CVE-2013-6630 CVE-2013-6671 CVE-2013-6672 CVE-2013-6673 CVE-2014-1477 CVE-2014-1478 CVE-2014-1479 CVE-2014-1480 CVE-2014-1481 CVE-2014-1482 CVE-2014-1483 CVE-2014-1484 CVE-2014-1485 CVE-2014-1486 CVE-2014-1487 CVE-2014-1488 CVE-2014-1489 CVE-2014-1493 CVE-2014-1494 CVE-2014-1496 CVE-2014-1497 CVE-2014-1498 CVE-2014-1499 CVE-2014-1500 CVE-2014-1501 CVE-2014-1502 CVE-2014-1504 CVE-2014-1505 CVE-2014-1506 CVE-2014-1507 CVE-2014-1508 CVE-2014-1509 CVE-2014-1510 CVE-2014-1511 CVE-2014-1512 CVE-2014-1513 CVE-2014-1514 CVE-2014-1518 CVE-2014-1519 CVE-2014-1520 CVE-2014-1522 CVE-2014-1523 CVE-2014-1524 CVE-2014-1525 CVE-2014-1526 CVE-2014-1527 CVE-2014-1528 CVE-2014-1529 CVE-2014-1530 CVE-2014-1531 CVE-2014-1532 CVE-2014-1533 CVE-2014-1534 CVE-2014-1536 CVE-2014-1537 CVE-2014-1538 CVE-2014-1539 CVE-2014-1540 CVE-2014-1541 CVE-2014-1542 CVE-2014-1543 CVE-2014-1544 CVE-2014-1547 CVE-2014-1548 CVE-2014-1549 CVE-2014-1550 CVE-2014-1551 CVE-2014-1552 CVE-2014-1553 CVE-2014-1554 CVE-2014-1555 CVE-2014-1556 CVE-2014-1557 CVE-2014-1559 CVE-2014-1561 CVE-2014-1562 CVE-2014-1563 CVE-2014-1564 CVE-2014-1565 CVE-2014-1566 CVE-2014-1567 CVE-2014-1568 CVE-2014-1569 CVE-2014-1575 CVE-2014-1580 CVE-2014-1582 CVE-2014-1584 CVE-2014-1588 CVE-2014-1589 CVE-2014-1591 CVE-2014-1595 CVE-2014-2018 CVE-2014-8631 CVE-2014-8632 CVE-2014-8635 CVE-2014-8636 CVE-2014-8637 CVE-2014-8640 CVE-2014-8642 CVE-2014-8643 CVE-2015-0797 CVE-2015-0798 CVE-2015-0799 CVE-2015-0800 CVE-2015-0802 CVE-2015-0803 CVE-2015-0804 CVE-2015-0805 CVE-2015-0806 CVE-2015-0808 CVE-2015-0810 CVE-2015-0811 CVE-2015-0812 CVE-2015-0814 CVE-2015-0819 CVE-2015-0820 CVE-2015-0821 CVE-2015-0823 CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0828 CVE-2015-0829 CVE-2015-0830 CVE-2015-0832 CVE-2015-0833 CVE-2015-0834 CVE-2015-0835 CVE-2015-2706 
CVE-2015-2708 CVE-2015-2709 CVE-2015-2710 CVE-2015-2711 CVE-2015-2712 CVE-2015-2713 CVE-2015-2714 CVE-2015-2715 CVE-2015-2716 CVE-2015-2717 CVE-2015-2718 CVE-2015-2720 CVE-2015-2721 CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2726 CVE-2015-2727 CVE-2015-2728 CVE-2015-2729 CVE-2015-2730 CVE-2015-2731 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2742 CVE-2015-2743 CVE-2015-4473 CVE-2015-4474 CVE-2015-4475 CVE-2015-4476 CVE-2015-4477 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4481 CVE-2015-4482 CVE-2015-4483 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4490 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493 CVE-2015-4495 CVE-2015-4496 CVE-2015-4497 CVE-2015-4498 CVE-2015-4500 CVE-2015-4501 CVE-2015-4502 CVE-2015-4503 CVE-2015-4504 CVE-2015-4505 CVE-2015-4506 CVE-2015-4507 CVE-2015-4508 CVE-2015-4509 CVE-2015-4510 CVE-2015-4511 CVE-2015-4512 CVE-2015-4513 CVE-2015-4514 CVE-2015-4515 CVE-2015-4516 CVE-2015-4517 CVE-2015-4518 CVE-2015-4519 CVE-2015-4520 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7178 CVE-2015-7179 CVE-2015-7180 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7184 CVE-2015-7185 CVE-2015-7186 CVE-2015-7187 CVE-2015-7188 CVE-2015-7189 CVE-2015-7190 CVE-2015-7191 CVE-2015-7192 CVE-2015-7193 CVE-2015-7194 CVE-2015-7195 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200.