Oracle Solaris Third Party Bulletin - July 2019


Description

The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated on the Tuesday closest to the 17th of the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability fixes deemed too critical to wait for the next monthly update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin fixes as soon as possible.


Patch Availability

Please see My Oracle Support Note 1448883.1


Third Party Bulletin Schedule

Third Party Bulletins are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 October 2019
  • 14 January 2020
  • 14 April 2020
  • 14 July 2020

Modification History

2019-September-17 Rev 3. Added CVEs fixed in Solaris 11.4 SRU 13
2019-August-20 Rev 2. Added CVEs fixed in Solaris 11.4 SRU 12
2019-July-16 Rev 1. Initial Release with all CVEs fixed in Solaris 11.3 LSU 36.13 and Solaris 11.4 SRU 11

 

 

Oracle Solaris Executive Summary

 

This Oracle Solaris Bulletin contains 47 new security fixes for the Oracle Solaris Operating System. 40 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

 

Oracle Solaris Third Party Bulletin Risk Matrix

 


Revision 3: Published on 2019-09-17



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-1000012 | Oracle Solaris | Elixir | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2019-13454 | Oracle Solaris | ImageMagick | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 1 |
| CVE-2019-5953 | Oracle Solaris | Wget | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4, 10 | See Note 2 |
| CVE-2019-6116 | Oracle Solaris | Ghostscript | None | No | 7.8 | Local | Low | None | Required | Unchanged | High | High | High | 11.4 | See Note 3 |
| CVE-2019-13117 | Oracle Solaris | libxslt | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4 | See Note 4 |
| CVE-2019-6116 | Oracle Solaris | Ghostscript | Multiple | Yes | 7.3 | Network | Low | None | None | Unchanged | Low | Low | Low | 11.4 | See Note 5 |
| CVE-2019-11597 | Oracle Solaris | ImageMagick | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | See Note 6 |
| CVE-2019-11729 | Oracle Solaris | NSS | TLS | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | See Note 7 |
| CVE-2019-12900 | Oracle Solaris | BZip | None | No | 4 | Local | Low | None | None | Unchanged | None | None | Low | 11.4 | |
| CVE-2019-1010220 | Oracle Solaris | TCPdump | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 8 |


Revision 2: Published on 2019-08-20



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-12450 | Oracle Solaris | Glib | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-9947 | Oracle Solaris | Python 3.7 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 9 |
| CVE-2019-9947 | Oracle Solaris | Python 2.7 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 10 |
| CVE-2019-9947 | Oracle Solaris | Python 3.5 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 11 |
| CVE-2019-9947 | Oracle Solaris | Python 3.4 | Multiple | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | See Note 12 |
| CVE-2019-12735 | Oracle Solaris | Vim | None | No | 8.6 | Local | Low | None | Required | Changed | High | High | High | 11.4 | |
| CVE-2019-13045 | Oracle Solaris | Irssi | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-11730 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 13 |
| CVE-2019-11730 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 14 |
| CVE-2019-1559 | Oracle Solaris | MySQL 5.7.25 | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 11.4 | See Note 15 |
| CVE-2018-20406 | Oracle Solaris | Python 3.7 | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | High | None | 11.4 | See Note 16 |
| CVE-2019-0199 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 6.3 | Network | Low | None | Required | Unchanged | Low | Low | Low | 11.4 | See Note 17 |
| CVE-2019-1559 | Oracle Solaris | MySQL 5.6.43 | Multiple | Yes | 5.9 | Network | High | None | None | Unchanged | High | None | None | 11.4 | See Note 18 |
| CVE-2019-6471 | Oracle Solaris | BIND | DNS | Yes | 5.9 | Network | High | None | None | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2019-13619 | Oracle Solaris | Wireshark | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | |




Revision 1: Published on 2019-07-16



CVSS VERSION 3.0 RISK (see Risk Matrix Definitions): columns Base Score through Availability.

| CVE# | Product | Third Party component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complexity | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000805 | Oracle Solaris | Paramiko | SSH | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2019-10906 | Oracle Solaris | Jinja | HTML | Yes | 9 | Network | High | None | None | Changed | High | High | High | 11.4 | |
| CVE-2019-11704 | Oracle Solaris | Thunderbird | Multiple | Yes | 9 | Network | High | None | None | Changed | High | High | High | 11.4 | See Note 19 |
| CVE-2019-11707 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2017-18342 | Oracle Solaris | PyYAML | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 11.4 | |
| CVE-2018-14423 | Oracle Solaris | OpenJPEG | Multiple | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4 | |
| CVE-2019-3855 | Oracle Solaris | Libssh2 | SSH | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 20 |
| CVE-2018-6467 | Oracle Solaris | BIND | DNS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 11.4, 10 | |
| CVE-2019-11324 | Oracle Solaris | Urllib3 | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 11.4 | |
| CVE-2019-11708 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | |
| CVE-2019-11707 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Unchanged | High | High | High | 11.4 | See Note 21 |
| CVE-2017-12613 | Oracle Solaris | Apache Portable Runtime (APR) | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | High | None | High | 10 | |
| CVE-2019-8321 | Oracle Solaris | RubyGems | Multiple | Yes | 7.4 | Network | High | None | None | Unchanged | None | High | High | 11.4 | See Note 22 |
| CVE-2018-18508 | Oracle Solaris | Netscape Security Services (NSS) | Multiple | Yes | 6.5 | Network | Low | None | Required | Unchanged | None | None | High | 11.4 | |
| CVE-2019-11236 | Oracle Solaris | Urllib3 | HTTP | Yes | 6.5 | Network | Low | None | None | Unchanged | Low | Low | None | 11.4 | See Note 23 |
| CVE-2017-12618 | Oracle Solaris | Apache Portable Runtime (APR) | None | No | 5.5 | Local | Low | Low | None | Unchanged | None | None | High | 10 | |
| CVE-2018-16329 | Oracle Solaris | ImageMagick | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4, 10 | See Note 24 |
| CVE-2018-20467 | Oracle Solaris | ImageMagick | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4, 10 | |
| CVE-2018-19787 | Oracle Solaris | Lxml | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 11.4 | See Note 25 |
| CVE-2018-5727 | Oracle Solaris | OpenJPEG | Multiple | Yes | 4.3 | Network | Low | None | Required | Unchanged | None | None | Low | 11.4 | See Note 26 |
| CVE-2019-3870 | Oracle Solaris | Samba | Multiple | No | 4.2 | Network | High | Low | None | Unchanged | None | Low | Low | 11.4 | See Note 27 |
| CVE-2017-11164 | Oracle Solaris | Apache HTTP Server | None | No | 3.3 | Local | Low | None | Required | Unchanged | None | None | Low | 10 | |

 

Notes:

1. This fix also addresses CVE-2019-12974 CVE-2019-12975 CVE-2019-12976 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13295 CVE-2019-13296 CVE-2019-13297 CVE-2019-13298 CVE-2019-13299 CVE-2019-13300 CVE-2019-13301 CVE-2019-13302 CVE-2019-13303 CVE-2019-13304 CVE-2019-13305 CVE-2019-13306 CVE-2019-13307 CVE-2019-13308 CVE-2019-13309 CVE-2019-13311 CVE-2019-13391.

2. This fix also addresses CVE-2018-20483.

3. This fix also addresses CVE-2019-3839.

4. This fix also addresses CVE-2019-13118.

5. This fix also addresses CVE-2019-3835 CVE-2019-3838.

6. This fix also addresses CVE-2019-10714 CVE-2019-11470 CVE-2019-11472 CVE-2019-11598 CVE-2019-13133 CVE-2019-13134 CVE-2019-13135 CVE-2019-13136 CVE-2019-13137 CVE-2019-7175 CVE-2019-7395 CVE-2019-7396 CVE-2019-7397 CVE-2019-7398.

7. This fix also addresses CVE-2019-11727 CVE-2019-11729.

8. This fix also addresses CVE-2017-16808 CVE-2018-19519.

9. This fix also addresses CVE-2019-10160 CVE-2019-5010 CVE-2019-9636.

10. This fix also addresses CVE-2018-14647 CVE-2019-10160 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9948.

11. This fix also addresses CVE-2018-14647 CVE-2018-20406 CVE-2019-10160 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9948.

12. This fix also addresses CVE-2018-14647 CVE-2018-20406 CVE-2019-10160 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9948.

13. This fix also addresses CVE-2019-11709 CVE-2019-11711 CVE-2019-11712 CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11719 CVE-2019-11729 CVE-2019-9811.

14. This fix also addresses CVE-2019-11709 CVE-2019-11711 CVE-2019-11712 CVE-2019-11713 CVE-2019-11715 CVE-2019-11717 CVE-2019-11719 CVE-2019-11729 CVE-2019-9811.

15. This fix also addresses CVE-2019-2566 CVE-2019-2581 CVE-2019-2592 CVE-2019-2614 CVE-2019-2627 CVE-2019-2628 CVE-2019-2632 CVE-2019-2683.

16. This fix also addresses CVE-2019-9740 CVE-2019-9948.

17. This fix also addresses CVE-2019-0221 CVE-2019-10072.

18. This fix also addresses CVE-2019-2614 CVE-2019-2627 CVE-2019-2683.

19. This fix also addresses CVE-2019-11703 CVE-2019-11705 CVE-2019-11706.

20. This fix also addresses CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863.

21. This fix also addresses CVE-2019-11708.

22. This fix also addresses CVE-2019-8320 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325.

23. This fix also addresses CVE-2018-20060.

24. This fix also addresses CVE-2018-15607.

25. This fix also addresses CVE-2018-19591.

26. This fix also addresses CVE-2018-5785 CVE-2018-6616.

27. This fix also addresses CVE-2019-3880.