author: Danielle Roberts <daroberts@google.com>, 2017-01-04 15:03:56 -0800
committer: Danielle Roberts <daroberts@google.com>, 2017-01-04 15:42:25 -0800
commit: 3ef1ef078ef07fcae765883a088e162e359bf9ad
tree: 761f8267e79c7ed7d9468231393cb1dc8f82ba10
parent: 9ce1e12d016a29a8b7b945b472795b09dda2e869
download: source.android.com-3ef1ef078ef07fcae765883a088e162e359bf9ad.tar.gz
Docs: Add AOSP links to January 2017 security bulletin
Test: make online-sac-docs on staging 13
Bug: 33808338
Change-Id: I3e95b80284f6de41ac51fb5ae92e3d93533af571
-rw-r--r-- src/security/bulletin/2017-01-01.jd 663
1 files changed, 346 insertions, 317 deletions
diff --git a/src/security/bulletin/2017-01-01.jd b/src/security/bulletin/2017-01-01.jd
index 9a55fbaf..89a6e2b7 100644
--- a/src/security/bulletin/2017-01-01.jd
+++ b/src/security/bulletin/2017-01-01.jd
@@ -16,7 +16,7 @@ page.title=Android Security Bulletin—January 2017
See the License for the specific language governing permissions and
limitations under the License.
-->
-<p><em>Published January 03, 2017</em></p>
+<p><em>Published January 03, 2017 | Updated January 04, 2017</em></p>
<p>The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Alongside the bulletin, we have released a security
@@ -30,10 +30,9 @@ and Nexus update schedule</a> to learn how to check a device's security patch
level.</p>
<p>Partners were notified of the issues described in the bulletin on December 05,
-2016 or earlier. Source code patches for these issues will be released to the
-Android Open Source Project (AOSP) repository in the next 48 hours. We will
-revise this bulletin with the AOSP links when they are available. This bulletin
-also includes links to patches outside of AOSP.</p>
+2016 or earlier. Source code patches for these issues have been released to the
+Android Open Source Project (AOSP) repository and linked from this bulletin.
+This bulletin also includes links to patches outside of AOSP.</p>
<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods such
@@ -586,7 +585,8 @@ remote code execution within the context of the Mediaserver process.
</tr>
<tr>
<td>CVE-2017-0381</td>
- <td>A-31607432</td>
+ <td><a href="https://android.googlesource.com/platform/external/libopus/+/0d052d64480a30e83fcdda80f4774624e044beb7">
+ A-31607432</a></td>
<td>Critical</td>
<td>All</td>
<td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
@@ -598,9 +598,9 @@ remote code execution within the context of the Mediaserver process.
<h3 id="rce-in-c-ares">Remote code execution vulnerability in c-ares</h3>
<p>
A remote code execution vulnerability in c-ares could enable an attacker using
-a specially crafted request to execute arbitrary code in the context of a
-privileged process. This issue is rated as Critical due to the possibility of
-remote code execution in applications that use this library.
+a specially crafted request to execute arbitrary code in the context of an
+unprivileged process. This issue is rated as High due to the possibility of
+remote code execution in an application that uses this library.
</p>
<table>
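Review bot: The c-ares paragraph in this hunk changes "privileged process" to "unprivileged process" and "rated as Critical" to "rated as High", which is a change to the stated impact, not an AOSP link, yet the commit subject and the new Revisions entry ("Bulletin revised to include AOSP links") mention only links. The CVE-2016-5180 row already reads High, so the new wording looks like the intended correction. Suggest either splitting it into its own commit or adding a Revisions line that records the corrected c-ares text, so readers who acted on the January 03 wording can see that it changed.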
@@ -620,7 +620,8 @@ remote code execution in applications that use this library.
</tr>
<tr>
<td>CVE-2016-5180</td>
- <td>A-32205736</td>
+ <td><a href="https://android.googlesource.com/platform/external/c-ares/+/f4baf84f285bfbdebb89b2fef8a955720f00c677">
+ A-32205736</a></td>
<td>High</td>
<td>All</td>
<td>7.0</td>
@@ -629,8 +630,8 @@ remote code execution in applications that use this library.
</table>
-<h3 id="rce-in-framesequence">Remote code execution vulnerability in
-Framesequence</h3>
+<h3 id="rce-vulnerability-in-framesequence">Remote code
+execution vulnerability in Framesequence</h3>
<p>
A remote code execution vulnerability in the Framesequence library could enable
an attacker using a specially crafted file to execute arbitrary code in the
@@ -638,7 +639,6 @@ context of an unprivileged process. This issue is rated as High due to the
possibility of remote code execution in an application that uses the
Framesequence library.
</p>
-
<table>
<col width="18%">
<col width="17%">
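Review bot: The Framesequence heading id is renamed from rce-in-framesequence to rce-vulnerability-in-framesequence, which breaks any existing deep link to #rce-in-framesequence and departs from the short form the neighbouring headings in this patch keep (rce-in-c-ares, eop-in-framework-apis, eop-in-audioserver). Unless something depends on the longer id, suggest keeping id="rce-in-framesequence" and changing only the line wrapping of the heading text.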
@@ -647,34 +647,32 @@ Framesequence library.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0382</td>
- <td>A-32338390</td>
- <td>High</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 21, 2016</td>
+ <td>CVE-2017-0382</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/ex/+/7f0e3dab5a892228d8dead7f0221cc9ae82474f7">
+ A-32338390</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 21, 2016</td>
</tr>
</table>
-
-
-<h3 id="eop-in-framework-apis">Elevation of privilege vulnerability in
-Framework APIs</h3>
+<h3 id="eop-in-framework-apis">Elevation of
+privilege vulnerability in Framework APIs</h3>
<p>
An elevation of privilege vulnerability in the Framework APIs could enable a
local malicious application to execute arbitrary code within the context of a
-privileged process. This issue is rated as High because it could be used to
-gain local access to elevated capabilities, which are not normally accessible
-to a third-party application.
+privileged process. This issue is rated as High because it could be used to gain
+local access to elevated capabilities, which are not normally accessible to a
+third-party application.
</p>
-
<table>
<col width="18%">
<col width="17%">
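Review bot: The removed and added header cells in this hunk are textually identical, as are the unchanged row cells and the re-wrapped Framework APIs paragraph, so the only content change (the link on A-32338390) is buried in whitespace and wrapping churn. The same pattern repeats in the tables that follow and accounts for most of the 346 insertions and 317 deletions. For a security bulletin, where each link should be checked against its bug ID, suggest dropping the re-indentation and re-wrapping from this commit (or landing them separately) so the diff contains only the added anchors.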
@@ -683,34 +681,32 @@ to a third-party application.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0383</td>
- <td>A-31677614</td>
- <td>High</td>
- <td>All</td>
- <td>7.0, 7.1</td>
- <td>Sep 21, 2016</td>
+ <td>CVE-2017-0383</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/native/+/e5753ba087fa59ee02f6026cc13b1ceb42a1f266">
+ A-31677614</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>7.0, 7.1</td>
+ <td>Sep 21, 2016</td>
</tr>
</table>
-
-
-<h3 id="eop-in-audioserver">Elevation of privilege vulnerability in
-Audioserver</h3>
+<h3 id="eop-in-audioserver">Elevation of
+privilege vulnerability in Audioserver</h3>
<p>
An elevation of privilege vulnerability in Audioserver could enable a local
malicious application to execute arbitrary code within the context of a
-privileged process. This issue is rated as High because it could be used to
-gain local access to elevated capabilities, which are not normally accessible
-to a third-party application.
+privileged process. This issue is rated as High because it could be used to gain
+local access to elevated capabilities, which are not normally accessible to a
+third-party application.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -719,41 +715,41 @@ to a third-party application.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0384</td>
- <td>A-32095626</td>
- <td>High</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 11, 2016</td>
+ <td>CVE-2017-0384</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/321ea5257e37c8edb26e66fe4ee78cca4cd915fe">
+ A-32095626</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 11, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0385</td>
- <td>A-32585400</td>
- <td>High</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 11, 2016</td>
+ <td>CVE-2017-0385</td>
+ <td><a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/ed79f2cc961d7d35fdbbafdd235c1436bcd74358">
+ A-32585400</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 11, 2016</td>
</tr>
</table>
-
-
-<h3 id="eop-in-libnl">Elevation of privilege vulnerability in libnl</h3>
+<h3 id="eop-in-libnl">Elevation of privilege
+vulnerability in libnl</h3>
<p>
An elevation of privilege vulnerability in the libnl library could enable a
local malicious application to execute arbitrary code within the context of a
-privileged process. This issue is rated as High because it could be used to
-gain local access to elevated capabilities, which are not normally accessible
-to a third-party application.
+privileged process. This issue is rated as High because it could be used to gain
+local access to elevated capabilities, which are not normally accessible to a
+third-party application.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -762,34 +758,32 @@ to a third-party application.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0386</td>
- <td>A-32255299</td>
- <td>High</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 18, 2016</td>
+ <td>CVE-2017-0386</td>
+ <td><a href="https://android.googlesource.com/platform/external/libnl/+/f0b40192efd1af977564ed6335d42a8bbdaf650a">
+ A-32255299</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 18, 2016</td>
</tr>
</table>
-
-
-<h3 id="eop-in-mediaserver">Elevation of privilege vulnerability in
-Mediaserver</h3>
+<h3 id="eop-in-mediaserver">Elevation of
+privilege vulnerability in Mediaserver</h3>
<p>
An elevation of privilege vulnerability in Mediaserver could enable a local
malicious application to execute arbitrary code within the context of a
-privileged process. This issue is rated as High because it could be used to
-gain local access to elevated capabilities, which are not normally accessible
-to a third-party application.
+privileged process. This issue is rated as High because it could be used to gain
+local access to elevated capabilities, which are not normally accessible to a
+third-party application.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -798,24 +792,23 @@ to a third-party application.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0387</td>
- <td>A-32660278</td>
- <td>High</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Nov 4, 2016</td>
+ <td>CVE-2017-0387</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/native/+/675e212c8c6653825cc3352c603caf2e40b00f9f">
+ A-32660278</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Nov 4, 2016</td>
</tr>
</table>
-
-
<h3 id="id-in-external-storage-provider">Information disclosure vulnerability
in External Storage Provider</h3>
<p>
@@ -824,7 +817,6 @@ enable a local secondary user to read data from an external storage SD card
inserted by the primary user. This issue is rated as High because it could be
used to access data without permission.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -833,33 +825,31 @@ used to access data without permission.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0388</td>
- <td>A-32523490</td>
- <td>High</td>
- <td>All</td>
- <td>6.0, 6.0.1, 7.0, 7.1</td>
- <td>Google internal</td>
+ <td>CVE-2017-0388</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/47e62b7fe6807a274ba760a8fecfd624fe792da9">
+ A-32523490</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Google internal</td>
</tr>
</table>
-
-
-<h3 id="dos-in-core-networking">Denial of service vulnerability in core
-networking</h3>
+<h3 id="dos-in-core-networking">Denial of service
+vulnerability in core networking</h3>
<p>
A denial of service vulnerability in core networking could enable a remote
attacker to use specially crafted network packet to cause a device hang or
reboot. This issue is rated as High due to the possibility of remote denial of
service.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -868,31 +858,31 @@ service.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0389</td>
- <td>A-31850211</td>
- <td>High</td>
- <td>All</td>
- <td>6.0, 6.0.1, 7.0, 7.1</td>
- <td>Jul 20, 2016</td>
+ <td>CVE-2017-0389</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/base/+/a014b6be3c7c6fb5cf9352a05baf84fca7a133c7">
+ A-31850211</a>
+[<a href="https://android.googlesource.com/platform/frameworks/base/+/47e81a2596b00ee7aaca58716ff164a1708b0b29">2</a>]</td>
+ <td>High</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Jul 20, 2016</td>
</tr>
</table>
-
-
-<h3 id="dos-in-mediaserver">Denial of service vulnerability in Mediaserver</h3>
+<h3 id="dos-in-mediaserver">Denial of service
+vulnerability in Mediaserver</h3>
<p>
A denial of service vulnerability in Mediaserver could enable a remote attacker
to use a specially crafted file to cause a device hang or reboot. This issue is
rated as High due to the possibility of remote denial of service.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -901,55 +891,57 @@ rated as High due to the possibility of remote denial of service.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0390</td>
- <td>A-31647370</td>
- <td>High</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Sep 19, 2016</td>
+ <td>CVE-2017-0390</td>
+ <td><a href="https://android.googlesource.com/platform/external/tremolo/+/5dc99237d49e73c27d3eca54f6ccd97d13f94de0">
+ A-31647370</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Sep 19, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0391</td>
- <td>A-32322258</td>
- <td>High</td>
- <td>All</td>
- <td>6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 20, 2016</td>
+ <td>CVE-2017-0391</td>
+ <td><a href="https://android.googlesource.com/platform/external/libhevc/+/a33f6725d7e9f92330f995ce2dcf4faa33f6433f">
+ A-32322258</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 20, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0392</td>
- <td>A-32577290</td>
- <td>High</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 29, 2016</td>
+ <td>CVE-2017-0392</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/453b351ac5bd2b6619925dc966da60adf6b3126c">
+ A-32577290</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 29, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0393</td>
- <td>A-30436808</td>
- <td>High</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Google internal</td>
+ <td>CVE-2017-0393</td>
+ <td><a href="https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc">
+ A-30436808</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Google internal</td>
</tr>
</table>
-
-
-<h3 id="dos-in-telephony">Denial of service vulnerability in Telephony</h3>
+<h3 id="dos-in-telephony">Denial of service
+vulnerability in Telephony</h3>
<p>
-A denial of service vulnerability in Telephony could enable a remote attacker
-to cause a device hang or reboot. This issue is rated as High due to the
+A denial of service vulnerability in Telephony could enable a remote attacker to
+cause a device hang or reboot. This issue is rated as High due to the
possibility of remote denial of service.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -958,25 +950,25 @@ possibility of remote denial of service.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0394</td>
- <td>A-31752213</td>
- <td>High</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Sep 23, 2016</td>
+ <td>CVE-2017-0394</td>
+ <td><a href="https://android.googlesource.com/platform/packages/services/Telephony/+/1cdced590675ce526c91c6f8983ceabb8038f58d">
+ A-31752213</a></td>
+ <td>High</td>
+ <td>All</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Sep 23, 2016</td>
</tr>
</table>
-
-
-<h3 id="eop-in-contacts">Elevation of privilege vulnerability in Contacts</h3>
+<h3 id="eop-in-contacts">Elevation of privilege
+vulnerability in Contacts</h3>
<p>
An elevation of privilege vulnerability in Contacts could enable a local
malicious application to silently create contact information. This issue is
@@ -984,7 +976,6 @@ rated as Moderate because it is a local bypass of user interaction requirements
(access to functionality that would normally require either user initiation or
user permission).
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -993,33 +984,31 @@ user permission).
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0395</td>
- <td>A-32219099</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 15, 2016</td>
+ <td>CVE-2017-0395</td>
+ <td><a href="https://android.googlesource.com/platform/packages/apps/ContactsCommon/+/d47661ad82d402c1e0c90eb83970687d784add1b">
+ A-32219099</a></td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 15, 2016</td>
</tr>
</table>
-
-
-<h3 id="id-in-mediaserver">Information disclosure vulnerability in
-Mediaserver</h3>
+<h3 id="id-in-mediaserver">Information
+disclosure vulnerability in Mediaserver</h3>
<p>
An information disclosure vulnerability in Mediaserver could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it could be used to access sensitive data
without permission.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -1028,41 +1017,40 @@ without permission.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0396</td>
- <td>A-31781965</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Sep 27, 2016</td>
+ <td>CVE-2017-0396</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/557bd7bfe6c4895faee09e46fc9b5304a956c8b7">
+ A-31781965</a></td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Sep 27, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0397</td>
- <td>A-32377688</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 21, 2016</td>
+ <td>CVE-2017-0397</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/7a3246b870ddd11861eda2ab458b11d723c7f62c">
+ A-32377688</a></td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 21, 2016</td>
</tr>
</table>
-
-
-<h3 id="id-in-audioserver">Information disclosure vulnerability in
-Audioserver</h3>
+<h3 id="id-in-audioserver">Information
+disclosure vulnerability in Audioserver</h3>
<p>
An information disclosure vulnerability in Audioserver could enable a local
malicious application to access data outside of its permission levels. This
issue is rated as Moderate because it could be used to access sensitive data
without permission.
</p>
-
<table>
<col width="18%">
<col width="17%">
@@ -1071,72 +1059,81 @@ without permission.
<col width="18%">
<col width="17%">
<tr>
- <th>CVE</th>
- <th>References</th>
- <th>Severity</th>
- <th>Updated Google devices</th>
- <th>Updated AOSP versions</th>
- <th>Date reported</th>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0398</td>
- <td>A-32438594</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 25, 2016</td>
+ <td>CVE-2017-0398</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/26965db50a617f69bdefca0d7533796c80374f2c">
+ A-32438594</a></td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 25, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0398</td>
- <td>A-32635664</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 25, 2016</td>
+ <td>CVE-2017-0398</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/26965db50a617f69bdefca0d7533796c80374f2c">
+ A-32635664</a></td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 25, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0398</td>
- <td>A-32624850</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 25, 2016</td>
+ <td>CVE-2017-0398</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/26965db50a617f69bdefca0d7533796c80374f2c">
+ A-32624850</a></td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 25, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0399</td>
- <td>A-32247948</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 18, 2016</td>
+ <td>CVE-2017-0399</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c66c43ad571ed2590dcd55a762c73c90d9744bac">
+ A-32247948</a>
+[<a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/d72ea85c78a1a68bf99fd5804ad9784b4102fe57">2</a>]</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 18, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0400</td>
- <td>A-32584034</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 25, 2016</td>
+ <td>CVE-2017-0400</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c66c43ad571ed2590dcd55a762c73c90d9744bac">
+ A-32584034</a>
+[<a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/d72ea85c78a1a68bf99fd5804ad9784b4102fe57">2</a>]</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 25, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0401</td>
- <td>A-32448258</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 26, 2016</td>
+ <td>CVE-2017-0401</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/321ea5257e37c8edb26e66fe4ee78cca4cd915fe">
+ A-32448258</a></td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 26, 2016</td>
</tr>
<tr>
- <td>CVE-2017-0402</td>
- <td>A-32436341</td>
- <td>Moderate</td>
- <td>All</td>
- <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 25, 2016</td>
+ <td>CVE-2017-0402</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c66c43ad571ed2590dcd55a762c73c90d9744bac">
+ A-32436341</a>
+[<a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/d72ea85c78a1a68bf99fd5804ad9784b4102fe57">2</a>]</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
+ <td>Oct 25, 2016</td>
</tr>
</table>
-
<h2 id="2017-01-05-details">2017-01-05 security patch level—Vulnerability
details</h2>
<p>
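Review bot: The three CVE-2017-0398 rows (A-32438594, A-32635664, A-32624850) all link to the same frameworks/av commit 26965db50a617f69bdefca0d7533796c80374f2c, and the CVE-2017-0401 row (A-32448258) links to 321ea5257e37c8edb26e66fe4ee78cca4cd915fe, the commit already used for CVE-2017-0384 (A-32095626) in the Audioserver elevation of privilege table. If one commit really does close several bugs that is fine, but please confirm each URL against its bug ID, since a copy-paste slip here would point readers at the wrong fix. The added "[2]" link lines also start at column 0 while the surrounding cells are indented; suggest indenting them to match.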
@@ -2706,36 +2703,67 @@ access sensitive data without permission.
<th>Date reported</th>
</tr>
<tr>
- <td>CVE-2017-0399</td>
- <td>A-32588756</td>
- <td>Moderate</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 18, 2016</td>
- </tr>
- <tr>
- <td>CVE-2017-0400</td>
- <td>A-32438598</td>
- <td>Moderate</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 25, 2016</td>
- </tr>
- <tr>
- <td>CVE-2017-0401</td>
- <td>A-32588016</td>
- <td>Moderate</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 26, 2016</td>
- </tr>
- <tr>
- <td>CVE-2017-0402</td>
- <td>A-32588352</td>
- <td>Moderate</td>
- <td>All</td>
- <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1</td>
- <td>Oct 25, 2016</td>
+ <td>CVE-2017-0399
+ </td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c66c43ad571ed2590dcd55a762c73c90d9744bac">
+ A-32588756</a>
+[<a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/d72ea85c78a1a68bf99fd5804ad9784b4102fe57">2</a>]
+ </td>
+ <td>Moderate
+ </td>
+ <td>All
+ </td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1
+ </td>
+ <td>Oct 18, 2016
+ </td>
+ </tr>
+ <tr>
+ <td>CVE-2017-0400
+ </td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c66c43ad571ed2590dcd55a762c73c90d9744bac">
+ A-32438598</a>
+[<a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/d72ea85c78a1a68bf99fd5804ad9784b4102fe57">2</a>]
+ </td>
+ <td>Moderate
+ </td>
+ <td>All
+ </td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1
+ </td>
+ <td>Oct 25, 2016
+ </td>
+ </tr>
+ <tr>
+ <td>CVE-2017-0401
+ </td>
+ <td><a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/ed79f2cc961d7d35fdbbafdd235c1436bcd74358">
+ A-32588016</a>
+ </td>
+ <td>Moderate
+ </td>
+ <td>All
+ </td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1
+ </td>
+ <td>Oct 26, 2016
+ </td>
+ </tr>
+ <tr>
+ <td>CVE-2017-0402
+ </td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/av/+/c66c43ad571ed2590dcd55a762c73c90d9744bac">
+ A-32588352</a>
+[<a href="https://android.googlesource.com/platform/hardware/qcom/audio/+/d72ea85c78a1a68bf99fd5804ad9784b4102fe57">2</a>]
+ </td>
+ <td>Moderate
+ </td>
+ <td>All
+ </td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1
+ </td>
+ <td>Oct 25, 2016
+ </td>
</tr>
</table>
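Review bot: The CVE-2017-0401 row (A-32588016) links to the hardware/qcom/audio commit ed79f2cc961d7d35fdbbafdd235c1436bcd74358, the same URL given for CVE-2017-0385 (A-32585400) earlier in this patch, while the same CVE in the 2017-01-01 Audioserver table points at a frameworks/av commit instead. Please confirm that the two CVE-2017-0401 entries are meant to reference different commits and that this one is not copied from the CVE-2017-0385 row. As a style point, the rewritten cells here place the closing td tag on its own line, unlike the single-line cells used in every other table this patch touches; suggest keeping each cell on one line for consistency.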
@@ -2908,4 +2936,5 @@ belongs. These prefixes map as follows:</p>
<h2 id="revisions">Revisions</h2>
<ul>
<li>January 03, 2017: Bulletin published.</li>
+ <li>January 04, 2017: Bulletin revised to include AOSP links.</li>
</ul>