author Danielle Roberts <daroberts@google.com> 2016-01-26 18:21:00 -0800
committer Danielle Roberts <daroberts@google.com> 2016-02-02 10:36:53 -0800
commit 17648a1b8c330df7a8974a9bf2d71f5ea1b02440 (patch)
tree 042d1b59a5f941dd9a105bfe17bcf76109e5771c
parent fbc273148c413d5c155276d9802dfbb0b36faf12 (diff)
download source.android.com-17648a1b8c330df7a8974a9bf2d71f5ea1b02440.tar.gz
Docs: February 2016 security bulletin
Bug: 26411900
Change-Id: I5390bfbece941df934745063931179feaeee87f9
-rw-r--r-- src/security/bulletin/2016-01-01.jd | 2
-rw-r--r-- src/security/bulletin/2016-02-01.jd | 484
-rw-r--r-- src/security/bulletin/index.jd | 5
-rw-r--r-- src/security/overview/acknowledgements.jd | 18
-rw-r--r-- src/security/security_toc.cs | 1
5 files changed, 509 insertions, 1 deletions
diff --git a/src/security/bulletin/2016-01-01.jd b/src/security/bulletin/2016-01-01.jd
index 87ba6575..9878d747 100644
--- a/src/security/bulletin/2016-01-01.jd
+++ b/src/security/bulletin/2016-01-01.jd
@@ -257,7 +257,7 @@ possibly need to be repaired by re-flashing the operating system.</p>
<td>CVE-2015-6638</td>
<td>ANDROID-24673908*</td>
<td>Critical</td>
- <td>5.0, 5.5.1, 6.0, 6.0.1</td>
+ <td>5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Google Internal</td>
</tr>
</table>
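Review bot: The correction of the CVE-2015-6638 affected-versions cell from 5.5.1 to 5.1.1 is not mentioned in the commit message, which only names the February 2016 bulletin. Because this alters a value in an already published bulletin, say so in the commit message, and if the January page carries a Revisions list like the one the new February page has, add a dated entry for the correction.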
diff --git a/src/security/bulletin/2016-02-01.jd b/src/security/bulletin/2016-02-01.jd
new file mode 100644
index 00000000..b209d6e9
--- /dev/null
+++ b/src/security/bulletin/2016-02-01.jd
@@ -0,0 +1,484 @@
+page.title=Nexus Security Bulletin - February 2016
+@jd:body
+
+<!--
+ Copyright 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<div id="qv-wrapper">
+ <div id="qv">
+ <h2>In this document</h2>
+ <ol id="auto-toc">
+ </ol>
+ </div>
+</div>
+
+<p><em>Published February 01, 2016</em></p>
+
+<p>We have released a security update to Nexus devices through an over-the-air
+(OTA) update as part of our Android Security Bulletin Monthly Release process.
+The Nexus firmware images have also been released to the <a href="https://developers.google.com/android/nexus/images">Google Developer site</a>. Builds LMY49G or later and Android M with Security Patch Level of February 1,
+2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level.</p>
+
+<p>Partners were notified about the issues described in the bulletin on January 4,
+2016 or earlier. Source code patches for these issues will be released to the
+Android Open Source Project (AOSP) repository over the next 48 hours. We will
+revise this bulletin with the AOSP links when they are available.</p>
+
+<p>The most severe of these issues is a Critical security vulnerability that could
+enable remote code execution on an affected device through multiple methods
+such as email, web browsing, and MMS when processing media files. The Remote Code
+Execution Vulnerability in Broadcom’s Wi-Fi driver is also Critical severity as
+it could allow remote code execution on an affected device while in Wi-Fi radio range.</p>
+
+<p>We have had no reports of active customer exploitation of these newly reported
+issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="https://source.android.com/security/enhancements/">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the
+Android platform. We encourage all customers to accept these updates to their
+devices.</p>
+
+<h2 id=security_vulnerability_summary>Security Vulnerability Summary</h2>
+
+
+<p>The table below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), and their assessed severity. The <a href="https://source.android.com/security/overview/updates-resources.html#severity">severity assessment</a> is based on the effect that exploiting the vulnerability would possibly have
+on an affected device, assuming the platform and service mitigations are
+disabled for development purposes or if successfully bypassed.</p>
+<table>
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</td>
+ <td>CVE-2016-0801<br />
+ CVE-2016-0802</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Remote Code Execution Vulnerability in Mediaserver</td>
+ <td>CVE-2016-0803<br />
+ CVE-2016-0804</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Qualcomm Performance Module</td>
+ <td>CVE-2016-0805</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</td>
+ <td>CVE-2016-0806</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in the Debugger Daemon</td>
+ <td>CVE-2016-0807</td>
+ <td>Critical</td>
+ </tr>
+ <tr>
+ <td>Denial of Service Vulnerability in Minikin</td>
+ <td>CVE-2016-0808</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Wi-Fi</td>
+ <td>CVE-2016-0809</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Mediaserver</td>
+ <td>CVE-2016-0810</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Information Disclosure Vulnerability in libmediaplayerservice</td>
+ <td>CVE-2016-0811</td>
+ <td>High</td>
+ </tr>
+ <tr>
+ <td>Elevation of Privilege Vulnerability in Setup Wizard</td>
+ <td>CVE-2016-0812<br />
+ CVE-2016-0813</td>
+ <td>Moderate</td>
+ </tr>
+</table>
+
+
+<h3 id=mitigations>Mitigations</h3>
+
+
+<p>This is a summary of the mitigations provided by the <a href="https://source.android.com/security/enhancements/index.html">Android security platform</a> and service protections such as SafetyNet. These capabilities reduce the
+likelihood that security vulnerabilities could be successfully exploited on
+Android.</p>
+
+<ul>
+ <li> Exploitation for many issues on Android is made more difficult by enhancements
+in newer versions of the Android platform. We encourage all users to update to
+the latest version of Android where possible.
+ <li> The Android Security team is actively monitoring for abuse with Verify Apps and
+SafetyNet which will warn about potentially harmful applications about to be
+installed. Device rooting tools are prohibited within Google Play. To protect
+users who install applications from outside of Google Play, Verify Apps is
+enabled by default and will warn users about known rooting applications. Verify
+Apps attempts to identify and block installation of known malicious
+applications that exploit a privilege escalation vulnerability. If such an
+application has already been installed, Verify Apps will notify the user and
+attempt to remove any such applications.
+ <li> As appropriate, Google Hangouts and Messenger applications do not automatically
+pass media to processes such as mediaserver.
+</ul>
+
+<h3 id=acknowledgements>Acknowledgements</h3>
+
+
+<p>We would like to thank these researchers for their contributions:</p>
+
+<ul>
+ <li> Android and Chrome Security Team: CVE-2016-0809, CVE-2016-0810
+ <li> Broadgate Team: CVE-2016-0801, CVE-2015-0802
+ <li> David Riley of the Google Pixel C Team: CVE-2016-0812
+ <li> Dongkwan Kim (<a href="mailto:dkay@kaist.ac.kr">dkay@kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614
+ <li> Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>) from Lab 0x031E of Qihoo 360 Technology Co. Ltd : CVE-2016-0805
+ <li> Hongil Kim (<a href="mailto:hongilk@kaist.ac.kr">hongilk@kaist.ac.kr</a>) of System Security Lab, KAIST: CVE-2015-6614
+ <li> Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of
+ KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-0811
+ <li> Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>) of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>): CVE-2016-0803
+ <li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc: CVE-2016-0808
+ <li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0807
+</ul>
+
+<h2 id=security_vulnerability_details>Security Vulnerability Details</h2>
+
+
+<p>In the sections below, we provide details for each of the security
+vulnerabilities listed in the <a href="#security_vulnerability_summary">Security Vulnerability Summary</a>
+above. There is a description of the issue, a severity rationale, and a table
+with the CVE, associated bug, severity, affected versions, and date reported.
+When available, we will link the AOSP commit that addressed the issue to the
+bug ID. When multiple changes relate to a single bug, additional AOSP
+references are linked to numbers following the bug ID.</p>
+
+<h3 id=remote_code_execution_vulnerability_in_broadcom_wi-fi_driver>Remote Code Execution Vulnerability in Broadcom Wi-Fi Driver</h3>
+
+
+<p>Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could
+allow a remote attacker to use specially crafted wireless control message
+packets to corrupt kernel memory in a way that leads to remote code execution
+in the context of the kernel. These vulnerabilities can be triggered when the
+attacker and the victim are associated with the same network. This issue is
+rated as a Critical severity due to the possibility of remote code execution in
+the context of the kernel without requiring user interaction.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0801</td>
+ <td>ANDROID-25662029</td>
+ <td>Critical</td>
+ <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Oct 25, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-0802</td>
+ <td>ANDROID-25306181</td>
+ <td>Critical</td>
+ <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Oct 26,2015</td>
+ </tr>
+</table>
+
+
+<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3>
+
+
+<p>During media file and data processing of a specially crafted file,
+vulnerabilities in mediaserver could allow an attacker to cause memory
+corruption and remote code execution as the mediaserver process.</p>
+
+<p>The affected functionality is provided as a core part of the operating system
+and there are multiple applications that allow it to be reached with remote
+content, most notably MMS and browser playback of media.</p>
+
+<p>This issue is rated as a Critical severity due to the possibility of remote
+code execution within the context of the mediaserver service. The mediaserver
+service has access to audio and video streams as well as access to privileges
+that third-party apps cannot normally access.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0803</td>
+ <td>ANDROID-25812794</td>
+ <td>Critical</td>
+ <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Nov 19, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-0804</td>
+ <td>ANDROID-25070434</td>
+ <td>Critical</td>
+ <td>5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Oct 12, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_performance_module>Elevation of Privilege Vulnerability in Qualcomm Performance Module</h3>
+
+
+<p>An elevation of privilege vulnerability in the performance event manager
+component for ARM processors from Qualcomm could enable a local malicious
+application to execute arbitrary code within the kernel. This issue is rated as
+a Critical severity due to the possibility of a local permanent device
+compromise and the device would possibly need to be repaired by re-flashing the
+operating system.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0805</td>
+ <td>ANDROID-25773204</td>
+ <td>Critical</td>
+ <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Nov 15, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wifi_driver>Elevation of Privilege Vulnerability in Qualcomm WiFi Driver</h3>
+
+
+<p>There is a vulnerability in the Qualcomm Wi-Fi driver that could enable a local
+malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as a Critical severity due to the possibility of a
+local permanent device compromise and the device would possibly need to be
+repaired by re-flashing the operating system.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0806</td>
+ <td>ANDROID-25344453</td>
+ <td>Critical</td>
+ <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Nov 15, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_the_debuggerd>Elevation of Privilege Vulnerability in the Debuggerd </h3>
+
+
+<p>An elevation of privilege vulnerability in the Debuggerd component could enable
+a local malicious application to execute arbitrary code within the device root
+context. This issue is rated as a Critical severity due to the possibility of a
+local permanent device compromise and the device would possibly need to be
+repaired by re-flashing the operating system.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0807</td>
+ <td>ANDROID-25187394</td>
+ <td>Critical</td>
+ <td>6.0 and 6.0.1</td>
+ <td>Google Internal</td>
+ </tr>
+</table>
+
+
+<h3 id=denial_of_service_vulnerability_in_minikin>Denial of Service Vulnerability in Minikin</h3>
+
+
+<p>A denial of service vulnerability in the Minikin library could allow a local
+attacker to temporarily block access to an affected device. An attacker could
+cause an untrusted font to be loaded and cause an overflow in the Minikin
+component which leads to a crash. This is rated as a high severity because
+Denial of Service leads to a continuous reboot loop.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0808</td>
+ <td>ANDROID-25645298</td>
+ <td>High</td>
+ <td>5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Nov 3, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_wi-fi>Elevation of Privilege Vulnerability in Wi-Fi</h3>
+
+
+<p>An elevation of privilege vulnerability in the Wi-Fi component could enable a
+local malicious application to execute arbitrary code within the System
+context. A device is only vulnerable to this issue while in local proximity.
+This issue is rated as High severity because it could be used to gain “<a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a>” capabilities remotely. Generally, these permissions are accessible only to
+third-party applications installed locally.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0809</td>
+ <td>ANDROID-25753768</td>
+ <td>High</td>
+ <td>6.0, 6.0.1</td>
+ <td>Google Internal</td>
+ </tr>
+</table>
+
+
+<p>
+</p>
+
+<h3 id=elevation_of_privilege_vulnerability_in_mediaserver>Elevation of Privilege Vulnerability in Mediaserver </h3>
+
+
+<p>An elevation of privilege vulnerability in mediaserver could enable a local
+malicious application to execute arbitrary code within the context of an
+elevated system application. This issue is rated as High severity because it
+could be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to a third-party application.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0810</td>
+ <td>ANDROID-25781119</td>
+ <td>High</td>
+ <td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
+ <td>Google Internal</td>
+ </tr>
+</table>
+
+
+<h3 id=information_disclosure_vulnerability_in_libmediaplayerservice>Information Disclosure Vulnerability in libmediaplayerservice </h3>
+
+
+<p>An information disclosure vulnerability in libmediaplayerservice could permit a
+bypass of security measures in place to increase the difficulty of attackers
+exploiting the platform. These issues are rated as High severity because they
+could also be used to gain elevated capabilities, such as <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">Signature</a> or <a href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">SignatureOrSystem</a> permissions privileges, which are not accessible to third-party applications.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0811</td>
+ <td>ANDROID-25800375</td>
+ <td>High</td>
+ <td>6.0, 6.0.1</td>
+ <td>Nov 16, 2015</td>
+ </tr>
+</table>
+
+
+<h3 id=elevation_of_privilege_vulnerability_in_setup_wizard>Elevation of Privilege Vulnerability in Setup Wizard</h3>
+
+
+<p>A vulnerability in the Setup Wizard could allow a malicious attacker to bypass
+the Factory Reset Protection and gain access to the device. This is rated as a
+Moderate severity because it potentially allows someone with physical access to
+a device to bypass the Factory Reset Protection, which enables an attacker to
+successfully reset a device, erasing all data.</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>Bug(s)</th>
+ <th>Severity</th>
+ <th>Updated versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0812</td>
+ <td>ANDROID-25229538</td>
+ <td>Moderate</td>
+ <td>5.1.1, 6.0</td>
+ <td>Google Internal</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-0813</td>
+ <td>ANDROID-25476219</td>
+ <td>Moderate</td>
+ <td>5.1.1, 6.0, 6.0.1</td>
+ <td>Google Internal</td>
+ </tr>
+</table>
+
+
+<p>
+</p>
+
+<p><strong>Common Questions and Answers</strong></p>
+
+<p>This section reviews answers to common questions that may occur after reading
+this bulletin.</p>
+
+<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p>
+
+<p>Builds LMY49G or later and Android 6.0 with Security Patch Level of February 1,
+2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level. Device
+manufacturers that include these updates should set the patch string level to:
+[ro.build.version.security_patch]:[2016-02-01]</p>
+
+<h2 id=revisions>Revisions</h2>
+
+
+<ul>
+ <li> February 01, 2016: Bulletin published.
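Review bot: In the Acknowledgements list the Broadgate Team entry cites CVE-2015-0802, while the summary and details tables list the Broadcom Wi-Fi issues as CVE-2016-0801 and CVE-2016-0802; this looks like a year typo and should read CVE-2016-0802. The two KAIST entries credit CVE-2015-6614, which appears in none of this bulletin's tables, so confirm which February CVE they reported. The Revisions list at the end of the file opens a <ul> with one <li> and never closes the <ul>; add the closing tag. Smaller consistency points: the summary rows say "the Debugger Daemon" and "Qualcomm Wi-Fi Driver" where the detail headings say "the Debuggerd" and "Qualcomm WiFi Driver", and the CVE-2016-0802 date reads "Oct 26,2015" without the space.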
diff --git a/src/security/bulletin/index.jd b/src/security/bulletin/index.jd
index 7e1e96cd..25682ebc 100644
--- a/src/security/bulletin/index.jd
+++ b/src/security/bulletin/index.jd
@@ -33,6 +33,11 @@ month to the<a href="https://developers.google.com/android/nexus/images"> Google
<th>Android Security Patch Level</th>
</tr>
<tr>
+ <td><a href="2016-02-01.html">February 2016</a></td>
+ <td>February 1, 2016</td>
+ <td>February 1, 2016: [2016-02-01]</td>
+ </tr>
+ <tr>
<td><a href="2016-01-01.html">January 2016</a></td>
<td>January 4, 2016</td>
<td>January 1, 2016: [2016-01-01]</td>
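Review bot: The new February row writes the date as "February 1, 2016", while the bulletin added in this same change uses "February 01, 2016" in its Published line and its Revisions entry; pick one form so the index and the bulletin match.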
diff --git a/src/security/overview/acknowledgements.jd b/src/security/overview/acknowledgements.jd
index 22eb8a8f..a74be9e8 100644
--- a/src/security/overview/acknowledgements.jd
+++ b/src/security/overview/acknowledgements.jd
@@ -40,8 +40,18 @@ Rewards</a> program.</p>
<p>Abhishek Arya of Google Chrome Security Team</p>
+<p>Broadgate Team</p>
+
+<p>David Riley of the Google Pixel C Team</p>
+
+<p>Dongkwan Kim (<a href="mailto:dkay@kaist.ac.kr">dkay@kaist.ac.kr</a>) of System Security Lab, KAIST</p>
+
<p>Gal Beniamini (<a href="https://twitter.com/@laginimaineb">@laginimaineb</a>, <a href="http://bits-please.blogspot.com/">http://bits-please.blogspot.com</a>)</p>
+<p>Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>) from Lab 0x031E of Qihoo 360 Technology Co. Ltd</p>
+
+<p>Hongil Kim (<a href="mailto:hongilk@kaist.ac.kr">hongilk@kaist.ac.kr</a>) of System Security Lab, KAIST</p>
+
<p>Jann Horn (<a href="https://thejh.net/">https://thejh.net</a>)</p>
<p>jfang of KEEN lab, Tencent (<a href="https://twitter.com/k33nteam">@K33nTeam</a>)</p>
@@ -54,12 +64,20 @@ Rewards</a> program.</p>
<p>Quan Nguyen of Google Information Security Engineer Team</p>
+<p>Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent</p>
+
<p>Sen Nie (<a href="https://twitter.com/@nforest_">@nforest_</a>) of KEEN lab, Tencent (<a href="https://twitter.com/k33nteam">@K33nTeam</a>)</p>
+<p>Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>) of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>)</p>
+
<p>Tom Craig of Google X</p>
+<p>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc</p>
+
<p>Yabin Cui from Android Bionic Team</p>
+<p>Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team</p>
+
</div>
<h2 id=2015>2015</h2>
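Review bot: The added "Qidan He" paragraph is placed after "Quan Nguyen", which breaks the first-name alphabetical order the rest of the visible list follows (Qidan sorts before Quan); move it above the Quan Nguyen paragraph.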
diff --git a/src/security/security_toc.cs b/src/security/security_toc.cs
index cf74b3d0..805905c6 100644
--- a/src/security/security_toc.cs
+++ b/src/security/security_toc.cs
@@ -50,6 +50,7 @@
</a>
</div>
<ul>
+ <li><a href="<?cs var:toroot ?>security/bulletin/2016-02-01.html">February 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-01-01.html">January 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2015-12-01.html">December 2015</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2015-11-01.html">November 2015</a></li>