author | Android Partner Docs <noreply@android.com> | 2017-10-11 14:15:38 -0700 |
---|---|---|
committer | Clay Murphy <claym@google.com> | 2017-10-11 19:19:53 -0700 |
commit | 640dc96c73017d3bd2e2c507adcff02046ccfd3f (patch) | |
tree | 25296dfcb38dae95ee022015e64e78bbe646ff9c /en/security | |
parent | 4ede9c52630a6da877e7ca9c1c3801a34ddb7179 (diff) | |
download | source.android.com-640dc96c73017d3bd2e2c507adcff02046ccfd3f.tar.gz |
Docs: Changes to source.android.com
- 171873304 Update documentation for types-only minor version package. by Android Partner Docs <noreply@android.com>
- 171849317 Update CTS/CTS-Verifier downloads for CTS-Oct-2017 Releases by Android Partner Docs <noreply@android.com>
- 171727609 Updating panic button to 8.0 by hvm <hvm@google.com>
- 171724554 Fixing typo by hvm <hvm@google.com>
- 171604727 Removed gerund form to match TOC bar on left. by cqn <cqn@google.com>
- 171576699 Small editorial changes to make content more skimmable. by cqn <cqn@google.com>
- 171546973 Add Clang toolchain to home News section by claym <claym@google.com>
- 171540129 Corrected a typo from "has" to "have" in CTS public setup... by Android Partner Docs <noreply@android.com>
- 171354973 Clean-up edits for consistency on the HCI Requirements do... by cqn <cqn@google.com>
- 171242784 Explain Clang is lone supported toolchain going forward by claym <claym@google.com>
- 171198827 Added researcher acknowledgement by Android Partner Docs <noreply@android.com>
- 171178686 Added researcher acknowledgement by Android Partner Docs <noreply@android.com>
- 171169962 Added missing " to jit-workflow.png by daroberts <daroberts@google.com>
- 171167568 Announce KASAN+KCOV on the home page by daroberts <daroberts@google.com>
- 171093616 Updated Researcher acknowledgement by Android Partner Docs <noreply@android.com>
- 171086588 Add Building a Pixel kernel with KASAN +KCOV by daroberts <daroberts@google.com>
- 171084549 Move CVE-2017-0710 to Google devices section by Android Partner Docs <noreply@android.com>
- 171063850 Removed duped content that is now in /source/view-patches... by cqn <cqn@google.com>
- 171061697 Create a /source/view-patches page so that the nav does n... by cqn <cqn@google.com>
- 171050148 Update home page with October 2017 security release by daroberts <daroberts@google.com>
- 171028732 Devsite localized content from translation request 5cdc34... by Android Partner Docs <noreply@android.com>
- 170937091 Add tags for October security backport releases (these do... by Android Partner Docs <noreply@android.com>
- 170911440 Remove CVE-2017-0605 from bulletin by Android Partner Docs <noreply@android.com>
- 170883975 Add AOSP links to the Oct 2017 Android Security bulletin by daroberts <daroberts@google.com>
- 170883918 Add AOSP links to Oct 2017 Pixel bulletin by daroberts <daroberts@google.com>
PiperOrigin-RevId: 171873304
Change-Id: I51cdbbbf00bdf43374c06638a8db4f8e87dbcdf7
Diffstat (limited to 'en/security')
-rw-r--r-- | en/security/bulletin/2017-05-01.html | 40 |
-rw-r--r-- | en/security/bulletin/2017-07-01.html | 37 |
-rw-r--r-- | en/security/bulletin/2017-09-01.html | 7 |
-rw-r--r-- | en/security/bulletin/2017-10-01.html | 30 |
-rw-r--r-- | en/security/bulletin/pixel/2017-10-01.html | 44 |
-rw-r--r-- | en/security/overview/acknowledgements.html | 5 |
6 files changed, 83 insertions, 80 deletions
diff --git a/en/security/bulletin/2017-05-01.html b/en/security/bulletin/2017-05-01.html index c92e4ffd..9fa83bc4 100644 --- a/en/security/bulletin/2017-05-01.html +++ b/en/security/bulletin/2017-05-01.html @@ -22,7 +22,7 @@ --> -<p><em>Published May 01, 2017 | Updated August 17, 2017</em></p> +<p><em>Published May 01, 2017 | Updated October 03, 2017</em></p> <p>The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security @@ -935,43 +935,6 @@ QC-CR#826589</a></td> <p>* Supported Google devices on Android 7.1.1 or later that have installed all available updates are not affected by this vulnerability.</p> - -<h3 id="eop-in-kernel-trace-subsystem">Elevation of privilege vulnerability in -kernel trace subsystem</h3> - -<p>An elevation of privilege vulnerability in the kernel trace subsystem could -enable a local malicious application to execute arbitrary code within the -context of the kernel. This issue is rated as Critical due to the possibility -of a local permanent device compromise, which may require reflashing the -operating system to repair the device.</p> - -<table> - <col width="19%"> - <col width="20%"> - <col width="10%"> - <col width="23%"> - <col width="17%"> - <tr> - <th>CVE</th> - <th>References</th> - <th>Severity</th> - <th>Updated Google devices</th> - <th>Date reported</th> - </tr> - <tr> - <td>CVE-2017-0605</td> - <td>A-35399704<br> - <a -href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477"> -QC-CR#1048480</a></td> - <td>Critical</td> - <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel, Pixel XL, Pixel C, Android -One, Nexus Player</td> - <td>Feb 15, 2017</td> - </tr> -</table> - - <h3 id="vulnerabilities-in-qualcomm-components">Vulnerabilities in Qualcomm components</h3> 
@@ -3060,6 +3023,7 @@ belongs. These prefixes map as follows:</p> <li>August 10, 2017: Bulletin revised to include additional AOSP link for CVE-2017-0493.</li> <li>August 17, 2017: Bulletin revised to update reference numbers.</li> +<li>October 03, 2017: Bulletin revised to remove CVE-2017-0605.</li> </ul> </body> </html> diff --git a/en/security/bulletin/2017-07-01.html b/en/security/bulletin/2017-07-01.html index 19141843..cf74c941 100644 --- a/en/security/bulletin/2017-07-01.html +++ b/en/security/bulletin/2017-07-01.html @@ -687,13 +687,6 @@ kernel</a></td> <td>SCSI driver</td> </tr> <tr> - <td>CVE-2017-0710</td> - <td>A-34951864<a href="#asterisk">*</a></td> - <td>EoP</td> - <td>Moderate</td> - <td>TCB</td> - </tr> - <tr> <td>CVE-2017-7308</td> <td>A-36725304<br> <a href="//git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b6867c2ce76c596676bec7d2d525af525fdc6e2">Upstream kernel</a> @@ -1445,6 +1438,32 @@ site</a>.</p> <td>July 05, 2017</td> </tr> </table> + +<p>Google device updates also contain patches for these security +vulnerabilities, if applicable:</p> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-0710</td> + <td>A-34951864<a href="#asterisk">*</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>TCB</td> + </tr> +</table> + <h2 id="acknowledgements">Acknowledgements</h2> <p>We would like to thank these researchers for their contributions:</p> @@ -1503,7 +1522,7 @@ Ltd.</td> </tr> <tr> <td>CVE-2017-0665</td> - <td><a href="mailto:arnow117@gmail.com">Hanxiang Wen</a>, Mingjian Zhou (<a + <td><a href="mailto:zc1991@mail.ustc.edu.cn">Chi Zhang</a>,<a href="mailto:arnow117@gmail.com">Hanxiang Wen</a>, Mingjian Zhou (<a href="//twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), and Xuxian Jiang of <a href="//c0reteam.org">C0RE Team</a></td> </tr> 
@@ -1749,7 +1768,7 @@ site</a>.</p> <td>September 19, 2017</td> <td>Updated acknowledgements for CVE-2017-0710.</td> </tr> - <tr> + <tr> <td>1.5</td> <td>September 26, 2017</td> <td>Updated acknowledgements for CVE-2017-0681.</td> diff --git a/en/security/bulletin/2017-09-01.html b/en/security/bulletin/2017-09-01.html index 56c94f05..f4346d78 100644 --- a/en/security/bulletin/2017-09-01.html +++ b/en/security/bulletin/2017-09-01.html @@ -20,7 +20,7 @@ See the License for the specific language governing permissions and limitations under the License. --> - <p><em>Published September 5, 2017 | Updated September 28, 2017</em></p> + <p><em>Published September 5, 2017 | Updated October 5, 2017</em></p> <p>The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of September 05, 2017 or later @@ -1155,6 +1155,11 @@ Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), and Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a></td> </tr> <tr> + <td>CVE-2017-0755</td> + <td>Dawei Peng of Alibaba Mobile Security Team + (<a href="http://weibo.com/u/5622360291">weibo: Vinc3nt4H</a>)</td> + </tr> + <tr> <td>CVE-2017-0775, CVE-2017-0774, CVE-2017-0771</td> <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> </tr> diff --git a/en/security/bulletin/2017-10-01.html b/en/security/bulletin/2017-10-01.html index 6ca5f4f6..dce1e591 100644 --- a/en/security/bulletin/2017-10-01.html +++ b/en/security/bulletin/2017-10-01.html @@ -20,7 +20,7 @@ See the License for the specific language governing permissions and limitations under the License. --> - <p><em>Published October 2, 2017</em></p> +<p><em>Published October 2, 2017 | Updated October 3, 2017</em></p> <p>The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of October 05, 2017 or later 
@@ -29,9 +29,9 @@ level, see <a href="https://support.google.com/pixelphone/answer/4457705#pixel_p Check & update your Android version</a>.</p> <p>Android partners are notified of all issues at least a month before -publication. Source code patches for these issues will be released -to the Android Open Source Project (AOSP) repository in the next 48 hours. -We will revise this bulletin with the AOSP links when they are available.</p> +publication. Source code patches for these issues have been released to the +Android Open Source Project (AOSP) repository and linked from this bulletin. +This bulletin also includes links to patches outside of AOSP.</p> <p>The most severe of these issues is a critical severity vulnerability in media framework that could enable a remote attacker using a specially crafted file to @@ -121,7 +121,7 @@ additional permissions.</p> </tr> <tr> <td>CVE-2017-0806</td> - <td>A-62998805</td> + <td><a href="https://android.googlesource.com/platform/frameworks/base/+/b87c968e5a41a1a09166199bf54eee12608f3900">A-62998805</a></td> <td>EoP</td> <td>High</td> <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> 
@@ -148,42 +148,42 @@ a privileged process.</p> </tr> <tr> <td>CVE-2017-0809</td> - <td>A-62673128</td> + <td><a href="https://android.googlesource.com/platform/frameworks/av/+/552a3b5df2a6876d10da20f72e4cc0d44ac2c790">A-62673128</a></td> <td>RCE</td> <td>Critical</td> <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> </tr> <tr> <td>CVE-2017-0810</td> - <td>A-38207066</td> + <td><a href="https://android.googlesource.com/platform/external/libmpeg2/+/7737780815fe523ad7b0e49456eb75d27a30818a">A-38207066</a></td> <td>RCE</td> <td>Critical</td> <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> </tr> <tr> <td>CVE-2017-0811</td> - <td>A-37930177</td> + <td><a href="https://android.googlesource.com/platform/external/libhevc/+/25c0ffbe6a181b4a373c3c9b421ea449d457e6ed">A-37930177</a></td> <td>RCE</td> <td>Critical</td> <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> </tr> <tr> <td>CVE-2017-0812</td> - <td>A-62873231</td> + <td><a href="https://android.googlesource.com/device/google/dragon/+/7df7ec13b1d222ac3a66797fbe432605ea8f973f">A-62873231</a></td> <td>EoP</td> <td>High</td> <td>7.0, 7.1.1, 7.1.2, 8.0</td> </tr> <tr> <td>CVE-2017-0815</td> - <td>A-63526567</td> + <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f490fc335772a9b14e78997486f4a572b0594c04">A-63526567</a></td> <td>ID</td> <td>Moderate</td> <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> </tr> <tr> <td>CVE-2017-0816</td> - <td>A-63662938</td> + <td><a href="https://android.googlesource.com/platform/frameworks/av/+/f490fc335772a9b14e78997486f4a572b0594c04">A-63662938</a></td> <td>ID</td> <td>Moderate</td> <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> 
@@ -210,7 +210,8 @@ process.</p> </tr> <tr> <td>CVE-2017-14496</td> - <td>A-64575136</td> + <td><a href="https://android.googlesource.com/platform/external/dnsmasq/+/ff755ca73c98a1f2706fe86996e4bf6215054834">A-64575136</a> + [<a href="https://android.googlesource.com/platform/external/dnsmasq/+/68a974de72b5091ce608815a349daaeb05cdeab5">2</a>]</td> <td>RCE</td> <td>High</td> <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> @@ -502,6 +503,11 @@ Acknowledgements</a> page.</p> <td>October 2, 2017</td> <td>Bulletin published.</td> </tr> + <tr> + <td>1.1</td> + <td>October 3, 2017</td> + <td>Bulletin revised to include AOSP links.</td> + </tr> </table> </body> </html> diff --git a/en/security/bulletin/pixel/2017-10-01.html b/en/security/bulletin/pixel/2017-10-01.html index fd8eb49d..05e9d059 100644 --- a/en/security/bulletin/pixel/2017-10-01.html +++ b/en/security/bulletin/pixel/2017-10-01.html @@ -1,6 +1,6 @@ <html devsite> <head> - <title>Pixel/Nexus Security Bulletin—October 2017</title> + <title>Pixel / Nexus Security Bulletin—October 2017</title> <meta name="project_path" value="/_project.yaml" /> <meta name="book_path" value="/_book.yaml" /> </head> @@ -20,9 +20,9 @@ See the License for the specific language governing permissions and limitations under the License. --> - <p><em>Published October 2, 2017</em></p> +<p><em>Published October 2, 2017 | Updated October 3, 2017</em></p> -<p>The Pixel/ Nexus Security Bulletin contains details of security vulnerabilities +<p>The Pixel / Nexus Security Bulletin contains details of security vulnerabilities and functional improvements affecting <a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices"> supported Google Pixel and Nexus devices</a> (Google devices). For 
@@ -56,16 +56,14 @@ Google Developer site</a>.</p> </ul> <h2 id="patches">Security patches</h2> -Vulnerabilities are -grouped under the component that they affect. There is a description of the -issue and a table with the CVE, associated references, +Vulnerabilities are grouped under the component that they affect. There is a +description of the issue and a table with the CVE, associated references, <a href="#type">type of vulnerability</a>, <a href="/security/overview/updates-resources.html#severity">severity</a>, and updated Android Open Source Project (AOSP) versions (where applicable). -When available, we link the public -change that addressed the issue to the bug ID, like the AOSP change list. When -multiple changes relate to a single bug, additional references are linked to -numbers following the bug ID.</p> +When available, we link the public change that addressed the issue to the bug +ID, like the AOSP change list. When multiple changes relate to a single bug, +additional references are linked to numbers following the bug ID.</p> <h3 id="framework">Framework</h3> @@ -84,14 +82,15 @@ numbers following the bug ID.</p> </tr> <tr> <td>CVE-2017-0807</td> - <td>A-35056974</td> + <td>A-35056974<a href="#asterisk">*</a></td> <td>EoP</td> <td>High</td> <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td> </tr> <tr> <td>CVE-2017-0808</td> - <td>A-62301183</td> + <td><a href="https://android.googlesource.com/platform/libcore/+/809681f310663288e83587089abb7715c68f6924">A-62301183</a> + [<a href="https://android.googlesource.com/platform/libcore/+/100a8006a7baab1bb62820eb62577c0b0849fbc3">2</a>]</td> <td>ID</td> <td>Moderate</td> <td>7.0, 7.1.1, 7.1.2, 8.0</td> 
@@ -115,14 +114,14 @@ numbers following the bug ID.</p> </tr> <tr> <td>CVE-2017-0813</td> - <td>A-36531046</td> + <td><a href="https://android.googlesource.com/platform/frameworks/av/+/7fa3f552a6f34ed05c15e64ea30b8eed53f77a41">A-36531046</a></td> <td>DoS</td> <td>Moderate</td> <td>7.0, 7.1.1, 7.1.2</td> </tr> <tr> <td rowspan="2">CVE-2017-0814</td> - <td rowspan="2">A-62800140</td> + <td rowspan="2"><a href="https://android.googlesource.com/platform/external/tremolo/+/eeb4e45d5683f88488c083ecf142dc89bc3f0b47">A-62800140</a></td> <td>ID</td> <td>Moderate</td> <td>7.0, 7.1.1, 7.1.2, 8.0</td> @@ -134,14 +133,14 @@ numbers following the bug ID.</p> </tr> <tr> <td>CVE-2017-0817</td> - <td>A-63522430</td> + <td><a href="https://android.googlesource.com/platform/frameworks/av/+/d834160d9759f1098df692b34e6eeb548f9e317b">A-63522430</a></td> <td>ID</td> <td>Moderate</td> <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> </tr> <tr> <td rowspan="2">CVE-2017-0818</td> - <td rowspan="2">A-63581671</td> + <td rowspan="2"><a href="https://android.googlesource.com/platform/frameworks/av/+/d07f5c14e811951ff9b411ceb84e7288e0d04aaf">A-63581671</a></td> <td>NSI</td> <td>NSI</td> <td>7.0, 7.1.1, 7.1.2, 8.0</td> @@ -153,7 +152,7 @@ numbers following the bug ID.</p> </tr> <tr> <td rowspan="2">CVE-2017-0819</td> - <td rowspan="2">A-63045918</td> + <td rowspan="2"><a href="https://android.googlesource.com/platform/external/libhevc/+/87fb7909c49e6a4510ba86ace1ffc83459c7e1b9">A-63045918</a></td> <td>NSI</td> <td>NSI</td> <td>7.0, 7.1.1, 7.1.2, 8.0</td> @@ -165,7 +164,7 @@ numbers following the bug ID.</p> </tr> <tr> <td rowspan="2">CVE-2017-0820</td> - <td rowspan="2">A-62187433</td> + <td rowspan="2"><a href="https://android.googlesource.com/platform/frameworks/av/+/8a3a2f6ea7defe1a81bb32b3c9f3537f84749b9d">A-62187433</a></td> <td>NSI</td> <td>NSI</td> <td>7.0, 7.1.1, 7.1.2, 8.0</td> 
@@ -194,14 +193,14 @@ numbers following the bug ID.</p> </tr> <tr> <td>CVE-2017-0822</td> - <td>A-63787722</td> + <td><a href="https://android.googlesource.com/platform/frameworks/base/+/c574568aaede7f652432deb7707f20ae54bbdf9a">A-63787722</a></td> <td>EoP</td> <td>Moderate</td> <td>6.0.1, 7.0, 7.1.1, 7.1.2, 8.0</td> </tr> <tr> <td>CVE-2017-0823</td> - <td>A-37896655</td> + <td><a href="https://android.googlesource.com/platform/hardware/ril/+/cd5f15f588a5d27e99ba12f057245bfe507f8c42">A-37896655</a></td> <td>ID</td> <td>Moderate</td> <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td> @@ -670,6 +669,11 @@ are not required for declaring a security patch level. <td>October 2, 2017</td> <td>Bulletin published.</td> </tr> + <tr> + <td>1.1</td> + <td>October 3, 2017</td> + <td>Bulletin revised to include AOSP links.</td> + </tr> </table> </body> </html> diff --git a/en/security/overview/acknowledgements.html b/en/security/overview/acknowledgements.html index d444a357..2179f646 100644 --- a/en/security/overview/acknowledgements.html +++ b/en/security/overview/acknowledgements.html @@ -153,6 +153,11 @@ href="http://c0reteam.org/">C0RE Team</a></td> <td>CVE-2017-0397, CVE-2017-0405, CVE-2017-0410, CVE-2017-0826</td> </tr> <tr> + <td>Dawei Peng of Alibaba Mobile Security Team + (<a href="http://weibo.com/u/5622360291">weibo: Vinc3nt4H</a>)</td> + <td>CVE-2017-0755</td> + </tr> + <tr> <td>Daxing Guo (<a href="https://twitter.com/freener0">@freener0</a>) of Xuanwu Lab, Tencent</td> <td>CVE-2017-0386, CVE-2017-0553, CVE-2017-0585, CVE-2017-0706</td> |
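Review bot: In en/security/bulletin/2017-05-01.html, the added revision entry "October 03, 2017: Bulletin revised to remove CVE-2017-0605." records the removal but gives no reason, so a reader who patched or tracked that CVE from this bulletin cannot tell whether it was withdrawn, reassigned or moved elsewhere. Consider adding a short reason to the entry. The first hunk also deletes the heading with id="eop-in-kernel-trace-subsystem", so check that nothing else in the file still links to that anchor.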
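Review bot: In en/security/bulletin/2017-07-01.html, moving CVE-2017-0710 out of the kernel components table (hunk at -687) and into the new Google devices table (hunk at -1445) changes which section of the bulletin the CVE is listed under, yet no row is added to the revisions table: the only edit there (hunk at -1749) is whitespace on a <tr>. The 2017-05-01 bulletin gets a revision entry for its CVE change in this same commit, so add a matching version row here, for example one stating that CVE-2017-0710 was moved to the Google devices section.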
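Review bot: In the acknowledgements hunk of en/security/bulletin/2017-07-01.html (at -1503), the added credit for CVE-2017-0665 has no space after the comma between the two links: "Chi Zhang</a>,<a href="mailto:arnow117@gmail.com">Hanxiang Wen</a>". It will render as "Chi Zhang,Hanxiang Wen". Insert a space after the comma so the list reads like the other entries in the table.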
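Review bot: In en/security/bulletin/2017-10-01.html (hunk at -148), the rows for CVE-2017-0815 (A-63526567) and CVE-2017-0816 (A-63662938) both link to the same frameworks/av commit, f490fc335772a9b14e78997486f4a572b0594c04. Please confirm that one change fixes both bugs. If it does not, one of the two hrefs is a copy-paste error and anyone backporting from the bulletin would pick up the wrong patch for that CVE.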
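Review bot: In en/security/bulletin/pixel/2017-10-01.html (hunk at -56), the rewrapped text under <h2 id="patches"> still begins with bare "Vulnerabilities are grouped under the component that they affect." and ends with "</p>", so the closing tag has no matching opening <p>. Since this paragraph is being rewrapped anyway, add the opening <p> before "Vulnerabilities" so the markup is well-formed.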