author | Android Partner Docs <noreply@android.com> | 2018-03-06 08:24:36 -0800 |
---|---|---|
committer | Clay Murphy <claym@google.com> | 2018-03-06 18:07:14 -0800 |
commit | 43bbaf851f9548aaabf5b5bfad30865024558847 (patch) | |
tree | 61fd461b701fec3e32da848ab82da00a66daed3f /en | |
parent | ae8cc47f7f443fc184778645b37620f61111797d (diff) | |
download | source.android.com-43bbaf851f9548aaabf5b5bfad30865024558847.tar.gz |
Docs: Changes to source.android.com
- 188025657 Devsite localized content from translation request c34f38... by Android Partner Docs <noreply@android.com>
- 188025647 Devsite localized content from translation request cc7908... by Android Partner Docs <noreply@android.com>
- 188025604 Devsite localized content from translation request 914da3... by Android Partner Docs <noreply@android.com>
- 188025598 Devsite localized content from translation request 5d672b... by Android Partner Docs <noreply@android.com>
- 188025591 Devsite localized content from translation request b724de... by Android Partner Docs <noreply@android.com>
- 187931517 Add tags for first batch of March 2018 Security Release. by Android Partner Docs <noreply@android.com>
- 187880962 Publish localized bulletins by Danielle Roberts <daroberts@google.com>
- 187878114 Publish March 2018 Pixel & Android bulletins by Danielle Roberts <daroberts@google.com>
- 187869445 Devsite localized content from translation request 2ce939... by Android Partner Docs <noreply@android.com>
- 187869429 Devsite localized content from translation request 157dc0... by Android Partner Docs <noreply@android.com>
- 187869408 Devsite localized content from translation request 967732... by Android Partner Docs <noreply@android.com>
- 187869396 Devsite localized content from translation request 8f3035... by Android Partner Docs <noreply@android.com>
- 187869393 Devsite localized content from translation request 7ba9b0... by Android Partner Docs <noreply@android.com>
- 187869348 Devsite localized content from translation request 317966... by Android Partner Docs <noreply@android.com>
- 187869333 Devsite localized content from translation request 90c878... by Android Partner Docs <noreply@android.com>
- 187869318 Devsite localized content from translation request 5b2157... by Android Partner Docs <noreply@android.com>
- 187654045 Add freeze files to all tenants except mivi, openthread, ... by Android Partner Docs <noreply@android.com>
- 187640068 Updated the code style guideline for static imports by Clay Murphy <claym@google.com>
- 187626488 Devsite localized content from translation request 4f0709... by Android Partner Docs <noreply@android.com>
- 187626483 Devsite localized content from translation request aab5c7... by Android Partner Docs <noreply@android.com>
- 187626480 Devsite localized content from translation request fff357... by Android Partner Docs <noreply@android.com>
- 187481368 Devsite localized content from translation request 67211a... by Android Partner Docs <noreply@android.com>
- 187481356 Devsite localized content from translation request 34bbcc... by Android Partner Docs <noreply@android.com>
- 187481352 Devsite localized content from translation request 3d886d... by Android Partner Docs <noreply@android.com>
- 187431256 Fixing the redundant "measurements" named anchor by Clay Murphy <claym@google.com>
- 187411404 Point third-party app developers at Studio. by Android Partner Docs <noreply@android.com>
- 187383462 Devsite localized content from translation request fe57b3... by Android Partner Docs <noreply@android.com>
- 187383417 Devsite localized content from translation request d4c384... by Android Partner Docs <noreply@android.com>
- 187383410 Devsite localized content from translation request 597800... by Android Partner Docs <noreply@android.com>
- 187383398 Devsite localized content from translation request 3739bb... by Android Partner Docs <noreply@android.com>
- 187365298 Emphasize ownership of linkToDeath in HIDL. by Android Partner Docs <noreply@android.com>
- 187194296 Updated broken link to manifest.xml by Christina Nguyen <cqn@google.com>
PiperOrigin-RevId: 188025657
Change-Id: Ib8e26f3424074a95a135bf3cba32c85e4fb18d88
Diffstat (limited to 'en')
-rw-r--r-- | en/_freeze.yaml | 2 |
-rw-r--r-- | en/devices/architecture/hidl/services.html | 4 |
-rw-r--r-- | en/devices/architecture/vintf/objects.html | 2 |
-rw-r--r-- | en/devices/audio/latency_measurements.html | 2 |
-rw-r--r-- | en/devices/tech/debug/gdb.html | 4 |
-rw-r--r-- | en/security/_toc.yaml | 4 |
-rw-r--r-- | en/security/bulletin/2018-03-01.html | 713 |
-rw-r--r-- | en/security/bulletin/2018.html | 22 |
-rw-r--r-- | en/security/bulletin/index.html | 22 |
-rw-r--r-- | en/security/bulletin/pixel/2018-03-01.html | 704 |
-rw-r--r-- | en/security/bulletin/pixel/2018.html | 21 |
-rw-r--r-- | en/security/bulletin/pixel/index.html | 21 |
-rw-r--r-- | en/security/overview/acknowledgements.html | 99 |
-rw-r--r-- | en/setup/build-numbers.html | 18 |
-rw-r--r-- | en/setup/code-style.html | 8 |
15 files changed, 1616 insertions, 30 deletions
diff --git a/en/_freeze.yaml b/en/_freeze.yaml new file mode 100644 index 00000000..d9f62224 --- /dev/null +++ b/en/_freeze.yaml @@ -0,0 +1,2 @@ +# DevSite V2 is moving to production servers, but sites will not be published unless manually specified. +# This freeze file prevents uploading of content to the production servers in V2 to prevent accidents.
\ No newline at end of file diff --git a/en/devices/architecture/hidl/services.html b/en/devices/architecture/hidl/services.html index a739dfce..805bc800 100644 --- a/en/devices/architecture/hidl/services.html +++ b/en/devices/architecture/hidl/services.html @@ -94,7 +94,9 @@ code, not in HIDL).</li> <li>Instantiate an object of the <code>hidl_death_recipient</code> subclass. </li> <li>Call the <code>linkToDeath()</code> method on the service to monitor, -passing in the <code>IDeathRecipient</code>'s interface object.</li> +passing in the <code>IDeathRecipient</code>'s interface object. Note that this +method does not take ownership of the death recipient or the proxy on which it +is called.</li> </ol> <p>A pseudocode example (C++ and Java are similar):</p> diff --git a/en/devices/architecture/vintf/objects.html b/en/devices/architecture/vintf/objects.html index 76d78ee0..c7ab09fd 100644 --- a/en/devices/architecture/vintf/objects.html +++ b/en/devices/architecture/vintf/objects.html @@ -32,7 +32,7 @@ format, although not all elements apply to both (for details on the schema, see <p>The Device manifest file is provided by the device. It lives in the Android source tree at <code>device/${VENDOR}/${DEVICE}/manifest.xml</code> and on the device at -<code><a href="https://android.googlesource.com/platform/system/libhidl/+/master/manifest.xml" class="external">/vendor/manifest.xml</a></code>. +<code><a href="https://android.googlesource.com/platform/system/libhidl/+/master/vintfdata/manifest.xml" class="external">/vintfdata/manifest.xml</a></code>. </p> <p>Example Device manifest:</p> diff --git a/en/devices/audio/latency_measurements.html b/en/devices/audio/latency_measurements.html index 9ec6e256..c4aed1f7 100644 --- a/en/devices/audio/latency_measurements.html +++ b/en/devices/audio/latency_measurements.html 
@@ -94,7 +94,7 @@ measuring unidirectional latency are described at and <a href="latency_measure.html#measuringInput">Measuring Input Latency</a>.</p> -<h2 id="measurements">Example measurements</h2> +<h2 id="examples">Example measurements</h2> <p>The measurements listed below are specific to a <a href="/setup/build-numbers.html">build number</a>. Devices are listed in diff --git a/en/devices/tech/debug/gdb.html b/en/devices/tech/debug/gdb.html index 27c99328..d021dae3 100644 --- a/en/devices/tech/debug/gdb.html +++ b/en/devices/tech/debug/gdb.html @@ -23,7 +23,9 @@ <p>The GNU Project debugger (GDB) is a commonly used Unix debugger. This page -details using <code>gdb</code> to debug Android apps and processes.</p> +details using <code>gdb</code> to debug Android apps and processes for platform +developers. For third-party app development, see +<a href="https://developer.android.com/studio/debug/index.html">Debug Your App</a>.</p> <h2 id=running>Debugging running apps or processes</h2> diff --git a/en/security/_toc.yaml b/en/security/_toc.yaml index 72de9f34..a48fdf29 100644 --- a/en/security/_toc.yaml +++ b/en/security/_toc.yaml @@ -45,6 +45,8 @@ toc: section: - title: 2018 Bulletins section: + - title: March + path: /security/bulletin/2018-03-01 - title: February path: /security/bulletin/2018-02-01 - title: January @@ -127,6 +129,8 @@ toc: path: /security/bulletin/pixel/index - title: 2018 Bulletins section: + - title: March + path: /security/bulletin/pixel/2018-03-01 - title: February path: /security/bulletin/pixel/2018-02-01 - title: January diff --git a/en/security/bulletin/2018-03-01.html b/en/security/bulletin/2018-03-01.html new file mode 100644 index 00000000..f269f461 --- /dev/null +++ b/en/security/bulletin/2018-03-01.html 
@@ -0,0 +1,713 @@ +<html devsite> + <head> + <title>Android Security Bulletin—March 2018</title> + <meta name="project_path" value="/_project.yaml" /> + <meta name="book_path" value="/_book.yaml" /> + </head> + <body> + <!-- + Copyright 2018 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + //www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> +<p><em>Published March 5, 2018</em></p> + +<p> +The Android Security Bulletin contains details of security vulnerabilities +affecting Android devices. Security patch levels of 2018-03-05 or later address +all of these issues. To learn how to check a device's security patch level, see +<a href="https://support.google.com/pixelphone/answer/4457705">Check and update +your Android version</a>. +</p> +<p> +Android partners are notified of all issues at least a month before publication. +Source code patches for these issues will be released to the Android Open Source +Project (AOSP) repository in the next 48 hours. We will revise this bulletin +with the AOSP links when they are available. +</p> +<p> +The most severe of these issues is a critical security vulnerability in Media +framework that could enable a remote attacker using a specially crafted file to +execute arbitrary code within the context of a privileged process. 
The +<a href="/security/overview/updates-resources.html#severity">severity +assessment</a> is based on the effect that exploiting the vulnerability would +possibly have on an affected device, assuming the platform and service +mitigations are turned off for development purposes or if successfully bypassed. +</p> +<p> +We have had no reports of active customer exploitation or abuse of these newly +reported issues. Refer to the +<a href="#mitigations">Android and Google Play Protect mitigations</a> +section for details on the +<a href="/security/enhancements/index.html">Android security platform protections</a> +and Google Play Protect, which improve the security of the Android platform. +</p> +<p class="note"> +<strong>Note:</strong> Information on the latest over-the-air update (OTA) and +firmware images for Google devices is available in the +<a href="/security/bulletin/pixel/2018-03-01.html">March 2018 +Pixel / Nexus Security Bulletin</a>. +</p> + +<h2 id="mitigations">Android and Google service mitigations</h2> +<p> +This is a summary of the mitigations provided by the +<a href="/security/enhancements/index.html">Android security platform</a> +and service protections such as +<a href="https://www.android.com/play-protect">Google Play Protect</a>. +These capabilities reduce the likelihood that security vulnerabilities +could be successfully exploited on Android. +</p> +<ul> +<li>Exploitation for many issues on Android is made more difficult by +enhancements in newer versions of the Android platform. We encourage all users +to update to the latest version of Android where possible.</li> +<li>The Android security team actively monitors for abuse through +<a href="https://www.android.com/play-protect">Google Play Protect</a> +and warns users about +<a href="/security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially +Harmful Applications</a>. 
Google Play Protect is enabled by default on devices +with <a href="http://www.android.com/gms">Google Mobile Services</a>, and is +especially important for users who install apps from outside of Google +Play.</li> +</ul> +<h2 id="2018-03-01-details">2018-03-01 security patch level vulnerability details</h2> +<p> +In the sections below, we provide details for each of the security +vulnerabilities that apply to the 2018-03-01 patch level. Vulnerabilities are +grouped under the component that they affect. There is a description of the +issue and a table with the CVE, associated references, +<a href="#type">type of vulnerability</a>, +<a href="/security/overview/updates-resources.html#severity">severity</a>, +and updated AOSP versions (where applicable). When available, we link the public +change that addressed the issue to the bug ID, like the AOSP change list. When +multiple changes relate to a single bug, additional references are linked to +numbers following the bug ID. +</p> + +<h3 id="media-framework">Media framework</h3> +<p>The most severe vulnerability in this section could enable a remote attacker +using a specially crafted file to execute arbitrary code within the context of +a privileged process.</p> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2017-13248</td> + <td>A-70349612</td> + <td>RCE</td> + <td>Critical</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13249</td> + <td>A-70399408</td> + <td>RCE</td> + <td>Critical</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13250</td> + <td>A-71375536</td> + <td>RCE</td> + <td>Critical</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13251</td> + <td>A-69269702</td> + <td>EoP</td> + <td>Critical</td> + 
<td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13252</td> + <td>A-70526702</td> + <td>EoP</td> + <td>High</td> + <td>8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13253</td> + <td>A-71389378</td> + <td>EoP</td> + <td>High</td> + <td>8.0, 8.1</td> + </tr> +</table> + + +<h3 id="system">System</h3> +<p>The most severe vulnerability in this section could enable a proximate +attacker to execute arbitrary code within the context of a privileged +process.</p> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2017-13255</td> + <td>A-68776054</td> + <td>RCE</td> + <td>Critical</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13256</td> + <td>A-68817966</td> + <td>RCE</td> + <td>Critical</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13272</td> + <td>A-67110137</td> + <td>RCE</td> + <td>Critical</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13266</td> + <td>A-69478941</td> + <td>RCE</td> + <td>Critical</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13257</td> + <td>A-67110692</td> + <td>ID</td> + <td>High</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13258</td> + <td>A-67863755</td> + <td>ID</td> + <td>High</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13259</td> + <td>A-68161546</td> + <td>ID</td> + <td>High</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13260</td> + <td>A-69177251</td> + <td>ID</td> + <td>High</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13261</td> + <td>A-69177292</td> + <td>ID</td> + 
<td>High</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13262</td> + <td>A-69271284</td> + <td>ID</td> + <td>High</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> +</table> + +<h2 id="2018-03-05-details">2018-03-05 security patch level vulnerability details</h2> +<p> +In the sections below, we provide details for each of the security +vulnerabilities that apply to the 2018-03-05 patch level. Vulnerabilities are +grouped under the component that they affect and include details such as the +CVE, associated references, <a href="#type">type of vulnerability</a>, +<a href="/security/overview/updates-resources.html#severity">severity</a>, +component (where applicable), and updated AOSP versions (where applicable). When +available, we link the public change that addressed the issue to the bug ID, +like the AOSP change list. When multiple changes relate to a single bug, +additional references are linked to numbers following the bug ID. 
+</p> + +<h3 id="kernel-components">Kernel components</h3> +<p>The most severe vulnerability in this section could enable a local malicious +application to execute arbitrary code within the context of a privileged +process.</p> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-16530</td> + <td>A-69051940<br /> + <a +href="https://github.com/torvalds/linux/commit/786de92b3cb26012d3d0f00ee37adf14527f35c4"> +Upstream kernel</a></td> + <td>EoP</td> + <td>High</td> + <td>UAS driver</td> + </tr> + <tr> + <td>CVE-2017-16525</td> + <td>A-69050921<br /> + <a +href="https://github.com/torvalds/linux/commit/299d7572e46f98534033a9e65973f13ad1ce9047"> +Upstream kernel</a></td> + <td>EoP</td> + <td>High</td> + <td>USB driver</td> + </tr> + <tr> + <td>CVE-2017-16535</td> + <td>A-69052675<br /> + <a +href="https://github.com/torvalds/linux/commit/1c0edc3633b56000e18d82fc241e3995ca18a69e"> +Upstream kernel</a></td> + <td>ID</td> + <td>High</td> + <td>USB driver</td> + </tr> + <tr> + <td>CVE-2017-16533</td> + <td>A-69052348<br /> + <a +href="https://github.com/torvalds/linux/commit/f043bfc98c193c284e2cd768fefabe18ac2fed9b"> +Upstream kernel</a></td> + <td>ID</td> + <td>High</td> + <td>USB driver</td> + </tr> + <tr> + <td>CVE-2017-16531</td> + <td>A-69052055<br /> + <a +href="https://github.com/torvalds/linux/commit/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb"> +Upstream kernel</a></td> + <td>ID</td> + <td>High</td> + <td>USB driver</td> + </tr> + <tr> + <td>CVE-2017-16529</td> + <td>A-69051731<br /> + <a +href="https://github.com/torvalds/linux/commit/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991"> +Upstream kernel</a></td> + <td>ID</td> + <td>High</td> + <td>USB sound driver</td> + </tr> +</table> + + +<h3 id="nvidia-components">NVIDIA components</h3> +<p>The most severe vulnerability in this section 
could enable a local malicious +application to execute arbitrary code within the context of a privileged +process.</p> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-6281</td> + <td>A-66969318<a href="#asterisk">*</a><br /> + N-CVE-2017-6281</td> + <td>EoP</td> + <td>High</td> + <td>Libnvomx</td> + </tr> + <tr> + <td>CVE-2017-6286</td> + <td>A-64893247<a href="#asterisk">*</a><br /> + N-CVE-2017-6286</td> + <td>EoP</td> + <td>High</td> + <td>Libnvomx</td> + </tr> +</table> + + +<h3 id="qualcomm-components">Qualcomm components</h3> +<p>The most severe vulnerability in this section could enable a remote attacker +using a specially crafted file to execute arbitrary code within the context of +a privileged process.</p> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-18067</td> + <td>A-68992411<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=e1e9d0cb8a0bc33965d112725e205a78aab82986"> +QC-CR#2081734</a> [<a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=4201fc6c8c7eb7dddcfb7f06b5f1012d7c5cf451">2</a>]</td> + <td>RCE</td> + <td>Critical</td> + <td>Wireless network driver</td> + </tr> + <tr> + <td>CVE-2017-15815</td> + <td>A-68992395<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a5096157fd80350a0e0409e7ad96265ae60861f6"> +QC-CR#2093392</a></td> + <td>RCE</td> + <td>Critical</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18068</td> + <td>A-70799990<br /> + <a 
+href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=b91ad6cf984a48ad52fe5af13cb3e0ac4bf012ed"> +QC-CR#2072064</a></td> + <td>EoP</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18056</td> + <td>A-70237692<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=67cfe475cb8ea3dfa86c68fca536b4ddb5168e9d"> +QC-CR#2119404</a></td> + <td>EoP</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18063</td> + <td>A-68992442<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=b9c0beac8f021f774f39df54e1f96fd87c2660f0"> +QC-CR#2114776</a></td> + <td>EoP</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18064</td> + <td>A-68992438<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=84f144bedd81ad154a26c76fb322903c25374d20"> +QC-CR#2114323</a></td> + <td>EoP</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-15821</td> + <td>A-68992432<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=44cd589c8a0f5a245e0003a7d0c4be1b5f3ba890"> +QC-CR#2113072</a></td> + <td>EoP</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-14885</td> + <td>A-70237686<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=44e992e169dbd601f95e845961cb2181b167a553"> +QC-CR#2113758</a></td> + <td>EoP</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18069</td> + <td>A-67582682<a href="#asterisk">*</a><br /> + QC-CR#2054772 QC-CR#2058471</td> + <td>ID</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-14882</td> + <td>A-68992424<br /> + <a 
+href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=cd10091f03f6255a47d7146eea5738f1f4ceea35"> +QC-CR#2101439</a></td> + <td>ID</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-14878</td> + <td>A-70237706<br /> + <a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=27f1c544d6737bcb3dc4bb114badcd47ce946a8b +">QC-CR#2064580</a> [<a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=2167cc91261a50bf145467f4d03c8730a0d23709 +">2</a>] [<a +href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=8952decf05939fad1cba625290ee7ae2ed528e12"> +3</a>]</td> + <td>DoS</td> + <td>High</td> + <td>Wireless network driver</td> + </tr> +</table> + + +<h3 id="qualcomm-closed-source-components">Qualcomm closed-source +components</h3> +<p>These vulnerabilities affect Qualcomm components and are described in +further detail in the appropriate Qualcomm AMSS security bulletin or security +alert. The severity assessment of these issues is provided directly by +Qualcomm.</p> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-17773</td> + <td>A-70221445 +QC-CR#2125554<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2016-10393</td> + <td>A-68326806 +QC-CR#1055934<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> +</table> + +<h2 id="common-questions-and-answers">Common questions and answers</h2> +<p> +This section answers common questions that may occur after reading this +bulletin.</p> +<p><strong>1. 
How do I determine if my device is updated to address these issues? +</strong></p> +<p>To learn how to check a device's security patch level, see +<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Check +and update your Android version</a>.</p> +<ul> +<li>Security patch levels of 2018-03-01 or later address all issues associated +with the 2018-03-01 security patch level.</li> +<li>Security patch levels of 2018-03-05 or later address all issues associated +with the 2018-03-05 security patch level and all previous patch levels.</li> +</ul> +<p> +Device manufacturers that include these updates should set the patch string +level to: +</p> +<ul> +<li>[ro.build.version.security_patch]:[2018-03-01]</li> +<li>[ro.build.version.security_patch]:[2018-03-05]</li> +</ul> +<p> +<strong>2. Why does this bulletin have two security patch levels?</strong> +</p> +<p> +This bulletin has two security patch levels so that Android partners have the +flexibility to fix a subset of vulnerabilities that are similar across all +Android devices more quickly. Android partners are encouraged to fix all issues +in this bulletin and use the latest security patch level. +</p> +<ul> +<li>Devices that use the 2018-03-01 security patch level must include all issues +associated with that security patch level, as well as fixes for all issues +reported in previous security bulletins.</li> +<li>Devices that use the security patch level of 2018-03-05 or newer must +include all applicable patches in this (and previous) security +bulletins.</li> +</ul> +<p> +Partners are encouraged to bundle the fixes for all issues they are addressing +in a single update. +</p> +<p id="type"> +<strong>3. What do the entries in the <em>Type</em> column mean?</strong> +</p> +<p> +Entries in the <em>Type</em> column of the vulnerability details table reference +the classification of the security vulnerability. 
+</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Abbreviation</th> + <th>Definition</th> + </tr> + <tr> + <td>RCE</td> + <td>Remote code execution</td> + </tr> + <tr> + <td>EoP</td> + <td>Elevation of privilege</td> + </tr> + <tr> + <td>ID</td> + <td>Information disclosure</td> + </tr> + <tr> + <td>DoS</td> + <td>Denial of service</td> + </tr> + <tr> + <td>N/A</td> + <td>Classification not available</td> + </tr> +</table> +<p> +<strong>4. What do the entries in the <em>References</em> column mean?</strong> +</p> +<p> +Entries under the <em>References</em> column of the vulnerability details table +may contain a prefix identifying the organization to which the reference value +belongs. +</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Prefix</th> + <th>Reference</th> + </tr> + <tr> + <td>A-</td> + <td>Android bug ID</td> + </tr> + <tr> + <td>QC-</td> + <td>Qualcomm reference number</td> + </tr> + <tr> + <td>M-</td> + <td>MediaTek reference number</td> + </tr> + <tr> + <td>N-</td> + <td>NVIDIA reference number</td> + </tr> + <tr> + <td>B-</td> + <td>Broadcom reference number</td> + </tr> +</table> +<p id="asterisk"> +<strong>5. What does a * next to the Android bug ID in the <em>References</em> +column mean?</strong> +</p> +<p> +Issues that are not publicly available have a * next to the Android bug ID in +the <em>References</em> column. The update for that issue is generally contained +in the latest binary drivers for Nexus devices available from the <a +href="https://developers.google.com/android/nexus/drivers">Google Developer +site</a>. +</p> +<p> +<strong>6. Why are security vulnerabilities split between this bulletin and +device/partner security bulletins, such as the Pixel / Nexus bulletin?</strong> +</p> +<p> +Security vulnerabilities that are documented in this security bulletin are +required in order to declare the latest security patch level on Android devices. 
+Additional security vulnerabilities that are documented in the device/partner +security bulletins are not required for declaring a security patch level. +Android device and chipset manufacturers are encouraged to document the presence +of other fixes on their devices through their own security websites, such as the +<a href="https://security.samsungmobile.com/securityUpdate.smsb">Samsung</a>, +<a href="https://lgsecurity.lge.com/security_updates.html">LGE</a>, or +<a href="/security/bulletin/pixel/">Pixel / Nexus</a> +security bulletins. +</p> +<h2 id="versions">Versions</h2> +<table> + <col width="25%"> + <col width="25%"> + <col width="50%"> + <tr> + <th>Version</th> + <th>Date</th> + <th>Notes</th> + </tr> + <tr> + <td>1.0</td> + <td>March 5, 2018</td> + <td>Bulletin published.</td> + </tr> +</table> +</body></html> + diff --git a/en/security/bulletin/2018.html b/en/security/bulletin/2018.html index b1b9ccc4..0df103d8 100644 --- a/en/security/bulletin/2018.html +++ b/en/security/bulletin/2018.html 
@@ -37,16 +37,30 @@ of all bulletins, see the <a href="/security/bulletin/index.html">Android Securi <th>Security patch level</th> </tr> <tr> - <td><a href="/security/bulletin/2018-02-01.html">February 2018</a></td> + <td><a href="/security/bulletin/2018-03-01.html">March 2018</a></td> <td>Coming soon <!-- + <a href="/security/bulletin/2018-03-01.html">English</a> / + <a href="/security/bulletin/2018-03-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/2018-03-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/2018-03-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/2018-03-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/2018-03-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>March 2018</td> + <td>2018-03-01<br> + 2018-03-05</td> + </tr> + <tr> + <td><a href="/security/bulletin/2018-02-01.html">February 2018</a></td> + <td> <a href="/security/bulletin/2018-02-01.html">English</a> / <a href="/security/bulletin/2018-02-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/2018-02-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/2018-02-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/2018-02-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/2018-02-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>February 2018</td> <td>2018-02-01<br> @@ -54,15 +68,13 @@ of all bulletins, see the <a href="/security/bulletin/index.html">Android Securi </tr> <tr> <td><a href="/security/bulletin/2018-01-01.html">January 2018</a></td> - <td>Coming soon - <!-- + <td> <a href="/security/bulletin/2018-01-01.html">English</a> / <a href="/security/bulletin/2018-01-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/2018-01-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/2018-01-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/2018-01-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/2018-01-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>January 2018</td> <td>2018-01-01<br> 
diff --git a/en/security/bulletin/index.html b/en/security/bulletin/index.html index e87d468b..4cbf4c3b 100644 --- a/en/security/bulletin/index.html +++ b/en/security/bulletin/index.html @@ -68,16 +68,30 @@ Android Open Source Project (AOSP), the upstream Linux kernel, and system-on-chi <th>Security patch level</th> </tr> <tr> - <td><a href="/security/bulletin/2018-02-01.html">February 2018</a></td> + <td><a href="/security/bulletin/2018-03-01.html">March 2018</a></td> <td>Coming soon <!-- + <a href="/security/bulletin/2018-03-01.html">English</a> / + <a href="/security/bulletin/2018-03-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/2018-03-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/2018-03-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/2018-03-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/2018-03-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>March 5, 2018</td> + <td>2018-03-01<br> + 2018-03-05</td> + </tr> + <tr> + <td><a href="/security/bulletin/2018-02-01.html">February 2018</a></td> + <td> <a href="/security/bulletin/2018-02-01.html">English</a> / <a href="/security/bulletin/2018-02-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/2018-02-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/2018-02-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/2018-02-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/2018-02-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>February 5, 2018</td> <td>2018-02-01<br> 
@@ -85,15 +99,13 @@ Android Open Source Project (AOSP), the upstream Linux kernel, and system-on-chi </tr> <tr> <td><a href="/security/bulletin/2018-01-01.html">January 2018</a></td> - <td>Coming soon - <!-- + <td> <a href="/security/bulletin/2018-01-01.html">English</a> / <a href="/security/bulletin/2018-01-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/2018-01-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/2018-01-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/2018-01-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/2018-01-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>January 2, 2018</td> <td>2018-01-01<br> diff --git a/en/security/bulletin/pixel/2018-03-01.html b/en/security/bulletin/pixel/2018-03-01.html new file mode 100644 index 00000000..0cfec04a --- /dev/null +++ b/en/security/bulletin/pixel/2018-03-01.html 
@@ -0,0 +1,704 @@ +<html devsite> + <head> + <title>Pixel / Nexus Security Bulletin—March 2018</title> + <meta name="project_path" value="/_project.yaml" /> + <meta name="book_path" value="/_book.yaml" /> + </head> + <body> + <!-- + Copyright 2018 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + //www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + + +<p><em>Published March 5, 2018</em></p> + +<p> +The Pixel / Nexus Security Bulletin contains details of security +vulnerabilities and functional improvements affecting +<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">supported +Google Pixel and Nexus devices</a> (Google devices). For Google devices, +security patch levels of 2018-03-05 or later address all issues in this +bulletin and all issues in the <a href="/security/bulletin/2018-03-01">March +2018 Android Security Bulletin</a>. To learn how to check a device's security +patch level, see <a href="https://support.google.com/pixelphone/answer/4457705">Check +and update your Android version</a>.</p> +<p> +All supported Google devices will receive an update to the 2018-03-05 patch +level. We encourage all customers to accept these updates to their devices. +</p> +<p class="note"> +<strong>Note:</strong> The Google device firmware images are available on the +<a href="https://developers.google.com/android/nexus/images">Google Developer +site</a>. 
+</p> + +<h2 id="announcements">Announcements</h2> +<p>In addition to the security vulnerabilities described in the +<a href="/security/bulletin/2018-03-01">March 2018 Android Security Bulletin</a>, +Google devices also contain patches for the security vulnerabilities +described below. Partners were notified of these issues at least a month ago +and may choose to incorporate them as part of their device updates.</p> + +<h2 id="security-patches">Security patches</h2> +<p> +Vulnerabilities are grouped under the component that they affect. There is a +description of the issue and a table with the CVE, associated references, +<a href="#type">type of vulnerability</a>, +<a href="https://source.android.com/security/overview/updates-resources.html#severity">severity</a>, +and updated Android Open Source Project (AOSP) versions (where applicable). When +available, we link the public change that addressed the issue to the bug ID, +like the AOSP change list. When multiple changes relate to a single bug, +additional references are linked to numbers following the bug ID. 
+</p> + +<h3 id="framework">Framework</h3> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2017-13263</td> + <td>A-69383160</td> + <td>EoP</td> + <td>Moderate</td> + <td>8.0, 8.1</td> + </tr> +</table> + + +<h3 id="media-framework">Media framework</h3> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td rowspan="2">CVE-2017-13264</td> + <td rowspan="2">A-70294343</td> + <td>NSI</td> + <td>NSI</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>DoS</td> + <td>High</td> + <td>6.0, 6.0.1</td> + </tr> + <tr> + <td rowspan="2">CVE-2017-13254</td> + <td rowspan="2">A-70239507</td> + <td>NSI</td> + <td>NSI</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>DoS</td> + <td>High</td> + <td>5.1.1, 6.0, 6.0.1</td> + </tr> +</table> + + +<h3 id="system">System</h3> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2017-13265</td> + <td>A-36232423</td> + <td>EoP</td> + <td>Moderate</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13266</td> + <td>A-69478941</td> + <td>EoP</td> + <td>Moderate</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13268</td> + <td>A-67058064</td> + <td>ID</td> + <td>Moderate</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2017-13269</td> + <td>A-68818034</td> + <td>ID</td> + <td>Moderate</td> + <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 
8.1</td> + </tr> +</table> + + +<h3 id="kernel-components">Kernel components</h3> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-5754</td> + <td>A-69856074<a href="#asterisk">*</a></td> + <td>ID</td> + <td>High</td> + <td>Memory mapping</td> + </tr> + <tr> + <td>CVE-2017-13270</td> + <td>A-69474744<a href="#asterisk">*</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Mnh_sm driver</td> + </tr> + <tr> + <td>CVE-2017-13271</td> + <td>A-69006799<a href="#asterisk">*</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Mnh_sm driver</td> + </tr> + <tr> + <td>CVE-2017-16527</td> + <td>A-69051382<br /> +<a href="https://github.com/torvalds/linux/commit/124751d5e63c823092060074bd0abaae61aaa9c4"> +Upstream kernel</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>USB sound driver</td> + </tr> + <tr> + <td>CVE-2017-15649</td> + <td>A-69160446<br /> +<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=008ba2a13f2d04c947adc536d19debb8fe66f110"> +Upstream kernel</a> +[<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4971613c1639d8e5f102c4e797c3bf8f83a5a69e">2</a>]</td> + <td>EoP</td> + <td>Moderate</td> + <td>Network driver</td> + </tr> + <tr> + <td>CVE-2017-1000111</td> + <td>A-68806121<br /> +<a href="http://patchwork.ozlabs.org/patch/800274/">Upstream kernel</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Network driver</td> + </tr> +</table> + + +<h3 id="nvidia-components">NVIDIA components</h3> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-6287</td> + <td>A-64893264<a href="#asterisk">*</a><br /> + N-CVE-2017-6287</td> + 
<td>ID</td> + <td>Moderate</td> + <td>Media framework</td> + </tr> + <tr> + <td>CVE-2017-6285</td> + <td>A-64893156<a href="#asterisk">*</a><br /> + N-CVE-2017-6285</td> + <td>ID</td> + <td>Moderate</td> + <td>Media framework</td> + </tr> + <tr> + <td>CVE-2017-6288</td> + <td>A-65482562<a href="#asterisk">*</a><br /> + N-CVE-2017-6288</td> + <td>ID</td> + <td>Moderate</td> + <td>Media framework</td> + </tr> +</table> + + +<h3 id="qualcomm-components">Qualcomm components</h3> + +<table> + <col width="17%"> + <col width="19%"> + <col width="9%"> + <col width="14%"> + <col width="39%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-18061</td> + <td>A-70237701<br /> +<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=b65cf2a007e88fe86dbd6d3269682fc585a4130f"> +QC-CR#2117246</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wil6210</td> + </tr> + <tr> + <td>CVE-2017-18050</td> + <td>A-70237697<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=63b57442d65dfdb4b4634ff32059b1bca8c72fb7"> +QC-CR#2119443</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wma management</td> + </tr> + <tr> + <td>CVE-2017-18054</td> + <td>A-70237694<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=6eefc756612e39fab49ff719b3dc9b94def53396"> +QC-CR#2119432</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wma</td> + </tr> + <tr> + <td>CVE-2017-18055</td> + <td>A-70237693<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=50a0554d12cff58b3ffbd51d3194304244b87023"> +QC-CR#2119430</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wma</td> + </tr> + <tr> + <td>CVE-2017-18065</td> + <td>A-70237685<br /> +<a 
href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=a8bc0f90ef49ea0aee90047a17772e4eebff259a"> +QC-CR#2113423</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wma</td> + </tr> + <tr> + <td>CVE-2017-18066</td> + <td>A-70235107<br /> +<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=ff11f44c0c10c94170f03a8698f73f7e08b74625"> +QC-CR#2107976</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Power driver</td> + </tr> + <tr> + <td>CVE-2017-18062</td> + <td>A-68992451<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=d7927eb7c9c2d79a3e24cddd1e9447ab98bf6700"> +QC-CR#2115375</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wma</td> + </tr> + <tr> + <td>CVE-2018-3561</td> + <td>A-68870904<a href="#asterisk">*</a><br /> + QC-CR#2068569</td> + <td>EoP</td> + <td>Moderate</td> + <td>Diagchar</td> + </tr> + <tr> + <td>CVE-2018-3560</td> + <td>A-68664502<a href="#asterisk">*</a><br /> + QC-CR#2142216</td> + <td>EoP</td> + <td>Moderate</td> + <td>Qdsp6v2 sound driver</td> + </tr> + <tr> + <td>CVE-2017-15834</td> + <td>A-70237704<br /> +<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=2e1b54e38f1516e70d9f6581c4f1ee935effb903"> +QC-CR#2111858</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Diagchar</td> + </tr> + <tr> + <td>CVE-2017-15833</td> + <td>A-70237702<br /> +<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=51ce6aec73d80e1f1fcc9c7fa71e9c2fcbdbc0fd"> +QC-CR#2059835</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Power driver</td> + </tr> + <tr> + <td>CVE-2017-15831</td> + <td>A-70237687<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=31e6a657320e4299c659e3d57d38a89afe8c1ce1"> +QC-CR#2114255</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wma</td> + </tr> + <tr> + <td>CVE-2017-15830</td> + <td>A-70237719<br /> +<a 
href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=8a7a2a9c5d203e3395811963061c79d3bc257ebe"> +QC-CR#2120725</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>sme driver</td> + </tr> + <tr> + <td>CVE-2017-14889</td> + <td>A-70237700<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=e11e9dc8298dc0632050cacce96e9652d017f755"> +QC-CR#2119803</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Wma</td> + </tr> + <tr> + <td>CVE-2017-14887</td> + <td>A-70237715<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=4ce28e7c85f89e2c3555ec840b6adda47bd5dab0"> +QC-CR#2119673</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-14879</td> + <td>A-63851638<a href="#asterisk">*</a><br /> + QC-CR#2056307</td> + <td>EoP</td> + <td>Moderate</td> + <td>IPA</td> + </tr> + <tr> + <td>CVE-2017-11082</td> + <td>A-66937387<br /> +<a href="https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-3.10.git;a=commit;h=2d4f8cd8d11f8fb1491a20d7e316cc0fd03eeb59"> +QC-CR#2071560</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-11074</td> + <td>A-68940798<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=f5ae7b35c90f14b7e66b3a91d4fb247563a8a22b"> +QC-CR#2049138</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18052</td> + <td>A-70237712<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=c04c4870bd86a5f878553d7acf207388f3d6c3bd"> +QC-CR#2119439</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18057</td> + <td>A-70237709<br /> +<a 
href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=24d41d2bd3d98325b3800345f4ba27a334b3894b"> +QC-CR#2119403</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18059</td> + <td>A-70237708<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=217705da7726002ffe61dad51a6c9cc97c52f649"> +QC-CR#2119399</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18060</td> + <td>A-70237707<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=f3d81bd0b3cb992c214d94196b33168b02589c6b"> +QC-CR#2119394</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18051</td> + <td>A-70237696<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=38fba6a9f6ca3c7bf0c4c1bd84fa2b89fbcaeb93"> +QC-CR#2119442</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18053</td> + <td>A-70237695<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=da1c6e996ac7635c202296e31118f088f9427947"> +QC-CR#2119434</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-18058</td> + <td>A-70237690<br /> +<a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=d6d42a10d4abf09299cdfacdd8aed5c26731b5ff"> +QC-CR#2119401</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-15855</td> + <td>A-38232131<a href="#asterisk">*</a><br /> + QC-CR#2139514</td> + <td>ID</td> + <td>Moderate</td> + <td>Camera_v2 driver</td> + </tr> + <tr> + <td>CVE-2017-15814</td> + <td>A-64836865<a href="#asterisk">*</a><br /> + QC-CR#2092793</td> + <td>ID</td> + <td>Moderate</td> + <td>Camera_v2 
driver</td> + </tr> +</table> + +<h2 id="functional-updates">Functional updates</h2> +<p> +These updates are included for affected Pixel devices to address functionality +issues not related to the security of Pixel devices. The table includes +associated references; the affected category, such as Bluetooth or mobile data; +and a summary of the issue. +</p> + +<table> + <tr> + <th>References</th> + <th>Category</th> + <th>Improvements</th> + <th>Devices</th> + </tr> + <tr> + <td>A-70491468</td> + <td>Performance</td> + <td>Improve screen wake performance with fingerprint unlock</td> + <td>Pixel 2, Pixel 2 XL</td> + </tr> + <tr> + <td>A-69307875</td> + <td>Audio</td> + <td>Improve audio performance when recording video</td> + <td>Pixel 2 XL</td> + </tr> + <tr> + <td>A-70641186</td> + <td>Reporting</td> + <td>Improve crash reporting</td> + <td>Pixel 2, Pixel 2 XL</td> + </tr> +</table> + +<h2 id="common-questions-and-answers">Common questions and answers</h2> +<p> +This section answers common questions that may occur after reading this +bulletin. +</p> +<p> +<strong>1. How do I determine if my device is updated to address these issues? +</strong> +</p> +<p> +Security patch levels of 2018-03-05 or later address all issues associated with +the 2018-03-05 security patch level and all previous patch levels. To learn how +to check a device's security patch level, read the instructions on the +<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel +and Nexus update schedule</a>. +</p> +<p id="type"> +<strong>2. What do the entries in the <em>Type</em> column mean?</strong> +</p> +<p> +Entries in the <em>Type</em> column of the vulnerability details table reference +the classification of the security vulnerability. 
+</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Abbreviation</th> + <th>Definition</th> + </tr> + <tr> + <td>RCE</td> + <td>Remote code execution</td> + </tr> + <tr> + <td>EoP</td> + <td>Elevation of privilege</td> + </tr> + <tr> + <td>ID</td> + <td>Information disclosure</td> + </tr> + <tr> + <td>DoS</td> + <td>Denial of service</td> + </tr> + <tr> + <td>N/A</td> + <td>Classification not available</td> + </tr> +</table> +<p> +<strong>3. What do the entries in the <em>References</em> column mean?</strong> +</p> +<p> +Entries under the <em>References</em> column of the vulnerability details table +may contain a prefix identifying the organization to which the reference value +belongs. +</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Prefix</th> + <th>Reference</th> + </tr> + <tr> + <td>A-</td> + <td>Android bug ID</td> + </tr> + <tr> + <td>QC-</td> + <td>Qualcomm reference number</td> + </tr> + <tr> + <td>M-</td> + <td>MediaTek reference number</td> + </tr> + <tr> + <td>N-</td> + <td>NVIDIA reference number</td> + </tr> + <tr> + <td>B-</td> + <td>Broadcom reference number</td> + </tr> +</table> +<p id="asterisk"> +<strong>4. What does a * next to the Android bug ID in the <em>References</em> +column mean?</strong> +</p> +<p> +Issues that are not publicly available have a * next to the Android bug ID in +the <em>References</em> column. The update for that issue is generally contained +in the latest binary drivers for Nexus devices available from the +<a href="https://developers.google.com/android/nexus/drivers">Google Developer +site</a>. +</p> +<p> +<strong>5. Why are security vulnerabilities split between this bulletin and the +Android Security Bulletins?</strong> +</p> +<p> +Security vulnerabilities that are documented in the Android Security Bulletins +are required in order to declare the latest security patch level on Android +devices. 
Additional security vulnerabilities, such as those documented in this +bulletin, are not required for declaring a security patch level. +</p> +<h2 id="versions">Versions</h2> +<table> + <col width="25%"> + <col width="25%"> + <col width="50%"> + <tr> + <th>Version</th> + <th>Date</th> + <th>Notes</th> + </tr> + <tr> + <td>1.0</td> + <td>March 5, 2018</td> + <td>Bulletin published.</td> + </tr> +</table> + +</body></html> + + diff --git a/en/security/bulletin/pixel/2018.html b/en/security/bulletin/pixel/2018.html index 8ead20bd..a7dfa4b4 100644 --- a/en/security/bulletin/pixel/2018.html +++ b/en/security/bulletin/pixel/2018.html 
@@ -39,31 +39,42 @@ Bulletins</a> homepage.</p> <th>Security patch level</th> </tr> <tr> - <td><a href="/security/bulletin/pixel/2018-02-01.html">February 2018</a></td> + <td><a href="/security/bulletin/pixel/2018-03-01.html">March 2018</a></td> <td>Coming soon <!-- + <a href="/security/bulletin/pixel/2018-03-01.html">English</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>March 2018</td> + <td>2018-03-05</td> + </tr> + <tr> + <td><a href="/security/bulletin/pixel/2018-02-01.html">February 2018</a></td> + <td> <a href="/security/bulletin/pixel/2018-02-01.html">English</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>February 2018</td> <td>2018-02-05</td> </tr> <tr> <td><a href="/security/bulletin/pixel/2018-01-01.html">January 2018</a></td> - <td>Coming soon - <!-- + <td> <a href="/security/bulletin/pixel/2018-01-01.html">English</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>January 2018</td> <td>2018-01-05</td> 
diff --git a/en/security/bulletin/pixel/index.html b/en/security/bulletin/pixel/index.html index 08183ad4..4a018ab9 100644 --- a/en/security/bulletin/pixel/index.html +++ b/en/security/bulletin/pixel/index.html 
@@ -59,31 +59,42 @@ AOSP 24–48 hours after the Pixel / Nexus bulletin is release <th>Security patch level</th> </tr> <tr> - <td><a href="/security/bulletin/pixel/2018-02-01.html">February 2018</a></td> + <td><a href="/security/bulletin/pixel/2018-03-01.html">March 2018</a></td> <td>Coming soon <!-- + <a href="/security/bulletin/pixel/2018-03-01.html">English</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/pixel/2018-03-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>March 5, 2018</td> + <td>2018-03-05</td> + </tr> + <tr> + <td><a href="/security/bulletin/pixel/2018-02-01.html">February 2018</a></td> + <td> <a href="/security/bulletin/pixel/2018-02-01.html">English</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/pixel/2018-02-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>February 5, 2018</td> <td>2018-02-05</td> </tr> <tr> <td><a href="/security/bulletin/pixel/2018-01-01.html">January 2018</a></td> - <td>Coming soon - <!-- + <td> <a href="/security/bulletin/pixel/2018-01-01.html">English</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=ru">ру́сский</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=zh-cn">中文 (中国)</a> / <a href="/security/bulletin/pixel/2018-01-01.html?hl=zh-tw">中文 (台灣)</a> - --> </td> <td>January 2, 2018</td> <td>2018-01-05</td> 
diff --git a/en/security/overview/acknowledgements.html b/en/security/overview/acknowledgements.html index f9f73b0e..9d1250fd 100644 --- a/en/security/overview/acknowledgements.html +++ b/en/security/overview/acknowledgements.html 
@@ -38,6 +38,105 @@ Rewards</a> program.</p> acknowledgements were listed together.</p> +<h4 id="mar-2018">March</h4> + + + <table> + <col width="70%"> + <col width="30%"> + <tr> + <th>Researchers</th> + <th>CVEs</th> + </tr> + <tr> + <td>Billy Lau of Google</td> + <td>CVE-2017-14879</td> + </tr> + <tr> + <td>Daniel Micay of Copperhead Security</td> + <td>CVE-2017-13265</td> + </tr> + <tr> + <td><a href="mailto:shaodacheng2016@gmail.com">Dacheng Shao</a> and Mingjian +Zhou (周明建)</td> + <td>CVE-2017-6288</td> + </tr> + <tr> + <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-13254</td> + </tr> + <tr> + <td>Jake Corina of Shellphish Grill Team</td> + <td>CVE-2018-3560</td> + </tr> + <tr> + <td>Jianjun Dai (<a href="https://twitter.com/jioun_dai">@Jioun_dai</a>) and +Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-13266, CVE-2017-13256, CVE-2017-13255</td> + </tr> + <tr> + <td>Julian Rauchberger</td> + <td>CVE-2017-13258</td> + </tr> + <tr> + <td>Hongli Han (<a href="https://twitter.com/hexb1n">@hexb1n</a>), <a +href="mailto:shaodacheng2016@gmail.com">Dacheng Shao</a>, and Mingjian Zhou +(周明建) (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) of <a +href="http://c0reteam.org">C0RE Team</a></td> + <td>CVE-2017-6287</td> + </tr> + <tr> + <td>Hongli Han (<a href="https://twitter.com/HexB1n">@HexB1n</a>) and +Mingjian Zhou (周明建)(<a +href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) of <a +href="http://c0reteam.org">C0RE Team</a></td> + <td>CVE-2017-6286, CVE-2017-6285, CVE-2017-6281</td> + </tr> + <tr> + <td>Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), Lenx Wei (韦韬) of Baidu X-Lab +(百度安全实验室)</td> + <td>CVE-2017-13262, CVE-2017-13261, CVE-2017-13260, CVE-2017-11029, +CVE-2017-15814</td> + </tr> + <tr> + <td>Peter Pi of Tencent Security Platform Department</td> + <td>CVE-2017-13269</td> + </tr> + <tr> + <td>Tamir Zahavi-Brunner (<a +href="https://twitter.com/tamir_zb">@tamir_zb</a>) of 
Zimperium zLabs Team</td> + <td>CVE-2017-13253</td> + </tr> + <tr> + <td>Vasily Vasiliev</td> + <td>CVE-2017-13249, CVE-2017-13248, CVE-2017-13264</td> + </tr> + <tr> + <td>Wish Wu (<a href=" https://twitter.com/wish_wu">@wish_wu</a> <a +href="http://www.weibo.com/wishlinux">吴潍浠</a> 此彼) of Ant-financial Light-Year +Security Lab</td> + <td>CVE-2017-13259, CVE-2017-13272</td> + </tr> + <tr> + <td>Yaoguang Chen of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)</td> + <td>CVE-2017-13257, CVE-2017-13268</td> + </tr> + <tr> + <td>Yonggang Guo (<a href="https://twitter.com/guoygang">@guoygang</a>) of +IceSword Lab, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-13271</td> + </tr> + <tr> + <td>ZhangBo of Tencent Security Platform Department</td> + <td>CVE-2017-18069</td> + </tr> + <tr> + <td><a href="http://weibo.com/ele7enxxh">Zinuo Han</a> from Chengdu Security +Response Center of Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-13252, CVE-2017-13251, CVE-2018-3561</td> + </tr> +</table> + <h4 id="feb-2018">February</h4> <table> diff --git a/en/setup/build-numbers.html b/en/setup/build-numbers.html index 10f50cd5..16623580 100644 --- a/en/setup/build-numbers.html +++ b/en/setup/build-numbers.html @@ -214,6 +214,24 @@ site:</p> </thead> <tbody> <tr> + <td>OPM5.171019.017</td> + <td>android-8.1.0_r18</td> + <td>Oreo</td> + <td>Nexus 5X, Nexus 6P</td> + </tr> + <tr> + <td>OPM3.171019.016</td> + <td>android-8.1.0_r17</td> + <td>Oreo</td> + <td>Nexus 5X, Nexus 6P</td> + </tr> + <tr> + <td>OPM1.171019.021</td> + <td>android-8.1.0_r15</td> + <td>Oreo</td> + <td>Pixel 2 XL, Pixel 2, Pixel XL, Pixel</td> + </tr> + <tr> <td>OPM5.171019.015</td> <td>android-8.1.0_r14</td> <td>Oreo</td> diff --git a/en/setup/code-style.html b/en/setup/code-style.html index 3ea5a439..dbb9887f 100644 --- a/en/setup/code-style.html +++ b/en/setup/code-style.html 
@@ -388,12 +388,8 @@ pattern without extra engineering effort.</p> <p>IDEs can follow the style.</p> </li> </ul> -<p>The use and location of static imports have been mildly controversial -issues. Some people prefer static imports to be interspersed with the -remaining imports, while some prefer them to reside above or below all -other imports. Additionally, we have not yet determined how to make all IDEs use -the same ordering. Since many consider this a low priority issue, just use your -judgement and be consistent.</p> +<p>Put static imports above all the other imports ordered the same way as +regular imports.</p> <h3 id="use-spaces-for-indentation">Use Spaces for Indentation</h3> <p>We use four (4) space indents for blocks and never tabs. When in doubt, be |
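Review bot: In the new file en/security/bulletin/pixel/2018-03-01.html, the Media framework table uses NSI in both the Type and Severity columns (the 7.0 through 8.1 rows for CVE-2017-13264 and CVE-2017-13254), but the abbreviation table under question 2 defines only RCE, EoP, ID, DoS and N/A. Add an NSI row to that table, or use a value that is already defined there, so a reader can tell what those two rows mean. Separately, the Functional updates paragraph says the table includes references, category and a summary, while the table also has a Devices column; mention it in the paragraph.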
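Review bot: In the en/security/overview/acknowledgements.html hunk, the Wish Wu row has a stray leading space inside the link target, `<a href=" https://twitter.com/wish_wu">`; remove it so the attribute holds only the URL. The two Hongli Han rows are also inconsistent with each other: the handle is written @hexb1n in one and @HexB1n in the other, and the second row has no space between "(周明建)" and the link that follows. Pick one spelling and spacing for both rows.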
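Review bot: The replacement sentence in the en/setup/code-style.html hunk is ambiguous without a comma: "ordered the same way as regular imports" can be read as describing "all the other imports" rather than the static imports. Suggest "Put static imports above all other imports, ordered the same way as regular imports." so the ordering rule clearly applies to the static imports themselves.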