diff options
| author | Android Partner Docs <noreply@android.com> | 2018-07-02 22:04:20 -0700 |
|---|---|---|
| committer | Clay Murphy <claym@google.com> | 2018-07-02 22:54:25 -0700 |
| commit | ae1a64f7c44664473c34f98bd1cf7f73308e5690 (patch) | |
| tree | 16e1c81c8fcc762e3ed21fd67f59cf0d64d3be5c /en | |
| parent | 0f8b4d96661fce8e3d83deaa0283b6745e5fcf0f (diff) | |
| download | source.android.com-ae1a64f7c44664473c34f98bd1cf7f73308e5690.tar.gz | |
Docs: Changes to source.android.com
- 203064863 Devsite localized content from translation request 946904. by Android Partner Docs <noreply@android.com>
- 203031181 Add 2018-07 tags. by Android Partner Docs <noreply@android.com>
- 202968884 July 2018 Android and Pixel bulletins by Danielle Roberts <daroberts@google.com>
- 202968311 Devsite localized content from translation request 946303. by Android Partner Docs <noreply@android.com>
- 202968298 Devsite localized content from translation request 941622. by Android Partner Docs <noreply@android.com>
- 202968290 Devsite localized content from translation request 946301. by Android Partner Docs <noreply@android.com>
- 202658249 Devsite localized content from translation request 940578. by Android Partner Docs <noreply@android.com>
PiperOrigin-RevId: 203064863
Change-Id: I26b77840ecd900e26a274cd59fe3c686778fd81e
Diffstat (limited to 'en')
| -rw-r--r-- | en/security/_toc.yaml | 4 | ||||
| -rw-r--r-- | en/security/bulletin/2018-07-01.html | 698 | ||||
| -rw-r--r-- | en/security/bulletin/2018.html | 16 | ||||
| -rw-r--r-- | en/security/bulletin/index.html | 17 | ||||
| -rw-r--r-- | en/security/bulletin/pixel/2018-07-01.html | 509 | ||||
| -rw-r--r-- | en/security/bulletin/pixel/2018.html | 17 | ||||
| -rw-r--r-- | en/security/bulletin/pixel/index.html | 15 | ||||
| -rw-r--r-- | en/security/overview/acknowledgements.html | 206 | ||||
| -rw-r--r-- | en/setup/start/build-numbers.html | 42 |
9 files changed, 1440 insertions, 84 deletions
diff --git a/en/security/_toc.yaml b/en/security/_toc.yaml index bb9d4e02..f21fb735 100644 --- a/en/security/_toc.yaml +++ b/en/security/_toc.yaml @@ -47,6 +47,8 @@ toc: section: - title: 2018 Bulletins section: + - title: July + path: /security/bulletin/2018-07-01 - title: June path: /security/bulletin/2018-06-01 - title: May @@ -137,6 +139,8 @@ toc: path: /security/bulletin/pixel/index - title: 2018 Bulletins section: + - title: July + path: /security/bulletin/pixel/2018-07-01 - title: June path: /security/bulletin/pixel/2018-06-01 - title: May diff --git a/en/security/bulletin/2018-07-01.html b/en/security/bulletin/2018-07-01.html new file mode 100644 index 00000000..c368b104 --- /dev/null +++ b/en/security/bulletin/2018-07-01.html @@ -0,0 +1,698 @@ +<html devsite> + <head> + <title>Android Security Bulletin—July 2018</title> + <meta name="project_path" value="/_project.yaml" /> + <meta name="book_path" value="/_book.yaml" /> + </head> + <body> + <!-- + Copyright 2018 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + //www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> +<p><em>Published July 2, 2018</em></p> + +<p> +The Android Security Bulletin contains details of security vulnerabilities +affecting Android devices. Security patch levels of 2018-07-05 or later address +all of these issues. To learn how to check a device's security patch level, see +<a href="https://support.google.com/pixelphone/answer/4457705">Check and update +your Android version</a>. +</p> +<p> +Android partners are notified of all issues at least a month before publication. +Source code patches for these issues will be released to the Android Open Source +Project (AOSP) repository in the next 48 hours. We will revise this bulletin +with the AOSP links when they are available. +</p> +<p> +The most severe of these issues is a critical security vulnerability in Media +framework that could enable a remote attacker using a specially crafted file to +execute arbitrary code within the context of a privileged process. The +<a href="/security/overview/updates-resources.html#severity">severity +assessment</a> is based on the effect that exploiting the vulnerability would +possibly have on an affected device, assuming the platform and service +mitigations are turned off for development purposes or if successfully bypassed. +</p> +<p> +We have had no reports of active customer exploitation or abuse of these newly +reported issues. Refer to the +<a href="#mitigations">Android and Google Play Protect mitigations</a> +section for details on the +<a href="/security/enhancements/index.html">Android security platform protections</a> +and Google Play Protect, which improve the security of the Android platform. +</p> +<p class="note"> +<strong>Note:</strong> Information on the latest over-the-air update (OTA) and +firmware images for Google devices is available in the +<a href="/security/bulletin/pixel/2018-07-01.html">July 2018 +Pixel / Nexus Security Bulletin</a>. +</p> + +<h2 id="mitigations">Android and Google service mitigations</h2> +<p> +This is a summary of the mitigations provided by the +<a href="/security/enhancements/index.html">Android security platform</a> +and service protections such as +<a href="https://www.android.com/play-protect">Google Play Protect</a>. +These capabilities reduce the likelihood that security vulnerabilities +could be successfully exploited on Android. +</p> +<ul> +<li>Exploitation for many issues on Android is made more difficult by +enhancements in newer versions of the Android platform. We encourage all users +to update to the latest version of Android where possible.</li> +<li>The Android security team actively monitors for abuse through +<a href="https://www.android.com/play-protect">Google Play Protect</a> +and warns users about +<a href="/security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially +Harmful Applications</a>. Google Play Protect is enabled by default on devices +with <a href="http://www.android.com/gms">Google Mobile Services</a>, and is +especially important for users who install apps from outside of Google +Play.</li> +</ul> +<h2 id="2018-07-01-details">2018-07-01 security patch level vulnerability details</h2> +<p> +In the sections below, we provide details for each of the security +vulnerabilities that apply to the 2018-07-01 patch level. Vulnerabilities are +grouped under the component that they affect. There is a description of the +issue and a table with the CVE, associated references, +<a href="#type">type of vulnerability</a>, +<a href="/security/overview/updates-resources.html#severity">severity</a>, +and updated AOSP versions (where applicable). When available, we link the public +change that addressed the issue to the bug ID, like the AOSP change list. When +multiple changes relate to a single bug, additional references are linked to +numbers following the bug ID. +</p> + +<h3 id="framework">Framework</h3> +<p>The most severe vulnerability in this section could enable a remote attacker +using a specially crafted pac file to execute arbitrary code within the context +of a privileged process.</p> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2018-9433</td> + <td>A-38196219</td> + <td>RCE</td> + <td>Critical</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2</td> + </tr> + <tr> + <td>CVE-2018-9410</td> + <td>A-77822336</td> + <td>ID</td> + <td>High</td> + <td>8.0, 8.1</td> + </tr> +</table> + + +<h3 id="media-framework">Media framework</h3> +<p>The most severe vulnerability in this section could enable a remote attacker +using a specially crafted file to execute arbitrary code within the context of +a privileged process.</p> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2018-9411</td> + <td>A-79376389</td> + <td>RCE</td> + <td>Critical</td> + <td>8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9424</td> + <td>A-76221123</td> + <td>EoP</td> + <td>High</td> + <td>8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9428</td> + <td>A-74122779</td> + <td>EoP</td> + <td>High</td> + <td>8.1</td> + </tr> + <tr> + <td>CVE-2018-9412</td> + <td>A-78029004</td> + <td>DoS</td> + <td>High</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9421</td> + <td>A-77237570</td> + <td>ID</td> + <td>High</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> +</table> + + +<h3 id="system">System</h3> +<p>The most severe vulnerability in this section could enable a remote attacker +using a specially crafted file to execute arbitrary code within the context of +a privileged process.</p> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2018-9365</td> + <td>A-74121126</td> + <td>RCE</td> + <td>Critical</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9432</td> + <td>A-73173182</td> + <td>EoP</td> + <td>High</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9420</td> + <td>A-77238656</td> + <td>ID</td> + <td>High</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9419</td> + <td>A-74121659</td> + <td>ID</td> + <td>High</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> +</table> + + +<h2 id="2018-07-05-details">2018-07-05 security patch level vulnerability details</h2> +<p> +In the sections below, we provide details for each of the security +vulnerabilities that apply to the 2018-07-05 patch level. Vulnerabilities are +grouped under the component that they affect and include details such as the +CVE, associated references, <a href="#type">type of vulnerability</a>, +<a href="/security/overview/updates-resources.html#severity">severity</a>, +component (where applicable), and updated AOSP versions (where applicable). When +available, we link the public change that addressed the issue to the bug ID, +like the AOSP change list. When multiple changes relate to a single bug, +additional references are linked to numbers following the bug ID. +</p> + +<h3 id="kernel-components">Kernel components</h3> +<p>The most severe vulnerability in this section could enable a local malicious +application to execute arbitrary code within the context of a privileged +process.</p> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2018-5703</td> + <td>A-73543437<br> + <a href="https://patchwork.ozlabs.org/patch/801530/">Upstream kernel</a></td> + <td>EoP</td> + <td>High</td> + <td>IPV6 stack</td> + </tr> + <tr> + <td>CVE-2018-9422</td> + <td>A-74250718<br> + <a href="https://patchwork.kernel.org/patch/8265111/">Upstream kernel</a></td> + <td>EoP</td> + <td>High</td> + <td>futex</td> + </tr> + <tr> + <td>CVE-2018-9417</td> + <td>A-74447444*<br> + Upstream kernel<a href="#asterisk">*</a></td> + <td>EoP</td> + <td>High</td> + <td>USB driver</td> + </tr> + <tr> + <td>CVE-2018-6927</td> + <td>A-76106267<br> + <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a">Upstream kernel</a></td> + <td>EoP</td> + <td>High</td> + <td>futex</td> + </tr> +</table> + + +<h3 id="qualcomm-components">Qualcomm components</h3> +<p>The most severe vulnerability in this section could enable a proximate +attacker using a specially crafted file to execute arbitrary code within the +context of a privileged process.</p> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> +<tr> + <td>CVE-2018-5872</td> + <td>A-77528138<br> + <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=7d65c1b32df795d4e95cdf2cfb624126f5125220">QC-CR#2183014</a></td> + <td>RCE</td> + <td>Critical</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2018-5855</td> + <td>A-77527719<br> + <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=61f4a467177afc23bdc1944ec61e52bed156c104">QC-CR#2181685</a></td> + <td>ID</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2017-13077, CVE-2017-13078</td> + <td>A-78285557<br> + <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=5c671a69c57ce4fd84f0eaf082b336a49d0cf5dd">QC-CR#2133114</a></td> + <td>ID</td> + <td>High</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2018-5873</td> + <td>A-77528487<br> + <a href="https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=34742aaf7cb16c95edba4a7afed6d2c4fa7e434b">QC-CR#2166382</a></td> + <td>EoP</td> + <td>High</td> + <td>nsfs</td> + </tr> + <tr> + <td>CVE-2018-5838</td> + <td>A-63146462<a href="#asterisk">*</a><br> + QC-CR#2151011</td> + <td>EoP</td> + <td>High</td> + <td>OpenGL ES driver</td> + </tr> + <tr> + <td>CVE-2018-3586</td> + <td>A-63165135<a href="#asterisk">*</a><br> + QC-CR#2139538<br> + QC-CR#2073777</td> + <td>RCE</td> + <td>High</td> + <td>ADSPRPC heap manager</td> + </tr> +</table> + + +<h3 id="qualcomm-closed-source-components">Qualcomm closed-source components</h3> +<p>These vulnerabilities affect Qualcomm components and are described in +further detail in the appropriate Qualcomm AMSS security bulletin or security +alert. The severity assessment of these issues is provided directly by Qualcomm.</p> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2017-18171</td> + <td>A-78240792<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18277</td> + <td>A-78240715<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18172</td> + <td>A-78240449<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18170</td> + <td>A-78240612<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-15841</td> + <td>A-78240794<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18173</td> + <td>A-78240199<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18278</td> + <td>A-78240071<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2016-2108</td> + <td>A-78240736<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18275</td> + <td>A-78242049<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18279</td> + <td>A-78241971<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18274</td> + <td>A-78241834<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18276</td> + <td>A-78241375<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2017-18131</td> + <td>A-68989823<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-11259</td> + <td>A-72951265<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-11258</td> + <td>A-72951054<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-11257</td> + <td>A-74235874<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-5837</td> + <td>A-74236406<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-5876</td> + <td>A-77485022<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-5875</td> + <td>A-77485183<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-5874</td> + <td>A-77485139<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>Critical</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-5882</td> + <td>A-77483830<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> + <tr> + <td>CVE-2018-5878</td> + <td>A-77484449<a href="#asterisk">*</a></td> + <td>N/A</td> + <td>High</td> + <td>Closed-source component</td> + </tr> +</table> + +<h2 id="common-questions-and-answers">Common questions and answers</h2> +<p>This section answers common questions that may occur after reading this bulletin.</p> +<p><strong>1. How do I determine if my device is updated to address these issues?</strong></p> +<p>To learn how to check a device's security patch level, see +<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Check +and update your Android version</a>.</p> +<ul> +<li>Security patch levels of 2018-07-01 or later address all issues associated +with the 2018-07-01 security patch level.</li> +<li>Security patch levels of 2018-07-05 or later address all issues associated +with the 2018-07-05 security patch level and all previous patch levels.</li> +</ul> +<p>Device manufacturers that include these updates should set the patch string level to:</p> +<ul> + <li>[ro.build.version.security_patch]:[2018-07-01]</li> + <li>[ro.build.version.security_patch]:[2018-07-05]</li> +</ul> +<p><strong>2. Why does this bulletin have two security patch levels?</strong></p> +<p> +This bulletin has two security patch levels so that Android partners have the +flexibility to fix a subset of vulnerabilities that are similar across all +Android devices more quickly. Android partners are encouraged to fix all issues +in this bulletin and use the latest security patch level. +</p> +<ul> +<li>Devices that use the 2018-07-01 security patch level must include all issues +associated with that security patch level, as well as fixes for all issues +reported in previous security bulletins.</li> +<li>Devices that use the security patch level of 2018-07-05 or newer must +include all applicable patches in this (and previous) security +bulletins.</li> +</ul> +<p> +Partners are encouraged to bundle the fixes for all issues they are addressing +in a single update. +</p> +<p id="type"> +<strong>3. What do the entries in the <em>Type</em> column mean?</strong> +</p> +<p> +Entries in the <em>Type</em> column of the vulnerability details table reference +the classification of the security vulnerability. +</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Abbreviation</th> + <th>Definition</th> + </tr> + <tr> + <td>RCE</td> + <td>Remote code execution</td> + </tr> + <tr> + <td>EoP</td> + <td>Elevation of privilege</td> + </tr> + <tr> + <td>ID</td> + <td>Information disclosure</td> + </tr> + <tr> + <td>DoS</td> + <td>Denial of service</td> + </tr> + <tr> + <td>N/A</td> + <td>Classification not available</td> + </tr> +</table> +<p> +<strong>4. What do the entries in the <em>References</em> column mean?</strong> +</p> +<p> +Entries under the <em>References</em> column of the vulnerability details table +may contain a prefix identifying the organization to which the reference value belongs. +</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Prefix</th> + <th>Reference</th> + </tr> + <tr> + <td>A-</td> + <td>Android bug ID</td> + </tr> + <tr> + <td>QC-</td> + <td>Qualcomm reference number</td> + </tr> + <tr> + <td>M-</td> + <td>MediaTek reference number</td> + </tr> + <tr> + <td>N-</td> + <td>NVIDIA reference number</td> + </tr> + <tr> + <td>B-</td> + <td>Broadcom reference number</td> + </tr> +</table> +<p id="asterisk"> +<strong>5. What does a * next to the Android bug ID in the <em>References</em> +column mean?</strong> +</p> +<p> +Issues that are not publicly available have a * next to the Android bug ID in +the <em>References</em> column. The update for that issue is generally contained +in the latest binary drivers for Pixel / Nexus devices available from the +<a href="https://developers.google.com/android/drivers">Google Developer site</a>. +</p> +<p> +<strong>6. Why are security vulnerabilities split between this bulletin and +device/partner security bulletins, such as the Pixel / Nexus bulletin?</strong> +</p> +<p> +Security vulnerabilities that are documented in this security bulletin are +required in order to declare the latest security patch level on Android devices. +Additional security vulnerabilities that are documented in the +device / partner security bulletins are not required for declaring +a security patch level. Android device and chipset manufacturers are encouraged +to document the presence of other fixes on their devices through their own security +websites, such as the +<a href="https://security.samsungmobile.com/securityUpdate.smsb">Samsung</a>, +<a href="https://lgsecurity.lge.com/security_updates.html">LGE</a>, or +<a href="/security/bulletin/pixel/">Pixel / Nexus</a> +security bulletins. +</p> +<h2 id="versions">Versions</h2> +<table> + <col width="25%"> + <col width="25%"> + <col width="50%"> + <tr> + <th>Version</th> + <th>Date</th> + <th>Notes</th> + </tr> + <tr> + <td>1.0</td> + <td>July 2, 2018</td> + <td>Bulletin published.</td> + </tr> +</table> +</body></html> + diff --git a/en/security/bulletin/2018.html b/en/security/bulletin/2018.html index 5fc185d6..23d7f45f 100644 --- a/en/security/bulletin/2018.html +++ b/en/security/bulletin/2018.html @@ -37,6 +37,22 @@ of all bulletins, see the <a href="/security/bulletin/index.html">Android Securi <th>Security patch level</th> </tr> <tr> + <td><a href="/security/bulletin/2018-07-01.html">July 2018</a></td> + <td>Coming soon + <!-- + <a href="/security/bulletin/2018-07-01.html">English</a> / + <a href="/security/bulletin/2018-07-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/2018-07-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/2018-07-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/2018-07-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/2018-07-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>July 2, 2018</td> + <td>2018-07-01<br> + 2018-07-05</td> + </tr> + <tr> <td><a href="/security/bulletin/2018-06-01.html">June 2018</a></td> <td> <a href="/security/bulletin/2018-06-01.html">English</a> / diff --git a/en/security/bulletin/index.html b/en/security/bulletin/index.html index 17d6cc2e..68baf356 100644 --- a/en/security/bulletin/index.html +++ b/en/security/bulletin/index.html @@ -69,6 +69,22 @@ Android Open Source Project (AOSP), the upstream Linux kernel, and system-on-chi <th>Security patch level</th> </tr> <tr> + <td><a href="/security/bulletin/2018-07-01.html">July 2018</a></td> + <td>Coming soon + <!-- + <a href="/security/bulletin/2018-07-01.html">English</a> / + <a href="/security/bulletin/2018-07-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/2018-07-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/2018-07-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/2018-07-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/2018-07-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>July 2, 2018</td> + <td>2018-07-01<br> + 2018-07-05</td> + </tr> + <tr> <td><a href="/security/bulletin/2018-06-01.html">June 2018</a></td> <td> <a href="/security/bulletin/2018-06-01.html">English</a> / @@ -81,6 +97,7 @@ Android Open Source Project (AOSP), the upstream Linux kernel, and system-on-chi <td>June 4, 2018</td> <td>2018-06-01<br> 2018-06-05</td> + </tr> <tr> <td><a href="/security/bulletin/2018-05-01.html">May 2018</a></td> <td> diff --git a/en/security/bulletin/pixel/2018-07-01.html b/en/security/bulletin/pixel/2018-07-01.html new file mode 100644 index 00000000..9adab9c2 --- /dev/null +++ b/en/security/bulletin/pixel/2018-07-01.html @@ -0,0 +1,509 @@ +<html devsite> + <head> + <title>Pixel / Nexus Security Bulletin—July 2018</title> + <meta name="project_path" value="/_project.yaml" /> + <meta name="book_path" value="/_book.yaml" /> + </head> + <body> + <!-- + Copyright 2018 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + //www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> + +<p><em>Published July 2, 2018</em></p> + +<p> +The Pixel / Nexus Security Bulletin contains details of security +vulnerabilities and functional improvements affecting +<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">supported +Google Pixel and Nexus devices</a> (Google devices). +For Google devices, security patch levels of 2018-07-05 or later address all +issues in this bulletin and all issues in the July 2018 Android Security +Bulletin. To learn how to check a device's security patch level, see +<a href="https://support.google.com/pixelphone/answer/4457705">Check & update your +Android version</a>. +</p> +<p> +All supported Google devices will receive an update to the 2018-07-05 patch +level. We encourage all customers to accept these updates to their devices. +</p> +<p class="note"> +<strong>Note:</strong> The Google device firmware images are available on the +<a href="https://developers.google.com/android/images">Google Developer +site</a>. +</p> + +<h2 id="announcements">Announcements</h2> +<p>In addition to the security vulnerabilities described in the July 2018 +Android Security Bulletin, Pixel and Nexus devices also contain patches for the +security vulnerabilities described below. Partners were notified of these issues +at least a month ago and may choose to incorporate them as part of their device +updates.</p> + +<h2 id="security-patches">Security patches</h2> +<p> +Vulnerabilities are grouped under the component that they affect. There is a +description of the issue and a table with the CVE, associated references, +<a href="#type">type of vulnerability</a>, +<a href="https://source.android.com/security/overview/updates-resources.html#severity">severity</a>, +and updated Android Open Source Project (AOSP) versions (where applicable). When +available, we link the public change that addressed the issue to the bug ID, +like the AOSP change list. When multiple changes relate to a single bug, +additional references are linked to numbers following the bug ID. +</p> + +<h3 id="framework">Framework</h3> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2018-9426</td> + <td>A-79148652</td> + <td>ID</td> + <td>Moderate</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9376</td> + <td>A-69981755</td> + <td>EoP</td> + <td>Moderate</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9434</td> + <td>A-29833520</td> + <td>ID</td> + <td>Moderate</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> +</table> + + +<h3 id="media-framework">Media framework</h3> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2018-9429</td> + <td>A-73927042</td> + <td>ID</td> + <td>Moderate</td> + <td>8.1</td> + </tr> + <tr> + <td>CVE-2018-9423</td> + <td>A-77599438</td> + <td>ID</td> + <td>Moderate</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> +</table> + + +<h3 id="system">System</h3> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Updated AOSP versions</th> + </tr> + <tr> + <td>CVE-2018-9413</td> + <td>A-73782082</td> + <td>RCE</td> + <td>Moderate</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9418</td> + <td>A-73824150</td> + <td>RCE</td> + <td>Moderate</td> + <td>7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9430</td> + <td>A-73963551</td> + <td>RCE</td> + <td>Moderate</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9414</td> + <td>A-78787521</td> + <td>EoP</td> + <td>Moderate</td> + <td>6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1</td> + </tr> + <tr> + <td>CVE-2018-9431</td> + <td>A-77600924</td> + <td>EoP</td> + <td>Moderate</td> + <td>8.0, 8.1</td> + </tr> +</table> + + +<h3 id="kernel-components">Kernel components</h3> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2018-9416</td> + <td>A-75300370<a href="#asterisk">*</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>SCSI driver</td> + </tr> + + <tr> + <td>CVE-2018-9415</td> + <td>A-69129004<br> + <a href="https://patchwork.kernel.org/patch/9946759/">Upstream kernel</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>AMBA driver</td> + </tr> + + <tr> + <td>CVE-2018-7995</td> + <td>A-77694092<br> +<a href="https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=b3b7c4795ccab5be71f080774c45bbbcc75c2aaf">Upstream kernel</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>mcheck</td> + </tr> + + <tr> + <td>CVE-2018-1065</td> + <td>A-76206188<br> +<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=57ebd808a97d7c5b1e1afb937c2db22beba3c1f8">Upstream kernel</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>netfilter</td> + </tr> + + <tr> + <td>CVE-2017-1821</td> + <td>A-76874268<br> +<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2">Upstream kernel</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Ethernet</td> + </tr> + + <tr> + <td>CVE-2017-1000</td> + <td>A-68806309<br> +<a href="https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa">Upstream kernel</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Linux kernel</td> + </tr> +</table> + + +<h3 id="qualcomm-components">Qualcomm components</h3> + +<table> + <col width="21%"> + <col width="21%"> + <col width="14%"> + <col width="14%"> + <col width="30%"> + <tr> + <th>CVE</th> + <th>References</th> + <th>Type</th> + <th>Severity</th> + <th>Component</th> + </tr> + <tr> + <td>CVE-2018-5865</td> + <td>A-77528512<br> + <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=8fb4202e3bb8cfbbb9f9f0e8695891c9971cfcc2">QC-CR#2179937</a></td> + <td>ID</td> + <td>Moderate</td> + <td>fwlog</td> + </tr> + <tr> + <td>CVE-2018-5864</td> + <td>A-77528805<br> + <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=9c042f7827e0d21e5b93c04b418bca0230de91dc">QC-CR#2170392</a></td> + <td>ID</td> + <td>Moderate</td> + <td>WMA</td> + </tr> + <tr> + <td>CVE-2018-11304</td> + <td>A-73242483<a href="#asterisk">*</a><br> + QC-CR#2209291</td> + <td>EoP</td> + <td>Moderate</td> + <td>Sound driver</td> + </tr> + <tr> + <td>CVE-2018-5907</td> + <td>A-72710411<a href="#asterisk">*</a><br> + QC-CR#2209291</td> + <td>EoP</td> + <td>Moderate</td> + <td>sound driver</td> + </tr> + <tr> + <td>CVE-2018-5862</td> + <td>A-77528300<br> + <a href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=41ad3f76792e08a84962a0b8e9cfb1ba6c4c9ca6">QC-CR#2153343</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>WLAN</td> + </tr> + <tr> + <td>CVE-2018-5859</td> + <td>A-77527701<br> + <a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=36400a7fa3753028a3bf89a9cdb28c5e25693c59">QC-CR#2146486</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>Video driver</td> + </tr> + <tr> + <td>CVE-2018-5858</td> + <td>A-77528653<br> + <a href="https://source.codeaurora.org/quic/la/platform/vendor/opensource/audio-kernel/commit/?id=78193fa06b267c1d6582e5e6f9fb779cf067015e">QC-CR#2174725</a> + [<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=cd1f0cdd4715e8eae4066bd34df2eef4cf94bd7f">2</a>]</td> + <td>EoP</td> + <td>Moderate</td> + <td>Audio</td> + </tr> + <tr> + <td>CVE-2018-3570</td> + <td>A-72956998<br> + <a href="https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=5f3b521525689671f2925a49121d0abe28a0a398">QC-CR#2149165</a></td> + <td>EoP</td> + <td>Moderate</td> + <td>cpuidle driver</td> + </tr> + <tr> + <td>CVE-2017-15851</td> + <td>A-38258851<a href="#asterisk">*</a><br> + QC-CR#2078155</td> + <td>EoP</td> + <td>Moderate</td> + <td>Camerav2</td> + </tr> + <tr> + <td>CVE-2017-0606</td> + <td>A-34088848<a href="#asterisk">*</a><br> + QC-CR#2148210<br> + QC-CR#2022490</td> + <td>EoP</td> + <td>Moderate</td> + <td>/dev/voice_svc driver</td> + </tr> +</table> + +<h2 id="functional-patches">Functional patches</h2> +<p> +These updates are included for affected Pixel devices to address functionality +issues not related to the security of Pixel devices. The table includes +associated references; the affected category, such as Bluetooth or mobile data; +improvements; and affected devices. +</p> + +<table> + <tr> + <th>References</th> + <th>Category</th> + <th>Improvements</th> + <th>Devices</th> + </tr> + <tr> + <td>A-73204553</td> + <td>Connectivity</td> + <td>Improve consistency of Wi-Fi connections with certain routers</td> + <td>Pixel 2, Pixel 2 XL</td> + </tr> +</table> + +<h2 id="common-questions-and-answers">Common questions and answers</h2> +<p> +This section answers common questions that may occur after reading this +bulletin. +</p> +<p> +<strong>1. How do I determine if my device is updated to address these issues? +</strong> +</p> +<p> +Security patch levels of 2018-07-05 or later address all issues associated with +the 2018-07-05 security patch level and all previous patch levels. To learn how +to check a device's security patch level, read the instructions on the <a +href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel +and Nexus update schedule</a>. +</p> +<p id="type"> +<strong>2. What do the entries in the <em>Type</em> column mean?</strong> +</p> +<p> +Entries in the <em>Type</em> column of the vulnerability details table reference +the classification of the security vulnerability. +</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Abbreviation</th> + <th>Definition</th> + </tr> + <tr> + <td>RCE</td> + <td>Remote code execution</td> + </tr> + <tr> + <td>EoP</td> + <td>Elevation of privilege</td> + </tr> + <tr> + <td>ID</td> + <td>Information disclosure</td> + </tr> + <tr> + <td>DoS</td> + <td>Denial of service</td> + </tr> + <tr> + <td>N/A</td> + <td>Classification not available</td> + </tr> +</table> +<p> +<strong>3. What do the entries in the <em>References</em> column mean?</strong> +</p> +<p> +Entries under the <em>References</em> column of the vulnerability details table +may contain a prefix identifying the organization to which the reference value +belongs. +</p> +<table> + <col width="25%"> + <col width="75%"> + <tr> + <th>Prefix</th> + <th>Reference</th> + </tr> + <tr> + <td>A-</td> + <td>Android bug ID</td> + </tr> + <tr> + <td>QC-</td> + <td>Qualcomm reference number</td> + </tr> + <tr> + <td>M-</td> + <td>MediaTek reference number</td> + </tr> + <tr> + <td>N-</td> + <td>NVIDIA reference number</td> + </tr> + <tr> + <td>B-</td> + <td>Broadcom reference number</td> + </tr> +</table> +<p id="asterisk"> +<strong>4. What does a * next to the Android bug ID in the <em>References</em> +column mean?</strong> +</p> +<p> +Issues that are not publicly available have a * next to the Android bug ID in +the <em>References</em> column. The update for that issue is generally contained +in the latest binary drivers for Pixel / Nexus devices available +from the <a href="https://developers.google.com/android/nexus/drivers">Google +Developer site</a>. +</p> +<p> +<strong>5. Why are security vulnerabilities split between this bulletin and the +Android Security Bulletins?</strong> +</p> +<p> +Security vulnerabilities that are documented in the Android Security Bulletins +are required in order to declare the latest security patch level on Android +devices. Additional security vulnerabilities, such as those documented in this +bulletin are not required for declaring a security patch level. +</p> +<h2 id="versions">Versions</h2> +<table> + <col width="25%"> + <col width="25%"> + <col width="50%"> + <tr> + <th>Version</th> + <th>Date</th> + <th>Notes</th> + </tr> + <tr> + <td>1.0</td> + <td>July 2, 2018</td> + <td>Bulletin published.</td> + </tr> +</table> + + </body> +</html> + diff --git a/en/security/bulletin/pixel/2018.html b/en/security/bulletin/pixel/2018.html index f78661eb..f41c9438 100644 --- a/en/security/bulletin/pixel/2018.html +++ b/en/security/bulletin/pixel/2018.html @@ -39,6 +39,21 @@ Bulletins</a> homepage.</p> <th>Security patch level</th> </tr> <tr> + <td><a href="/security/bulletin/pixel/2018-07-01.html">July 2018</a></td> + <td>Coming soon + <!-- + <a href="/security/bulletin/pixel/2018-07-01.html">English</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>July 2, 2018</td> + <td>2018-07-05</td> + </tr> + <tr> <td><a href="/security/bulletin/pixel/2018-06-01.html">June 2018</a></td> <td> <a href="/security/bulletin/pixel/2018-06-01.html">English</a> / @@ -84,9 +99,7 @@ Bulletins</a> homepage.</p> <a href="/security/bulletin/pixel/2018-03-01.html?hl=ja">日本語</a> / <a href="/security/bulletin/pixel/2018-03-01.html?hl=ko">한국어</a> / <a href="/security/bulletin/pixel/2018-03-01.html?hl=ru">ру́сский</a> / - <!-- <a href="/security/bulletin/pixel/2018-03-01.html?hl=zh-cn">中文 (中国)</a> / - --> <a href="/security/bulletin/pixel/2018-03-01.html?hl=zh-tw">中文 (台灣)</a> </td> <td>March 2018</td> diff --git a/en/security/bulletin/pixel/index.html b/en/security/bulletin/pixel/index.html index 3d7100a8..146f4b33 100644 --- a/en/security/bulletin/pixel/index.html +++ b/en/security/bulletin/pixel/index.html @@ -59,6 +59,21 @@ AOSP 24–48 hours after the Pixel / Nexus bulletin is release <th>Security patch level</th> </tr> <tr> + <td><a href="/security/bulletin/pixel/2018-07-01.html">July 2018</a></td> + <td>Coming soon + <!-- + <a href="/security/bulletin/pixel/2018-07-01.html">English</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=ja">日本語</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=ko">한국어</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=ru">ру́сский</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=zh-cn">中文 (中国)</a> / + <a href="/security/bulletin/pixel/2018-07-01.html?hl=zh-tw">中文 (台灣)</a> + --> + </td> + <td>July 2, 2018</td> + <td>2018-07-05</td> + </tr> + <tr> <td><a href="/security/bulletin/pixel/2018-06-01.html">June 2018</a></td> <td> <a href="/security/bulletin/pixel/2018-06-01.html">English</a> / diff --git a/en/security/overview/acknowledgements.html b/en/security/overview/acknowledgements.html index a3934fee..5db2794e 100644 --- a/en/security/overview/acknowledgements.html +++ b/en/security/overview/acknowledgements.html @@ -37,6 +37,85 @@ Rewards</a> program.</p> <p>In 2018, the security acknowledgements are listed by month. In prior years, acknowledgements were listed together.</p> +<h4 id="july-2018">July</h4> + <table> + <col width="70%"> + <col width="30%"> + <tr> + <th>Researchers</th> + <th>CVEs</th> + </tr> + <tr> + <td>Baozeng Ding (丁保增) + (<a href="https://twitter.com/sploving1">@sploving</a>) + of Pandora Lab, Ali Security</td> + <td>CVE-2018-9422</td> + </tr> + <tr> + <td>Billy Lau of Android Security Research</td> + <td>CVE-2018-9416</td> + </tr> + <tr> + <td>Cusas of L.O. Team</td> + <td>CVE-2018-9412</td> + </tr> + <tr> + <td>En He (<a href="https://twitter.com/heeeeen4x">@heeeeen4x</a>) and + Bo Liu of <a href="http://www.ms509.com">MS509Team</a></td> + <td>CVE-2018-9432, CVE-2018-9414</td> + </tr> + <tr> + <td>Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-9433</td> + </tr> + <tr> + <td>Jann Horn of Google Project Zero</td> + <td>CVE-2018-9434</td> + </tr> + <tr> + <td>Jianjun Dai (<a href="https://twitter.com/Jioun_dai">@Jioun_dai</a>) and + Guang Gong (<a href="https://twitter.com/oldfresher">@oldfresher</a>) + of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-9418, CVE-2018-9413, CVE-2018-9365</td> + </tr> + <tr> + <td>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>) + of Tesla's Product Security Team</td> + <td>CVE-2017-0606</td> + </tr> + <tr> + <td>niky1235 (<a href="mailto:jiych.guru@gmail.com">jiych.guru@gmail.com</a>, + <a href="https://twitter.com/jiych_guru">@jiych_guru</a>)</td> + <td>CVE-2018-9423</td> + </tr> + <tr> + <td>Scott Bauer + (<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>)</td> + <td>CVE-2018-9430</td> + </tr> + <tr> + <td>Tamir Zahavi-Brunner + <a href="https://twitter.com/tamir_zb">(@tamir_zb</a>) + of Zimperium zLabs Team</td> + <td>CVE-2018-9411</td> + </tr> + <tr> + <td>Tencent Blade Team</td> + <td>CVE-2018-9421, CVE-2018-9420</td> + </tr> + <tr> + <td>Yonggang Guo (<a href="https://twitter.com/guoygang">@guoygang</a>) + of IceSword Lab, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-9415</td> + </tr> + <tr> + <td>Zinuo Han (<a href="http://weibo.com/ele7enxxh">weibo.com/ele7enxxh</a>) + of Chengdu Security Response Center, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-9410, CVE-2018-9424, CVE-2018-9431</td> + </tr> +</table> + + <h4 id="june-2018">June</h4> <table> <col width="70%"> @@ -46,32 +125,26 @@ acknowledgements were listed together.</p> <th>CVEs</th> </tr> <tr> - <td>Baozeng Ding (丁保增) (<a href="https://twitter.com/sploving1">@sploving1</a>), - Pandora Lab of Ali Security - </td> - <td>CVE-2018-5857, CVE-2018-9389 - </td> + <td>Baozeng Ding (丁保增) (<a href="https://twitter.com/sploving1">@sploving1</a>) + of Pandora Lab, Ali Security</td> + <td>CVE-2018-5857, CVE-2018-9389</td> </tr> <tr> - <td>Daniel Kachakil of IOActive - </td> - <td>CVE-2018-9375 - </td> + <td>Daniel Kachakil of IOActive</td> + <td>CVE-2018-9375</td> </tr> <tr> - <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. Ltd. - </td> - <td>CVE-2018-9348 - </td> + <td>Elphet and Gong Guang of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2018-9348</td> </tr> <tr> <td>Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd.</td> - <td>CVE-2018-5899 - </td> + <td>CVE-2018-5899</td> </tr> <tr> - <td>Jianjun Dai (<a href="https://twitter.com/Jioun_dai">@Jioun_dai</a>) and Guang Gong - (<a href="https://twitter.com/oldfresher">@oldfresher</a>) of Alpha Team,<br /> + <td>Jianjun Dai (<a href="https://twitter.com/Jioun_dai">@Jioun_dai</a>) + and Guang Gong + (<a href="https://twitter.com/oldfresher">@oldfresher</a>) of Alpha Team, Qihoo 360 Technology Co. Ltd</td> <td>CVE-2018-9381, CVE-2018-9358,<br /> CVE-2018-9359, CVE-2018-9360,<br /> @@ -79,110 +152,79 @@ acknowledgements were listed together.</p> CVE-2018-9356</td> </tr> <tr> - <td>joe0x20@gmail.com - </td> - <td>CVE-2018-5898 - </td> + <td>joe0x20@gmail.com</td> + <td>CVE-2018-5898</td> </tr> <tr> <td><a href="https://www.linkedin.com/in/jose-maria-ariel-martinez-juarez-7910a189/"> - Jose Martinez</a> - </td> - <td>CVE-2018-5146 - </td> + Jose Martinez</a></td> + <td>CVE-2018-5146</td> </tr> <tr> - <td>Julien Thomas (<a href="https://twitter.com/julien_thomas">@Julien_Thomas</a>) of - <a href="http://protektoid.com/">Protektoid.com</a> - </td> - <td>CVE-2018-9374 - </td> + <td>Julien Thomas (<a href="https://twitter.com/julien_thomas">@Julien_Thomas</a>) + of <a href="http://protektoid.com/">Protektoid.com</a></td> + <td>CVE-2018-9374</td> </tr> <tr> - <td><a href="https://github.com/michalbednarski">Michał Bednarski</a> - </td> - <td>CVE-2018-9339 - </td> + <td><a href="https://github.com/michalbednarski">Michał Bednarski</a></td> + <td>CVE-2018-9339</td> </tr> <tr> <td>Mingjian Zhou (周明建) - (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) - of C0RE Team - </td> - <td>CVE-2018-9344 - </td> + (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) + of C0RE Team</td> + <td>CVE-2018-9344</td> </tr> <tr> - <td>Niky1235 (<a href="https://twitter.com/jiych_guru">@jiych_guru</a>) - </td> - <td>CVE-2017-13230, CVE-2018-9347 - </td> + <td>Niky1235 (<a href="https://twitter.com/jiych_guru">@jiych_guru</a>)</td> + <td>CVE-2017-13230, CVE-2018-9347</td> </tr> <tr> <td>Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), and Lenx Wei (韦韬)<br /> - of Baidu X-Lab (百度安全实验室) - </td> - <td>CVE-2018-5832 - </td> + of Baidu X-Lab (百度安全实验室)</td> + <td>CVE-2018-5832</td> </tr> <tr> - <td>Qing Dong of 360 Beaconlab - </td> - <td>CVE-2018-9386 - </td> + <td>Qing Dong of 360 Beaconlab</td> + <td>CVE-2018-9386</td> </tr> <tr> - <td>Scott Bauer (<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>) - </td> + <td>Scott Bauer (<a href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>)</td> <td>CVE-2018-9388, CVE-2018-9355,<br /> - CVE-2018-9380 - </td> + CVE-2018-9380</td> </tr> <tr> <td><a href="https://github.com/stze">Stephan Zeisberg</a> of - <a href="https://srlabs.de/">Security Research Labs</a> - </td> + <a href="https://srlabs.de/">Security Research Labs</a></td> <td>CVE-2018-9350, CVE-2018-9352,<br /> - CVE-2018-9353, CVE-2018-9341 - </td> + CVE-2018-9353, CVE-2018-9341</td> </tr> <tr> - <td>Tencent Blade Team - </td> - <td>CVE-2018-9345, CVE-2018-9346 - </td> + <td>Tencent Blade Team</td> + <td>CVE-2018-9345, CVE-2018-9346</td> </tr> <tr> - <td>Yonggang Guo (<a href="https://twitter.com/guoygang">@guoygang</a>) - of IceSword Lab, Qihoo 360 Technology Co. Ltd. - </td> - <td>CVE-2017-0564 - </td> + <td>Yonggang Guo (<a href="https://twitter.com/guoygang">@guoygang</a>) + of IceSword Lab, Qihoo 360 Technology Co. Ltd.</td> + <td>CVE-2017-0564</td> </tr> <tr> - <td>Yuan-Tsung Lo of C0RE Team - </td> - <td>CVE-2017-13079, CVE-2017-13081 - </td> + <td>Yuan-Tsung Lo of C0RE Team</td> + <td>CVE-2017-13079, CVE-2017-13081</td> </tr> <tr> - <td>华为移动安全实验室的钱育波 - </td> - <td>CVE-2018-9363 - </td> + <td>华为移动安全实验室的钱育波</td> + <td>CVE-2018-9363</td> </tr> <tr> <td>Zinuo Han of Chengdu Security Response Center, - Qihoo 360 Technology Co. Ltd. - </td> + Qihoo 360 Technology Co. Ltd.</td> <td>CVE-2018-9340, CVE-2018-9338,<br /> - CVE-2018-9378 - </td> + CVE-2018-9378</td> </tr> </table> - - <h4 id="may-2018">May</h4> +<h4 id="may-2018">May</h4> <table> <col width="70%"> <col width="30%"> diff --git a/en/setup/start/build-numbers.html b/en/setup/start/build-numbers.html index 842d8f1a..13536d4e 100644 --- a/en/setup/start/build-numbers.html +++ b/en/setup/start/build-numbers.html @@ -235,6 +235,48 @@ following table. </thead> <tbody> <tr> + <td>OPM6.171019.030.E1</td> + <td>android-8.1.0_r41</td> + <td>Oreo</td> + <td>Nexus 5X and Nexus 6P</td> + </tr> + <tr> + <td>OPM4.171019.021.R1</td> + <td>android-8.1.0_r40</td> + <td>Oreo</td> + <td>Pixel 2 XL</td> + </tr> + <tr> + <td>OPM4.171019.021.Q1</td> + <td>android-8.1.0_r39</td> + <td>Oreo</td> + <td>Pixel 2</td> + </tr> + <tr> + <td>OPM4.171019.021.P1</td> + <td>android-8.1.0_r38</td> + <td>Oreo</td> + <td>Pixel, Pixel XL</td> + </tr> + <tr> + <td>OPM4.171019.021.N1</td> + <td>android-8.1.0_r37</td> + <td>Oreo</td> + <td>Pixel C</td> + </tr> + <tr> + <td>OPM2.171026.006.H1</td> + <td>android-8.1.0_r36</td> + <td>Oreo</td> + <td>Pixel 2 XL</td> + </tr> + <tr> + <td>OPM2.171026.006.G1</td> + <td>android-8.1.0_r35</td> + <td>Oreo</td> + <td>Pixel 2</td> + </tr> + <tr> <td>OPM6.171019.030.B1</td> <td>android-8.1.0_r33</td> <td>Oreo</td> |