From a3fbd262a4c93880822f89f27ec1ed9c53d9c840 Mon Sep 17 00:00:00 2001
From: Danielle Roberts <daroberts@google.com>
Date: Thu, 2 Mar 2017 17:03:14 -0800
Subject: Docs: March 2017 Security bulletin

Test: make online-sac-docs 13
Bug: 35634522
Change-Id: Id3a2907e648e6a71e83243845138ff55e056105a
---
 src/security/bulletin/2017-03-01.jd       | 3159 +++++++++++++++++++++++++++++
 src/security/bulletin/index.jd            |    8 +
 src/security/overview/acknowledgements.jd |   69 +-
 src/security/security_toc.cs              |    1 +
 4 files changed, 3233 insertions(+), 4 deletions(-)
 create mode 100644 src/security/bulletin/2017-03-01.jd

diff --git a/src/security/bulletin/2017-03-01.jd b/src/security/bulletin/2017-03-01.jd
new file mode 100644
index 00000000..064eebd9
--- /dev/null
+++ b/src/security/bulletin/2017-03-01.jd
@@ -0,0 +1,3159 @@
+page.title=Android Security Bulletin—March 2017
+@jd:body
+
+<!--
+    Copyright 2016 The Android Open Source Project
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<p><em>Published March 06, 2017</em></p>
+<p>The Android Security Bulletin contains details of security vulnerabilities
+affecting Android devices. Alongside the bulletin, we have released a security
+update to Google devices through an over-the-air (OTA) update. The Google device
+firmware images have also been released to the <a
+href="https://developers.google.com/android/nexus/images">Google Developer
+site</a>. Security patch levels of March 05, 2017 or later address all of these
+issues. Refer to the <a
+href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
+and Nexus update schedule</a> to learn how to check a device's security patch
+level.</p>
+<p>Partners were notified of the issues described in the bulletin on February 06,
+2017 or earlier. Source code patches for these issues have been released to the
+Android Open Source Project (AOSP) repository and linked from this bulletin.
+This bulletin also includes links to patches outside of AOSP.</p>
+<p>The most severe of these issues is a Critical security vulnerability that could
+enable remote code execution on an affected device through multiple methods such
+as email, web browsing, and MMS when processing media files.</p>
+<p>We have had no reports of active customer exploitation or abuse of these newly
+reported issues. Refer to the <a
+href="#mitigations">Android and Google service
+mitigations</a> section for details on the <a
+href="{@docRoot}security/enhancements/index.html">Android
+security platform protections</a> and service protections such as <a
+href="https://developer.android.com/training/safetynet/index.html">SafetyNet</a>,
+which improve the security of the Android platform.</p>
+<p>We encourage all customers to accept these updates to their devices.</p>
+<h2 id="announcements">Announcements</h2>
+<ul>
+<li>This bulletin has two security patch level strings to provide Android
+partners with the flexibility to more quickly fix a subset of vulnerabilities
+that are similar across all Android devices. See <a
+href="#common-questions-and-answers">Common questions and answers</a> for
+additional information:
+<ul>
+ <li><strong>2017-03-01</strong>: Partial security patch level string. This
+security patch level string indicates that all issues associated with 2017-03-01
+(and all previous security patch level strings) are addressed.</li>
+ <li><strong>2017-03-05</strong>: Complete security patch level string. This
+security patch level string indicates that all issues associated with 2017-03-01
+and 2017-03-05 (and all previous security patch level strings) are addressed.</li>
+</ul>
+</li>
+<li>Supported Google devices will receive a single OTA update with the March
+05, 2017 security patch level.</li>
+</ul>
+<h2 id="security-vulnerability-summary">Security vulnerability summary</h2>
+<p>The tables below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), the assessed severity, and whether or not
+Google devices are affected. The <a
+href="{@docRoot}security/overview/updates-resources.html#severity">severity
+assessment</a> is based on the effect that exploiting the vulnerability would
+possibly have on an affected device, assuming the platform and service
+mitigations are disabled for development purposes or if successfully bypassed.</p>
+<h3 id="2017-03-01-summary">2017-03-01
+security patch level—Vulnerability summary</h3>
+<p>Security patch levels of 2017-03-01 or later must address the following issues.</p>
+<table>
+  <col width="55%">
+  <col width="20%">
+  <col width="13%">
+  <col width="12%">
+  <tr>
+   <th>Issue</th>
+   <th>CVE</th>
+   <th>Severity</th>
+   <th>Affects Google devices?</th>
+  </tr>
+  <tr>
+   <td>Remote code execution vulnerability in OpenSSL & BoringSSL</td>
+   <td>CVE-2016-2182</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Remote code execution vulnerability in Mediaserver</td>
+   <td>CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469,
+CVE-2017-0470, CVE-2017-0471, CVE-2017-0472, CVE-2017-0473, CVE-2017-0474</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in recovery verifier</td>
+   <td>CVE-2017-0475</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Remote code execution vulnerability in AOSP Messaging</td>
+   <td>CVE-2017-0476</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Remote code execution vulnerability in libgdx</td>
+   <td>CVE-2017-0477</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Remote code execution vulnerability in Framesequence library</td>
+   <td>CVE-2017-0478</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Audioserver</td>
+   <td>CVE-2017-0479, CVE-2017-0480</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in NFC</td>
+   <td>CVE-2017-0481</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Denial of service vulnerability in Mediaserver</td>
+   <td>CVE-2017-0482, CVE-2017-0483, CVE-2017-0484, CVE-2017-0485,
+CVE-2017-0486, CVE-2017-0487, CVE-2017-0488</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Update: Denial of service vulnerability in Mediaserver</td>
+   <td>CVE-2017-0390</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Update: Denial of service vulnerability in Mediaserver</td>
+   <td>CVE-2017-0392</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Location Manager</td>
+   <td>CVE-2017-0489</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Wi-Fi</td>
+   <td>CVE-2017-0490</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Package Manager</td>
+   <td>CVE-2017-0491</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in System UI</td>
+   <td>CVE-2017-0492</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in AOSP Messaging</td>
+   <td>CVE-2017-0494</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Mediaserver</td>
+   <td>CVE-2017-0495</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Denial of service vulnerability in Setup Wizard</td>
+   <td>CVE-2017-0496</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Denial of service vulnerability in Mediaserver</td>
+   <td>CVE-2017-0497</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Denial of service vulnerability in Setup Wizard</td>
+   <td>CVE-2017-0498</td>
+   <td>Moderate</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Denial of service vulnerability in Audioserver</td>
+   <td>CVE-2017-0499</td>
+   <td>Low</td>
+   <td>Yes</td>
+  </tr>
+</table>
+<p>* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+<h3 id="2017-03-05-summary">2017-03-05
+security patch level—Vulnerability summary</h3>
+<p>Security patch levels of 2017-03-05 or later must address all of the 2017-03-01
+issues, as well as the following issues.</p>
+<table>
+  <col width="55%">
+  <col width="20%">
+  <col width="13%">
+  <col width="12%">
+  <tr>
+   <th>Issue</th>
+   <th>CVE</th>
+   <th>Severity</th>
+   <th>Affects Google devices?</th>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in MediaTek components</td>
+   <td>CVE-2017-0500, CVE-2017-0501, CVE-2017-0502, CVE-2017-0503,
+CVE-2017-0504, CVE-2017-0505, CVE-2017-0506</td>
+   <td>Critical</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in NVIDIA GPU driver</td>
+   <td>CVE-2017-0337, CVE-2017-0338, CVE-2017-0333, CVE-2017-0306, CVE-2017-0335</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in kernel ION subsystem</td>
+   <td>CVE-2017-0507, CVE-2017-0508</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Broadcom Wi-Fi driver</td>
+   <td>CVE-2017-0509</td>
+   <td>Critical</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in kernel FIQ debugger</td>
+   <td>CVE-2017-0510</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm GPU driver</td>
+   <td>CVE-2016-8479</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in kernel networking subsystem</td>
+   <td>CVE-2016-9806, CVE-2016-10200</td>
+   <td>Critical</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Vulnerabilities in Qualcomm components</td>
+   <td>CVE-2016-8484, CVE-2016-8485, CVE-2016-8486, CVE-2016-8487, CVE-2016-8488</td>
+   <td>Critical</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in kernel networking subsystem</td>
+   <td>CVE-2016-8655, CVE-2016-9793</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm input hardware driver</td>
+   <td>CVE-2017-0516</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in MediaTek Hardware Sensor Driver</td>
+   <td>CVE-2017-0517</td>
+   <td>High</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm ADSPRPC driver</td>
+   <td>CVE-2017-0457</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm fingerprint sensor
+driver</td>
+   <td>CVE-2017-0518, CVE-2017-0519</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm crypto engine driver</td>
+   <td>CVE-2017-0520</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm camera driver</td>
+   <td>CVE-2017-0458, CVE-2017-0521</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in MediaTek APK</td>
+   <td>CVE-2017-0522</td>
+   <td>High</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm Wi-Fi driver</td>
+   <td>CVE-2017-0464, CVE-2017-0453, CVE-2017-0523</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Synaptics touchscreen driver</td>
+   <td>CVE-2017-0524</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm IPA driver</td>
+   <td>CVE-2017-0456, CVE-2017-0525</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in HTC Sensor Hub Driver</td>
+   <td>CVE-2017-0526, CVE-2017-0527</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in NVIDIA GPU driver</td>
+   <td>CVE-2017-0307</td>
+   <td>High</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm networking driver</td>
+   <td>CVE-2017-0463, CVE-2017-0460</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in kernel security subsystem</td>
+   <td>CVE-2017-0528</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm SPCom driver</td>
+   <td>CVE-2016-5856, CVE-2016-5857</td>
+   <td>High</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in kernel networking subsystem</td>
+   <td>CVE-2014-8709</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in MediaTek driver</td>
+   <td>CVE-2017-0529</td>
+   <td>High</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Qualcomm bootloader</td>
+   <td>CVE-2017-0455</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Qualcomm power driver</td>
+   <td>CVE-2016-8483</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in NVIDIA GPU driver</td>
+   <td>CVE-2017-0334, CVE-2017-0336</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Denial of service vulnerability in kernel cryptographic subsystem</td>
+   <td>CVE-2016-8650</td>
+   <td>High</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Elevation of privilege vulnerability in Qualcomm camera driver (device
+specific)</td>
+   <td>CVE-2016-8417</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Qualcomm Wi-Fi driver</td>
+   <td>CVE-2017-0461, CVE-2017-0459, CVE-2017-0531</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in MediaTek video codec driver</td>
+   <td>CVE-2017-0532</td>
+   <td>Moderate</td>
+   <td>No*</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Qualcomm video driver</td>
+   <td>CVE-2017-0533, CVE-2017-0534, CVE-2016-8416, CVE-2016-8478</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Qualcomm camera driver</td>
+   <td>CVE-2016-8413, CVE-2016-8477</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in HTC sound codec driver</td>
+   <td>CVE-2017-0535</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Synaptics touchscreen driver</td>
+   <td>CVE-2017-0536</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in kernel USB gadget driver</td>
+   <td>CVE-2017-0537</td>
+   <td>Moderate</td>
+   <td>Yes</td>
+  </tr>
+  <tr>
+   <td>Information disclosure vulnerability in Qualcomm camera driver</td>
+   <td>CVE-2017-0452</td>
+   <td>Low</td>
+   <td>Yes</td>
+  </tr>
+</table>
+<p>* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+<h2 id="mitigations">Android and Google service
+mitigations</h2>
+<p>This is a summary of the mitigations provided by the <a
+href="{@docRoot}security/enhancements/index.html">Android
+security platform</a> and service protections, such as SafetyNet. These
+capabilities reduce the likelihood that security vulnerabilities could be
+successfully exploited on Android.</p>
+<ul>
+<li>Exploitation for many issues on Android is made more difficult by
+enhancements in newer versions of the Android platform. We encourage all users
+to update to the latest version of Android where possible.</li>
+<li>The Android Security team actively monitors for abuse with <a
+href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify
+Apps and SafetyNet</a>, which are designed to warn users about <a
+href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially
+Harmful Applications</a>. Verify Apps is enabled by default on devices with <a
+href="http://www.android.com/gms">Google Mobile Services</a> and is especially
+important for users who install applications from outside of Google Play. Device
+rooting tools are prohibited within Google Play, but Verify Apps warns users
+when they attempt to install a detected rooting application—no matter where it
+comes from. Additionally, Verify Apps attempts to identify and block
+installation of known malicious applications that exploit a privilege escalation
+vulnerability. If such an application has already been installed, Verify Apps
+will notify the user and attempt to remove the detected application.</li>
+<li>As appropriate, Google Hangouts and Messenger applications do not
+automatically pass media to processes such as Mediaserver.</li>
+</ul>
+<h2 id="acknowledgements">Acknowledgements</h2>
+<p>We would like to thank these researchers for their contributions:</p>
+<ul>
+<li>Alexander Potapenko of Google Dynamic Tools team: CVE-2017-0537
+<li>Baozeng Ding, Chengming Yang, Peng Xiao, and Yang Song of Alibaba Mobile
+Security Group: CVE-2017-0506
+<li>Baozeng Ding, Ning You, Chengming Yang, Peng Xiao, and Yang Song of Alibaba
+Mobile Security Group: CVE-2017-0463
+<li>Billy Lau of Android Security: CVE-2017-0335, CVE-2017-0336, CVE-2017-0338,
+CVE-2017-0460
+<li><a href="mailto:derrek.haxx@gmail.com">derrek</a> (<a
+href="https://twitter.com/derrekr6">@derrekr6</a>): CVE-2016-8413,
+CVE-2016-8477, CVE-2017-0531
+<li><a href="mailto:derrek.haxx@gmail.com">derrek</a> (<a
+href="https://twitter.com/derrekr6">@derrekr6</a>) and <a
+href="mailto:sbauer@plzdonthack.me">Scott Bauer</a> (<a
+href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>): CVE-2017-0521
+<li>Di Shen (<a href="https://twitter.com/returnsme">@returnsme</a>) of KeenLab
+(<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2017-0334,
+CVE-2017-0456, CVE-2017-0457, CVE-2017-0525
+<li>En He (<a href="https://twitter.com/heeeeen4x">@heeeeen4x</a>) and Bo Liu of
+<a href="http://www.ms509.com">MS509Team</a>: CVE-2017-0490
+<li>Gengjia Chen (<a href="https://twitter.com/chengjia4574">@chengjia4574</a>)
+and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360
+Technology Co. Ltd.: CVE-2017-0500, CVE-2017-0501, CVE-2017-0502, CVE-2017-0503,
+CVE-2017-0509, CVE-2017-0524, CVE-2017-0529, CVE-2017-0536
+<li>Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd.:
+CVE-2017-0453, CVE-2017-0461, CVE-2017-0464
+<li>Hiroki Yamamoto and Fang Chen of Sony Mobile Communications Inc.:
+CVE-2017-0481
+<li>IBM Security X-Force Researchers Sagi Kedmi and Roee Hay: CVE-2017-0510
+<li>Jianjun Dai (<a href="https://twitter.com/Jioun_dai">@Jioun_dai</a>) of <a
+href="https://skyeye.360safe.com">Qihoo 360 Skyeye Labs</a>: CVE-2017-0478
+<li>Jianqiang Zhao (<a
+href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>) and <a
+href="http://weibo.com/jfpan">pjf</a> of IceSword Lab, Qihoo 360: CVE-2016-8416,
+CVE-2016-8478, CVE-2017-0458, CVE-2017-0459, CVE-2017-0518, CVE-2017-0519,
+CVE-2017-0533, CVE-2017-0534
+<li><a href="mailto:zlbzlb815@163.com">Lubo Zhang</a>, <a
+href="mailto:segfault5514@gmail.com">Tong Lin</a>, <a
+href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a>, and Xuxian Jiang of <a
+href="http://c0reteam.org">C0RE Team</a>: CVE-2016-8479
+<li>Makoto Onuki of Google: CVE-2017-0491
+<li>Mingjian Zhou (<a
+href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), <a
+href="mailto:arnow117@gmail.com">Hanxiang Wen</a>, and Xuxian Jiang of <a
+href="http://c0reteam.org">C0RE Team</a>: CVE-2017-0479, CVE-2017-0480
+<li>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>):
+CVE-2017-0535
+<li>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>) of
+Tesla Motors Product Security Team: CVE-2017-0306
+<li>Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), Lenx Wei (韦韬) of Baidu X-Lab
+(百度安全实验室): CVE-2016-8417
+<li>Qidan He (何淇丹) (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>)
+of KeenLab, Tencent: CVE-2017-0337, CVE-2017-0476
+<li>Qing Zhang of Qihoo 360 and Guangdong Bai of Singapore Institute of
+Technology (SIT): CVE-2017-0496
+<li>Quhe and wanchouchou of Ant-financial Light-Year Security Lab
+(蚂蚁金服巴斯光年安全实验室): CVE-2017-0522
+<li><a href="mailto:keun-o.park@darkmatter.ae">Sahara</a> of Secure
+Communications in DarkMatter: CVE-2017-0528
+<li>salls (<a href="https://twitter.com/chris_salls">@chris_salls</a>) of
+Shellphish Grill Team, UC Santa Barbara: CVE-2017-0505
+<li><a href="mailto:sbauer@plzdonthack.me">Scott Bauer</a> (<a
+href="https://twitter.com/ScottyBauer1">@ScottyBauer1</a>): CVE-2017-0504,
+CVE-2017-0516
+<li>Sean Beaupre (beaups): CVE-2017-0455
+<li>Seven Shen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>) of
+Trend Micro: CVE-2017-0452
+<li>Shinichi Matsumoto of Fujitsu: CVE-2017-0498
+<li><a href="mailto:smarques84@gmail.com">Stéphane Marques</a> of <a
+href="http://www.byterev.com">ByteRev</a>: CVE-2017-0489
+<li>Svetoslav Ganov of Google: CVE-2017-0492
+<li><a href="mailto:segfault5514@gmail.com">Tong Lin</a>, <a
+href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a>, and Xuxian Jiang of <a
+href="http://c0reteam.org">C0RE Team</a>: CVE-2017-0333
+<li>V.E.O (<a href="https://twitter.com/vysea">@VYSEa</a>) of <a
+href="http://blog.trendmicro.com/trendlabs-security-intelligence/category/mobile">Mobile
+Threat Response Team</a>, <a href="http://www.trendmicro.com">Trend Micro</a>:
+CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469, CVE-2017-0470,
+CVE-2017-0471, CVE-2017-0472, CVE-2017-0473, CVE-2017-0482, CVE-2017-0485,
+CVE-2017-0486, CVE-2017-0487, CVE-2017-0494, CVE-2017-0495
+<li>Wish Wu (吴潍浠 此彼) (<a href="https://twitter.com/wish_wu">@wish_wu</a>) of
+Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室): CVE-2017-0477
+<li>Yu Pan of Vulpecker Team, Qihoo 360 Technology Co. Ltd: CVE-2017-0517,
+CVE-2017-0532
+<li><a href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a>, and Xuxian Jiang
+of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2017-0526, CVE-2017-0527
+<li>Yuqi Lu (<a href="https://twitter.com/nikos233__">@nikos233</a>), <a
+href="mailto:vancouverdou@gmail.com">Wenke Dou</a>, <a
+href="mailto:shaodacheng2016@gmail.com">Dacheng Shao</a>, Mingjian Zhou (<a
+href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>), and Xuxian Jiang
+of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2017-0483</li></ul>
+
+<h2 id="2017-03-01-details">2017-03-01 security patch level—Vulnerability
+details</h2>
+<p>In the sections below, we provide details for each of the security
+vulnerabilities listed in the 
+<a href="#2017-03-01-summary">2017-03-01
+security patch level—Vulnerability summary</a> above. There is a description of
+the issue, a severity rationale, and a table with the CVE, associated
+references, severity, updated Google devices, updated AOSP versions (where
+applicable), and date reported. When available, we will link the public change
+that addressed the issue to the bug ID, like the AOSP change list. When multiple
+changes relate to a single bug, additional references are linked to numbers
+following the bug ID.</p>
+
+
+<h3 id="rce-in-openssl-&-boringssl">Remote code execution vulnerability in
+OpenSSL & BoringSSL</h3>
+<p>A remote code execution vulnerability in OpenSSL and BoringSSL could enable an
+attacker using a specially crafted file to cause memory corruption during file
+and data processing. This issue is rated as Critical due to the possibility of
+remote code execution within the context of a privileged process.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-2182</td>
+    <td>A-32096880</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Aug 5, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="rce-in-mediaserver-">Remote code execution vulnerability in Mediaserver
+</h3>
+<p>A remote code execution vulnerability in Mediaserver could enable an attacker
+using a specially crafted file to cause memory corruption during media file and
+data processing. This issue is rated as Critical due to the possibility of
+remote code execution within the context of the Mediaserver process.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0466</td>
+    <td>A-33139050</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 25, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0467</td>
+    <td>A-33250932</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 30, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0468</td>
+    <td>A-33351708</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 5, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0469</td>
+    <td>A-33450635</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 8, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0470</td>
+    <td>A-33818500</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 21, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0471</td>
+    <td>A-33816782</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 21, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0472</td>
+    <td>A-33862021</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 23, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0473</td>
+    <td>A-33982658</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 30, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0474</td>
+    <td>A-32589224</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>7.0, 7.1.1</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-recovery-verifier">Elevation of privilege vulnerability in
+recovery verifier</h3>
+<p>An elevation of privilege vulnerability in the recovery verifier could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0475</td>
+    <td>A-31914369</td>
+    <td>Critical</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Oct 2, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="rce-in-aosp-messaging">Remote code execution vulnerability in AOSP
+Messaging</h3>
+<p>A remote code execution vulnerability in AOSP Messaging could enable an
+attacker using a specially crafted file to cause memory corruption during media
+file and data processing. This issue is rated as High due to the possibility of
+remote code execution within the context of an unprivileged process.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0476</td>
+    <td>A-33388925</td>
+    <td>High</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 6, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="rce-in-libgdx">Remote code execution vulnerability in libgdx</h3>
+<p>A remote code execution vulnerability in libgdx could enable an attacker using
+a specially crafted file to execute arbitrary code within the context of an
+unprivileged process. This issue is rated as High due to the possibility of
+remote code execution in an application that uses this library.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0477</td>
+    <td>A-33621647</td>
+    <td>High</td>
+    <td>All</td>
+    <td>7.1.1</td>
+    <td>Dec 14, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="rce-in-framesequence-library">Remote code execution vulnerability in
+Framesequence library</h3>
+<p>A remote code execution vulnerability in the Framesequence library could enable
+an attacker using a specially crafted file to execute arbitrary code in the
+context of an unprivileged process. This issue is rated as High due to the
+possibility of remote code execution in an application that uses the
+Framesequence library.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0478</td>
+    <td>A-33718716</td>
+    <td>High</td>
+    <td>All</td>
+    <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 16, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-audioserver">Elevation of privilege vulnerability in
+Audioserver</h3>
+<p>An elevation of privilege vulnerability in Audioserver could enable a local
+malicious application to execute arbitrary code within the context of a
+privileged process. This issue is rated as High because it could be used to
+gain local access to elevated capabilities, which are not normally accessible
+to a third-party application.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0479</td>
+    <td>A-32707507</td>
+    <td>High</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 7, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0480</td>
+    <td>A-32705429</td>
+    <td>High</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 7, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-nfc">Elevation of privilege vulnerability in NFC</h3>
+<p>An elevation of privilege vulnerability in NFC could enable a proximate
+attacker to execute arbitrary code within the context of a privileged process.
+This issue is rated as High because it could be used to gain local access to
+elevated capabilities, which are not normally accessible to a third-party
+application.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0481</td>
+    <td>A-33434992</td>
+    <td>High</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+
+
+<h3 id="dos-in-mediaserver">Denial of service vulnerability in Mediaserver</h3>
+<p>A denial of service vulnerability in Mediaserver could enable an attacker to
+use a specially crafted file to cause a device hang or reboot. This issue is
+rated as High severity due to the possibility of remote denial of service.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0482</td>
+    <td>A-33090864</td>
+    <td>High</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 22, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0483</td>
+    <td>A-33137046</td>
+    <td>High</td>
+    <td>All</td>
+    <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 24, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0484</td>
+    <td>A-33298089</td>
+    <td>High</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 1, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0485</td>
+    <td>A-33387820</td>
+    <td>High</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 6, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0486</td>
+    <td>A-33621215</td>
+    <td>High</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 14, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0487</td>
+    <td>A-33751193</td>
+    <td>High</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 19, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0488</td>
+    <td>A-34097213</td>
+    <td>High</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+
+
+<h3 id="update:-dos-in-mediaserver">Update: Denial of service vulnerability in
+Mediaserver</h3>
+<p>A denial of service vulnerability in Mediaserver could enable an attacker to
+use a specially crafted file to cause a device hang or reboot. This issue is
+rated as High due to the possibility of remote denial of service.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0390</td>
+    <td>A-31647370</td>
+    <td>High</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Sep 19, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="update:-dos-in-mediaserver-2">Update: Denial of service vulnerability
+in Mediaserver</h3>
+<p>A denial of service vulnerability in Mediaserver could enable an attacker to
+use a specially crafted file to cause a device hang or reboot. This issue is
+rated as High due to the possibility of remote denial of service.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0392</td>
+    <td>A-32577290</td>
+    <td>High</td>
+    <td>All</td>
+    <td>7.0, 7.1.1</td>
+    <td>Oct 29, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-location-manager">Elevation of privilege vulnerability in
+Location Manager</h3>
+<p>An elevation of privilege vulnerability in Location Manager could enable a
+local malicious application to bypass operating system protections for location
+data. This issue is rated as Moderate because it could be used to generate
+inaccurate data.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0489</td>
+    <td>A-33091107</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 20, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-wi-fi">Elevation of privilege vulnerability in Wi-Fi</h3>
+<p>An elevation of privilege vulnerability in Wi-Fi could enable a local malicious
+application to delete user data. This issue is rated as Moderate because it is
+a local bypass of user interaction requirements that would normally require
+either user initiation or user permission. </p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0490</td>
+    <td>A-33178389</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 25, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-package-manager">Elevation of privilege vulnerability in Package
+Manager</h3>
+<p>An elevation of privilege vulnerability in Package Manager could enable a local
+malicious application to prevent users from uninstalling applications or
+removing permissions from applications. This issue is rated as Moderate because
+it is a local bypass of user interaction requirements.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0491</td>
+    <td>A-32553261</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-system-ui">Elevation of privilege vulnerability in System
+UI</h3>
+<p>An elevation of privilege vulnerability in the System UI could enable a local
+malicious application to create a UI overlay covering the entire screen. This
+issue is rated as Moderate because it is a local bypass of user interaction
+requirements that would normally require either user initiation or user
+permission.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0492</td>
+    <td>A-30150688</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>7.1.1</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-aosp-messaging">Information disclosure vulnerability in AOSP
+Messaging</h3>
+<p>An information disclosure vulnerability in AOSP Messaging could enable a remote
+attacker using a special crafted file to access data outside of its permission
+levels. This issue is rated as Moderate because it could be used to access
+sensitive data without permission.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0494</td>
+    <td>A-32764144</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Nov 9, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-mediaserver">Information disclosure vulnerability in
+Mediaserver</h3>
+<p>An information disclosure vulnerability in Mediaserver could enable a local
+malicious application to access data outside of its permission levels. This
+issue is rated as Moderate because it could be used to access sensitive data
+without permission.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0495</td>
+    <td>A-33552073</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Dec 11, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="dos-in-setup-wizard">Denial of service vulnerability in Setup
+Wizard</h3>
+<p>A denial of service vulnerability in Setup Wizard could allow a local malicious
+application to temporarily block access to an affected device. This issue is
+rated as Moderate because it may require a factory reset to repair the device.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0496</td>
+    <td>A-31554152*</td>
+    <td>Moderate</td>
+    <td>None*</td>
+    <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
+    <td>Sep 14, 2016</td>
+  </tr>
+</table>
+<p>* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="dos-in-mediaserver-2">Denial of service vulnerability in
+Mediaserver</h3>
+<p>A denial of service vulnerability in Mediaserver could enable an attacker to
+use a specially crafted file to cause a device hang or reboot. This issue is
+rated as Moderate because it requires an uncommon device configuration.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0497</td>
+    <td>A-33300701</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>7.0, 7.1.1</td>
+    <td>Dec 2, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="dos-in-setup-wizard-2">Denial of service vulnerability in Setup
+Wizard</h3>
+<p>A denial of service vulnerability in Setup Wizard could allow a local attacker
+to require Google account sign-in after a factory reset. This issue is rated as
+Moderate because it may require a factory reset to repair the device. </p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0498</td>
+    <td>A-30352311</td>
+    <td>Moderate</td>
+    <td>All</td>
+    <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+
+
+<h3 id="dos-in-audioserver">Denial of service vulnerability in Audioserver</h3>
+<p>A denial of service vulnerability in Audioserver could enable a local malicious
+application to cause a device hang or reboot. This issue is rated as Low due to
+the possibility of a temporary denial of service.</p>
+
+<table>
+  <col width="18%">
+  <col width="17%">
+  <col width="10%">
+  <col width="19%">
+  <col width="18%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Updated AOSP versions</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0499</td>
+    <td>A-32095713</td>
+    <td>Low</td>
+    <td>All</td>
+    <td>5.1.1, 6.0, 6.0.1, 7.0, 7.1.1</td>
+    <td>Oct 11, 2016</td>
+  </tr>
+</table>
+
+
+<h2 id="2017-03-05-details">2017-03-05 security patch level—Vulnerability
+details</h2>
+<p>In the sections below, we provide details for each of the security
+vulnerabilities listed in the 
+<a href="#2017-03-05-summary">2017-03-05
+security patch level—Vulnerability summary</a> above. There is a description of
+the issue, a severity rationale, and a table with the CVE, associated
+references, severity, updated Google devices, updated AOSP versions (where
+applicable), and date reported. When available, we will link the public change
+that addressed the issue to the bug ID, like the AOSP change list. When multiple
+changes relate to a single bug, additional references are linked to numbers
+following the bug ID.</p>
+
+
+<h3 id="eop-in-mediatek-components">Elevation of privilege vulnerability in
+MediaTek components</h3>
+<p>An elevation of privilege vulnerability in MediaTek components, including the
+M4U driver, sound driver, touchscreen driver, GPU driver, and Command Queue
+driver, could enable a local malicious application to execute arbitrary code
+within the context of the kernel. This issue is rated as Critical due to the
+possibility of a local permanent device compromise, which may require
+reflashing the operating system to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0500</td>
+    <td>A-28429685*<br>
+        M-ALPS02710006</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Apr 27, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0501</td>
+    <td>A-28430015*<br>
+        M-ALPS02708983</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Apr 27, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0502</td>
+    <td>A-28430164*<br>
+        M-ALPS02710027</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Apr 27, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0503</td>
+    <td>A-28449045*<br>
+        M-ALPS02710075</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Apr 28, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0504</td>
+    <td>A-30074628*<br>
+        M-ALPS02829371</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Jul 9, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0505</td>
+    <td>A-31822282*<br>
+        M-ALPS02992041</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Sep 28, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0506</td>
+    <td>A-32276718*<br>
+        M-ALPS03006904</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Oct 18, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="eop-in-nvidia-gpu-driver">Elevation of privilege vulnerability in
+NVIDIA GPU driver</h3>
+<p>An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0337</td>
+    <td>A-31992762*<br>
+        N-CVE-2017-0337</td>
+    <td>Critical</td>
+    <td>Pixel C</td>
+    <td>Oct 6, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0338</td>
+    <td>A-33057977*<br>
+        N-CVE-2017-0338</td>
+    <td>Critical</td>
+    <td>Pixel C</td>
+    <td>Nov 21, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0333</td>
+    <td>A-33899363*<br>
+        N-CVE-2017-0333</td>
+    <td>Critical</td>
+    <td>Pixel C</td>
+    <td>Dec 25, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0306</td>
+    <td>A-34132950*<br>
+        N-CVE-2017-0306</td>
+    <td>Critical</td>
+    <td>Nexus 9</td>
+    <td>Jan 6, 2017</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0335</td>
+    <td>A-33043375*<br>
+        N-CVE-2017-0335</td>
+    <td>Critical</td>
+    <td>Pixel C</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-kernel-ion-subsystem">Elevation of privilege vulnerability in
+kernel ION subsystem</h3>
+<p>An elevation of privilege vulnerability in the kernel ION subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility
+of a local permanent device compromise, which may require reflashing the
+operating system to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0507</td>
+    <td>A-31992382*</td>
+    <td>Critical</td>
+    <td>Android One, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel
+C, Pixel, Pixel XL</td>
+    <td>Oct 6, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0508</td>
+    <td>A-33940449*</td>
+    <td>Critical</td>
+    <td>Pixel C</td>
+    <td>Dec 28, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-broadcom-wi-fi-driver">Elevation of privilege vulnerability in
+Broadcom Wi-Fi driver</h3>
+<p>An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility
+of a local permanent device compromise, which may require reflashing the
+operating system to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0509</td>
+    <td>A-32124445*<br>
+        B-RB#110688</td>
+    <td>Critical</td>
+    <td>None**</td>
+    <td>Oct 12, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="eop-in-kernel-fiq-debugger">Elevation of privilege vulnerability in
+kernel FIQ debugger</h3>
+<p>An elevation of privilege vulnerability in the kernel FIQ debugger could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0510</td>
+    <td>A-32402555*</td>
+    <td>Critical</td>
+    <td>Nexus 9</td>
+    <td>Oct 25, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-qualcomm-gpu-driver">Elevation of privilege vulnerability in
+Qualcomm GPU driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm GPU driver could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-8479</td>
+    <td>A-31824853*<br>
+        QC-CR#1093687</td>
+    <td>Critical</td>
+    <td>Android One, Nexus 5X, Nexus 6, Nexus 6P, Pixel, Pixel XL</td>
+    <td>Sep 29, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-kernel-networking-subsystem">Elevation of privilege
+vulnerability in kernel networking subsystem</h3>
+<p>An elevation of privilege vulnerability in the kernel networking subsystem
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility
+of a local permanent device compromise, which may require reflashing the
+operating system to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-9806</td>
+    <td>A-33393474<br>
+        <a 
+href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=92964c79b357efd980812c4de5c1fd2ec8bb5520">
+Upstream kernel</a></td>
+    <td>Critical</td>
+    <td>Pixel C, Pixel, Pixel XL</td>
+    <td>Dec 4, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-10200</td>
+    <td>A-33753815<br>
+        <a 
+href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=32c231164b762dddefa13af5a0101032c70b50ef">
+Upstream kernel</a></td>
+    <td>Critical</td>
+    <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+    <td>Dec 19, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="vulnerabilities-in-qualcomm-components">Vulnerabilities in Qualcomm
+components</h3>
+<p>The following vulnerability affects Qualcomm components and is described in
+further detail in Qualcomm AMSS September 2016 security bulletin.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-8484</td>
+    <td>A-28823575**</td>
+    <td>Critical</td>
+    <td>None***</td>
+    <td>Qualcomm internal</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-8485</td>
+    <td>A-28823681**</td>
+    <td>Critical</td>
+    <td>None***</td>
+    <td>Qualcomm internal</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-8486</td>
+    <td>A-28823691**</td>
+    <td>Critical</td>
+    <td>None***</td>
+    <td>Qualcomm internal</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-8487</td>
+    <td>A-28823724**</td>
+    <td>Critical</td>
+    <td>None***</td>
+    <td>Qualcomm internal</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-8488</td>
+    <td>A-31625756**</td>
+    <td>Critical</td>
+    <td>None***</td>
+    <td>Qualcomm internal</td>
+  </tr>
+</table>
+<p>* The severity rating for these vulnerabilities was determined by the vendor.</p>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>*** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="eop-in-kernel-networking-subsystem-2">Elevation of privilege
+vulnerability in kernel networking subsystem</h3>
+<p>An elevation of privilege vulnerability in the kernel networking subsystem
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-8655</td>
+    <td>A-33358926<br>
+        <a 
+href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c">
+Upstream kernel</a></td>
+    <td>High</td>
+    <td>Android One, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel
+C, Pixel, Pixel XL</td>
+    <td>Oct 12, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-9793</td>
+    <td>A-33363517<br>
+        <a 
+href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b98b0bc8c431e3ceb4b26b0dfc8db509518fb290">
+Upstream kernel</a></td>
+    <td>High</td>
+    <td>Android One, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel
+C, Pixel, Pixel XL</td>
+    <td>Dec 2, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-qualcomm-input-hardware-driver">Elevation of privilege
+vulnerability in Qualcomm input hardware driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm input hardware driver
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0516</td>
+    <td>A-32341680*<br>
+        QC-CR#1096301</td>
+    <td>High</td>
+    <td>Android One, Pixel, Pixel XL</td>
+    <td>Oct 21, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-mediatek-hardware-sensor-driver">Elevation of privilege
+vulnerability in MediaTek Hardware Sensor Driver</h3>
+<p>An elevation of privilege vulnerability in the MediaTek hardware sensor driver
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0517</td>
+    <td>A-32372051*<br>
+        M-ALPS02973195</td>
+    <td>High</td>
+    <td>None**</td>
+    <td>Oct 22, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="eop-in-qualcomm-adsprpc-driver">Elevation of privilege vulnerability in
+Qualcomm ADSPRPC driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0457</td>
+    <td>A-31695439*<br>
+        QC-CR#1086123<br>
+        QC-CR#1100695</td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+    <td>Sep 22, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-qualcomm-fingerprint-sensor-driver">Elevation of privilege
+vulnerability in Qualcomm fingerprint sensor driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm fingerprint sensor
+driver could enable a local malicious application to execute arbitrary code
+within the context of the kernel. This issue is rated as High because it first
+requires compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0518</td>
+    <td>A-32370896*<br>
+        QC-CR#1086530</td>
+    <td>High</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 24, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0519</td>
+    <td>A-32372915*<br>
+        QC-CR#1086530</td>
+    <td>High</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 24, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-qualcomm-crypto-engine-driver">Elevation of privilege
+vulnerability in Qualcomm crypto engine driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm crypto engine driver
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0520</td>
+    <td>A-31750232<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=eb2aad752c43f57e88ab9b0c3c5ee7b976ee31dd">
+QC-CR#1082636</a></td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Sep 24, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-qualcomm-camera-driver">Elevation of privilege vulnerability in
+Qualcomm camera driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm camera driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0458</td>
+    <td>A-32588962<br>
+        <a 
+href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=eba46cb98431ba1d7a6bd859f26f6ad03f1bf4d4">
+QC-CR#1089433</a></td>
+    <td>High</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 31, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0521</td>
+    <td>A-32919951<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=dbe4f26f200db10deaf38676b96d8738afcc10c8">
+QC-CR#1097709</a></td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Nov 15, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-mediatek-apk">Elevation of privilege vulnerability in MediaTek
+APK</h3>
+<p>An elevation of privilege vulnerability in a MediaTek APK could enable a local
+malicious application to execute arbitrary code within the context of a
+privileged process. This issue is rated as High due to the possibility of local
+arbitrary code execution in a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0522</td>
+    <td>A-32916158*<br>
+        M-ALPS03032516</td>
+    <td>High</td>
+    <td>None**</td>
+    <td>Nov 15, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="eop-in-qualcomm-wi-fi-driver">Elevation of privilege vulnerability in
+Qualcomm Wi-Fi driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0464</td>
+    <td>A-32940193<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=051597a4fe19fd1292fb7ea2e627d12d1fd2934f">
+QC-CR#1102593</a></td>
+    <td>High</td>
+    <td>Nexus 5X, Pixel, Pixel XL</td>
+    <td>Nov 15, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0453</td>
+    <td>A-33979145<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=05af1f34723939f477cb7d25adb320d016d68513">
+QC-CR#1105085</a></td>
+    <td>High</td>
+    <td>Nexus 5X, Android One</td>
+    <td>Dec 30, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0523</td>
+    <td>A-32835279<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5bb646471da76d3d5cd02cf3da7a03ce6e3cb582">
+QC-CR#1096945</a></td>
+    <td>High</td>
+    <td>None*</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+<p>* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="eop-in-synaptics-touchscreen-driver">Elevation of privilege
+vulnerability in Synaptics touchscreen driver</h3>
+<p>An elevation of privilege vulnerability in the Synaptics touchscreen driver
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0524</td>
+    <td>A-33002026</td>
+    <td>High</td>
+    <td>Android One, Nexus 5X, Nexus 6P, Nexus 9, Pixel, Pixel XL</td>
+    <td>Nov 18, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-qualcomm-ipa-driver">Elevation of privilege vulnerability in
+Qualcomm IPA driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm IPA driver could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as High because it first requires compromising
+a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0456</td>
+    <td>A-33106520*<br>
+        QC-CR#1099598</td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Nov 23, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0525</td>
+    <td>A-33139056*<br>
+        QC-CR#1097714</td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Nov 25, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-htc-sensor-hub-driver">Elevation of privilege vulnerability in
+HTC Sensor Hub Driver</h3>
+<p>An elevation of privilege vulnerability in the HTC Sensor Hub Driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0526</td>
+    <td>A-33897738*</td>
+    <td>High</td>
+    <td>Nexus 9</td>
+    <td>Dec 25, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0527</td>
+    <td>A-33899318*</td>
+    <td>High</td>
+    <td>Nexus 9, Pixel, Pixel XL</td>
+    <td>Dec 25, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-nvidia-gpu-driver-2">Elevation of privilege vulnerability in
+NVIDIA GPU driver</h3>
+<p>An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0307</td>
+    <td>A-33177895*<br>
+        N-CVE-2017-0307</td>
+    <td>High</td>
+    <td>None**</td>
+    <td>Nov 28, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="eop-in-qualcomm-networking-driver">Elevation of privilege vulnerability
+in Qualcomm networking driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm networking driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0463</td>
+    <td>A-33277611<br>
+        <a 
+href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=955bd7e7ac097bdffbadafab90e5378038fefeb2">
+QC-CR#1101792</a></td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Nov 30, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0460 </td>
+    <td>A-31252965*<br>
+        QC-CR#1098801</td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-kernel-security-subsystem">Elevation of privilege vulnerability
+in kernel security subsystem</h3>
+<p>An elevation of privilege vulnerability in the kernel security subsystem could
+enable a local malicious application to to execute code in the context of a
+privileged process. This issue is rated as High because it is a general bypass
+for a kernel level defense in depth or exploit mitigation technology.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0528</td>
+    <td>A-33351919*</td>
+    <td>High</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Dec 4, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="eop-in-qualcomm-spcom-driver">Elevation of privilege vulnerability in
+Qualcomm SPCom driver</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm SPCom driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-5856</td>
+    <td>A-32610665<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=0c0622914ba53cdcb6e79e85f64bfdf7762c0368">
+QC-CR#1094078</a></td>
+    <td>High</td>
+    <td>None*</td>
+    <td>Google internal</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-5857</td>
+    <td>A-34386529<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-4.4/commit/?id=d9d2c405d46ca27b25ed55a8dbd02bd1e633e2d5">
+QC-CR#1094140</a></td>
+    <td>High</td>
+    <td>None*</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+<p>* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="id-in-kernel-networking-subsystem">Information disclosure vulnerability
+in kernel networking subsystem</h3>
+<p>An information disclosure vulnerability in the kernel networking subsystem
+could enable a local proximate attacker to gain access to sensitive
+information. This issue is rated as High because it could be used to access
+data without permission.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2014-8709</td>
+    <td>A-34077221<br>
+        <a 
+href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=338f977f4eb441e69bb9a46eaa0ac715c931a67f">
+Upstream kernel</a></td>
+    <td>High</td>
+    <td>Nexus Player</td>
+    <td>Nov 9, 2014</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-mediatek-driver">Information disclosure vulnerability in MediaTek
+driver</h3>
+<p>An information disclosure vulnerability in the MediaTek driver could enable a
+local malicious application to access data outside of its permission levels.
+This issue is rated as High because it could be used to access sensitive data
+without explicit user permission.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0529</td>
+    <td>A-28449427*<br>
+        M-ALPS02710042</td>
+    <td>High</td>
+    <td>None**</td>
+    <td>Apr 27, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="id-in-qualcomm-bootloader">Information disclosure vulnerability in
+Qualcomm bootloader</h3>
+<p>An information disclosure vulnerability in the Qualcomm bootloader could help
+to enable a local malicious application to to execute arbitrary code within the
+context of the bootloader. This issue is rated as High because it is a general
+bypass for a bootloader level defense in depth or exploit mitigation
+technology.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0455</td>
+    <td>A-32370952<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/lk/commit/?id=2c00928b4884fdb0b1661bcc530d7e68c9561a2f">
+QC-CR#1082755</a></td>
+    <td>High</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 21, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-qualcomm-power-driver">Information disclosure vulnerability in
+Qualcomm power driver</h3>
+<p>An information disclosure vulnerability in the Qualcomm power driver could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as High because it could be used to access
+sensitive data without explicit user permission.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-8483</td>
+    <td>A-33745862<br>
+        <a 
+href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=6997dcb7ade1315474855821e64782205cb0b53a">
+QC-CR#1035099</a></td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6P</td>
+    <td>Dec 19, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-nvidia-gpu-driver">Information disclosure vulnerability in NVIDIA
+GPU driver</h3>
+<p>An information disclosure vulnerability in the NVIDIA GPU driver could enable a
+local malicious application to access data outside of its permission levels.
+This issue is rated as High because it could be used to access sensitive data
+without explicit user permission.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0334</td>
+    <td>A-33245849*<br>
+        N-CVE-2017-0334</td>
+    <td>High</td>
+    <td>Pixel C</td>
+    <td>Nov 30, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0336</td>
+    <td>A-33042679*<br>
+        N-CVE-2017-0336</td>
+    <td>High</td>
+    <td>Pixel C</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="dos-in-kernel-cryptographic-subsystem">Denial of service vulnerability
+in kernel cryptographic subsystem</h3>
+<p>A denial of service vulnerability in the kernel cryptographic subsystem could
+enable a remote attacker to use a specially crafted network packet to cause a
+device hang or reboot. This issue is rated as High due to the possibility of
+remote denial of service.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-8650</td>
+    <td>A-33401771<br>
+        <a 
+href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f5527fffff3f002b0a6b376163613b82f69de073">
+Upstream kernel</a></td>
+    <td>High</td>
+    <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+    <td>Oct 12, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="eop-in-qualcomm-camera-driver-(device-specific)">Elevation of privilege
+vulnerability in Qualcomm camera driver (device specific)</h3>
+<p>An elevation of privilege vulnerability in the Qualcomm camera driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Moderate because it first
+requires compromising a privileged process and is mitigated by current platform
+configurations.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-8417</td>
+    <td>A-32342399<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=01dcc0a7cc23f23a89adf72393d5a27c6d576cd0">
+QC-CR#1088824</a></td>
+    <td>Moderate</td>
+    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Oct 21, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-qualcomm-wi-fi-driver">Information disclosure vulnerability in
+Qualcomm Wi-Fi driver</h3>
+<p>An information disclosure vulnerability in the Qualcomm Wi-Fi driver could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Moderate because it first requires compromising
+a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0461</td>
+    <td>A-32073794<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=ce5d6f84420a2e6ca6aad6b866992970dd313a65">
+QC-CR#1100132</a></td>
+    <td>Moderate</td>
+    <td>Android One, Nexus 5X, Pixel, Pixel XL</td>
+    <td>Oct 9, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0459</td>
+    <td>A-32644895<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?h=rel/msm-3.18&id=ffacf6e2dc41b6063c3564791ed7a2f903e7e3b7">
+QC-CR#1091939</a></td>
+    <td>Moderate</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Nov 3, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0531</td>
+    <td>A-32877245<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=530f3a0fd837ed105eddaf99810bc13d97dc4302">
+QC-CR#1087469</a></td>
+    <td>Moderate</td>
+    <td>Android One, Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+    <td>Nov 13, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-mediatek-video-codec-driver">Information disclosure vulnerability
+in MediaTek video codec driver</h3>
+<p>An information disclosure vulnerability in the MediaTek video codec driver
+could enable a local malicious application to access data outside of its
+permission levels. This issue is rated as Moderate because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0532</td>
+    <td>A-32370398*<br>
+        M-ALPS03069985</td>
+    <td>Moderate</td>
+    <td>None**</td>
+    <td>Oct 22, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<p>** Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+
+
+<h3 id="id-in-qualcomm-video-driver">Information disclosure vulnerability in
+Qualcomm video driver</h3>
+<p>An information disclosure vulnerability in the Qualcomm video driver could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Moderate because it first requires compromising
+a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0533</td>
+    <td>A-32509422<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f">
+QC-CR#1088206</a></td>
+    <td>Moderate</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 27, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2017-0534</td>
+    <td>A-32508732<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f">
+QC-CR#1088206</a></td>
+    <td>Moderate</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 28, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-8416</td>
+    <td>A-32510746<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f">
+QC-CR#1088206</a></td>
+    <td>Moderate</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 28, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-8478</td>
+    <td>A-32511270<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e3af5e89426f1c8d4e703d415eff5435b925649f">
+QC-CR#1088206</a></td>
+    <td>Moderate</td>
+    <td>Pixel, Pixel XL</td>
+    <td>Oct 28, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-qualcomm-camera-driver">Information disclosure vulnerability in
+Qualcomm camera driver</h3>
+<p>An information disclosure vulnerability in the Qualcomm camera driver could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Moderate because it first requires compromising
+a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2016-8413</td>
+    <td>A-32709702<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=bc77232707df371ff6bab9350ae39676535c0e9d">
+QC-CR#518731</a></td>
+    <td>Moderate</td>
+    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Nov 4, 2016</td>
+  </tr>
+  <tr>
+    <td>CVE-2016-8477</td>
+    <td>A-32720522<br>
+        <a 
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=33c9042e38506b04461fa99e304482bc20923508">
+QC-CR#1090007</a>
+[<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=96145eb5f0631f0e105d47abebc8f940f7621eeb">2</a>]</td>
+    <td>Moderate</td>
+    <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+    <td>Nov 7, 2016</td>
+  </tr>
+</table>
+
+
+<h3 id="id-in-htc-sound-codec-driver">Information disclosure vulnerability in
+HTC sound codec driver</h3>
+<p>An information disclosure vulnerability in the HTC sound codec driver could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Moderate because it first requires compromising
+a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0535</td>
+    <td>A-33547247*</td>
+    <td>Moderate</td>
+    <td>Nexus 9</td>
+    <td>Dec 11, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="id-in-synaptics-touchscreen-driver">Information disclosure
+vulnerability in Synaptics touchscreen driver</h3>
+<p>An information disclosure vulnerability in the Synaptics touchscreen driver
+could enable a local malicious application to access data outside of its
+permission levels. This issue is rated as Moderate because it first requires
+compromising a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0536</td>
+    <td>A-33555878*</td>
+    <td>Moderate</td>
+    <td>Android One, Nexus 5X, Nexus 6P, Nexus 9, Pixel, Pixel XL</td>
+    <td>Dec 12, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="id-in-kernel-usb-gadget-driver">Information disclosure vulnerability in
+kernel USB gadget driver</h3>
+<p>An information disclosure vulnerability in the kernel USB gadget driver could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Moderate because it first requires compromising
+a privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0537</td>
+    <td>A-31614969*</td>
+    <td>Moderate</td>
+    <td>Pixel C</td>
+    <td>Google internal</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+
+
+<h3 id="id-in-qualcomm-camera-driver-2">Information disclosure vulnerability in
+Qualcomm camera driver</h3>
+<p>An information disclosure vulnerability in the Qualcomm camera driver could
+enable a local malicious application to access data outside of its permission
+levels. This issue is rated as Low because it first requires compromising a
+privileged process.</p>
+
+<table>
+  <col width="19%">
+  <col width="20%">
+  <col width="10%">
+  <col width="23%">
+  <col width="17%">
+  <tr>
+    <th>CVE</th>
+    <th>References</th>
+    <th>Severity</th>
+    <th>Updated Google devices</th>
+    <th>Date reported</th>
+  </tr>
+  <tr>
+    <td>CVE-2017-0452</td>
+    <td>A-32873615*<br>
+        QC-CR#1093693</td>
+    <td>Low</td>
+    <td>Nexus 5X, Nexus 6P, Android One</td>
+    <td>Nov 10, 2016</td>
+  </tr>
+</table>
+<p>* The patch for this issue is not publicly available. The update is contained
+in the latest binary drivers for Nexus devices available from the
+<a href="https://developers.google.com/android/nexus/drivers">
+Google Developer site</a>.</p>
+<h2 id="common-questions-and-answers">Common Questions and Answers</h2>
+<p>This section answers common questions that may occur after reading this
+bulletin.</p>
+<p><strong>1. How do I determine if my device is updated to address these issues?
+</strong></p>
+<p>To learn how to check a device's security patch level, read the instructions on
+the <a
+href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
+and Nexus update schedule</a>.</p>
+<ul>
+<li>Security patch levels of 2017-03-01 or later address all issues associated
+with the 2017-03-01 security patch level.</li>
+<li>Security patch levels of 2017-03-05 or later address all issues associated
+with the 2017-03-05 security patch level and all previous patch levels.
+</li>
+</ul>
+<p>Device manufacturers that include these updates should set the patch string
+level to:</p>
+<ul>
+<li>[ro.build.version.security_patch]:[2017-03-01]</li>
+<li>[ro.build.version.security_patch]:[2017-03-05]</li>
+</ul>
+<p><strong>2. Why does this bulletin have two security patch levels?</strong></p>
+<p>This bulletin has two security patch levels so that Android partners have the
+flexibility to fix a subset of vulnerabilities that are similar across all
+Android devices more quickly. Android partners are encouraged to fix all issues
+in this bulletin and use the latest security patch level.</p>
+<ul>
+<li>Devices that use the March 1, 2017 security patch level must include all
+issues associated with that security patch level, as well as fixes for all
+issues reported in previous security bulletins.</li>
+<li>Devices that use the security patch level of March 5, 2017 or newer must
+include all applicable patches in this (and previous) security
+bulletins.</li>
+</ul>
+<p>Partners are encouraged to bundle the fixes for all issues they are addressing
+in a single update.</p>
+<p><strong>3. How do I determine which Google devices are affected by each
+issue?</strong></p>
+<p>In the <a href="#2017-03-01-details">2017-03-01</a> and
+<a href="#2017-03-05-details">2017-03-05</a>
+security vulnerability details sections, each table has an <em>Updated Google
+devices</em> column that covers the range of affected Google devices updated for
+each issue. This column has a few options:</p>
+<ul>
+<li><strong>All Google devices</strong>: If an issue affects All and Pixel
+devices, the table will have "All" in the <em>Updated Google devices</em>
+column. "All" encapsulates the following <a
+href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">supported
+devices</a>: Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Android One,
+Nexus Player, Pixel C, Pixel, and Pixel XL.</li>
+<li><strong>Some Google devices</strong>: If an issue doesn't affect all Google
+devices, the affected Google devices are listed in the <em>Updated Google
+devices</em> column.</li>
+<li><strong>No Google devices</strong>: If no Google devices running Android 7.0
+are affected by the issue, the table will have "None" in the <em>Updated Google
+devices</em> column. </li>
+</ul>
+<p><strong>4. What do the entries in the references column map to?</strong></p>
+<p>Entries under the <em>References</em> column of the vulnerability details table
+may contain a prefix identifying the organization to which the reference value
+belongs. These prefixes map as follows:</p>
+<table>
+  <tr>
+   <th>Prefix</th>
+   <th>Reference</th>
+  </tr>
+  <tr>
+   <td>A-</td>
+   <td>Android bug ID</td>
+  </tr>
+  <tr>
+   <td>QC-</td>
+   <td>Qualcomm reference number</td>
+  </tr>
+  <tr>
+   <td>M-</td>
+   <td>MediaTek reference number</td>
+  </tr>
+  <tr>
+   <td>N-</td>
+   <td>NVIDIA reference number</td>
+  </tr>
+  <tr>
+   <td>B-</td>
+   <td>Broadcom reference number</td>
+  </tr>
+</table>
+<h2 id="revisions">Revisions</h2>
+<ul>
+<li>March 06, 2017: Bulletin published.</li>
+</ul>
+
diff --git a/src/security/bulletin/index.jd b/src/security/bulletin/index.jd
index 93f4f903..7ec2603e 100644
--- a/src/security/bulletin/index.jd
+++ b/src/security/bulletin/index.jd
@@ -75,6 +75,14 @@ Android Open Source Project (AOSP), the upstream Linux kernel, and system-on-chi
     <th>Published Date</th>
     <th>Security Patch Level</th>
  </tr>
+ <tr>
+    <td><a href="2017-03-01.html">March 2017</a></td>
+    <td>Coming soon
+    </td>
+    <td>March 6, 2017</td>
+    <td>2017-03-01<br>
+        2017-03-05</td>
+ </tr>
  <tr>
     <td><a href="2017-02-01.html">February 2017</a></td>
     <td>Coming soon
diff --git a/src/security/overview/acknowledgements.jd b/src/security/overview/acknowledgements.jd
index 3ddbd62f..00623b0f 100644
--- a/src/security/overview/acknowledgements.jd
+++ b/src/security/overview/acknowledgements.jd
@@ -38,13 +38,26 @@ Rewards</a> program.</p>
 <h2 id="2017">2017</h2>
 <div style="LINE-HEIGHT:25px;">
 
+<p>Alexander Potapenko of Google Dynamic Tools team</p>
+
 <p>Alexandru Blanda</p>
 
+<p>Baozeng Ding of Alibaba Mobile Security Group</p>
+
 <p>Ben Actis (<a href="https://twitter.com/ben_ra">@Ben_RA</a>)</p>
 
+<p>Billy Lau of Android Security</p>
+
+<p>Chenfu Bao (包沉浮) of Baidu X-Lab (百度安全实验室)</p>
+
+<p>Chengming Yang of Alibaba Mobile Security Group</p>
+
 <p>Chiachih Wu (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>)
 of <a href="http://c0reteam.org">C0RE Team</a></p>
 
+<p><a href="mailto:shaodacheng2016@gmail.com">Dacheng Shao</a>
+of <a href="http://c0reteam.org">C0RE Team</a></p>
+
 <p>Daniel Dakhno</p>
 
 <p>Daniel Micay of Copperhead Security</p>
@@ -65,6 +78,8 @@ of <a href="http://c0reteam.org">C0RE Team</a></p>
 <p>En He (<a href="http://twitter.com/heeeeen4x">@heeeeen4x</a>) of
 <a href="http://www.ms509.com">MS509Team</a></p>
 
+<p>Fang Chen of Sony Mobile Communications Inc.</p>
+
 <p>Frank Liberato of Chrome</p>
 
 <p>Gal Beniamini of Project Zero</p>
@@ -77,11 +92,15 @@ of <a href="http://c0reteam.org">C0RE Team</a></p>
 <p>Guang Gong (龚广) (<a href="http://twitter.com/oldfresher">@oldfresher</a>) of
   Alpha Team, <a href="http://www.360.com">Qihoo 360 Technology Co. Ltd.</a></p>
 
+<p>Guangdong Bai of Singapore Institute of Technology (SIT)</p>
+
 <p><a href="mailto:arnow117@gmail.com">Hanxiang Wen</a> of <a
   href="http://c0reteam.org">C0RE Team</a></p>
 
 <p>Hao Chen of Alpha Team, Qihoo 360 Technology Co. Ltd.</p>
 
+<p>Hiroki Yamamoto of Sony Mobile Communications Inc.</p>
+
 <p><a href="mailto:hlhan@bupt.edu.cn">Hongli Han</a> of
    <a href="http://c0reteam.org">C0RE Team</a></p>
 
@@ -89,6 +108,9 @@ of <a href="http://c0reteam.org">C0RE Team</a></p>
 
 <p>Jeff Trim</p>
 
+<p>Jianjun Dai (<a href="https://twitter.com/Jioun_dai">@Jioun_dai</a>) of <a
+href="https://skyeye.360safe.com">Qihoo 360 Skyeye Labs</a></p>
+
 <p>Jianqiang Zhao (<a href="https://twitter.com/jianqiangzhao">@jianqiangzhao</a>)
    of IceSword Lab, Qihoo 360</p>
    
@@ -96,8 +118,15 @@ of <a href="http://c0reteam.org">C0RE Team</a></p>
 
 <p>Jun Cheng of Alibaba Inc.</p>
 
+<p>Lenx Wei (韦韬) of Baidu X-Lab (百度安全实验室)</p>
+
+<p><a href="mailto:zlbzlb815@163.com">Lubo Zhang</a>
+of <a href="http://c0reteam.org">C0RE Team</a></p>
+
 <p>ma.la of LINE Corporation</p>
 
+<p>Makoto Onuki of Google</p>
+
 <p>Max Spector of Google:</p>
 
 <p>Michael Goberman of IBM Security X-Force</p>
@@ -107,8 +136,17 @@ of <a href="http://c0reteam.org">C0RE Team</a></p>
 
 <p>Monk Avel</p>
 
+<p>Nathan Crandall (<a href="https://twitter.com/natecray">@natecray</a>)
+of Tesla Motors Product Security Team</p>
+
 <p>Nikolay Elenkov of LINE Corporation</p>
 
+<p>Ning You of Alibaba Mobile Security Group</p>
+
+<p>Peng Xiao of Alibaba Mobile Security Group</p>
+
+<p>Pengfei Ding (丁鹏飞) of Baidu X-Lab (百度安全实验室)</p>
+
 <p>Peter Pi (<a href="https://twitter.com/heisecode">@heisecode</a>)
    of Trend Micro</p>
   
@@ -117,26 +155,45 @@ of <a href="http://c0reteam.org">C0RE Team</a></p>
   
 <p>Qidan He (何淇丹) (<a href="https://twitter.com/flanker_hqd">@flanker_hqd</a>)
   of KeenLab, Tencent (腾讯科恩实验室)</p>
-  
+
+<p>Qing Zhang of Qihoo 360</p>
+
+<p>Quhe of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)</p>
+ 
 <p>Roee Hay of IBM Security X-Force</p>
 
 <p>Sagi Kedmi of IBM X-Force Research</p>
 
+<p><a href="mailto:keun-o.park@darkmatter.ae">Sahara</a> of Secure
+Communications in DarkMatter</p>
+
+<p>salls (<a href="https://twitter.com/chris_salls">@chris_salls</a>) of
+Shellphish Grill Team, UC Santa Barbara</p>
+
 <p>Scott Bauer (<a href="http://twitter.com/ScottyBauer1">@ScottyBauer1</a>)</p>
 
 <p>Sean Beaupre (<a href="https://twitter.com/firewaterdevs">@firewaterdevs</a>)</p>
 
 <p>Seven Shen (<a href="https://twitter.com/lingtongshen">@lingtongshen</a>) of
   Trend Micro Mobile Threat Research Team</p>
-  
+
+<p>Shinichi Matsumoto of Fujitsu</p>
+
+<p><a href="mailto:smarques84@gmail.com">Stéphane Marques</a> of <a
+href="http://www.byterev.com">ByteRev</a></p>
+ 
 <p>Stephen Morrow</p>
 
+<p>Svetoslav Ganov of Google</p>
+
 <p><a href="mailto:segfault5514@gmail.com">Tong Lin</a>
 of <a href="http://c0reteam.org">C0RE Team</a></p>
 
 <p>V.E.O (<a href="https://twitter.com/vysea">@VYSEa</a>) of Mobile Threat
   Research Team, <a href="http://www.trendmicro.com">Trend Micro</a></p>
-  
+
+<p>wanchouchou of Ant-financial Light-Year Security Lab (蚂蚁金服巴斯光年安全实验室)</p>
+ 
 <p>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of
   Alibaba Inc.</p>
   
@@ -155,12 +212,16 @@ of <a href="http://c0reteam.org">C0RE Team</a></p>
 <p><a href="mailto:bigwyfone@gmail.com">Yanfeng Wang</a>
 of <a href="http://c0reteam.org">C0RE Team</a></p>
 
+<p>Yang Song of Alibaba Mobile Security Group</p>
+
 <p><a href="mailto:yaojun8558363@gmail.com">Yao Jun</a> of
    <a href="http://c0reteam.org">C0RE Team</a></p>
    
 <p>Yong Wang (王勇) (<a href="https://twitter.com/ThomasKing2014">@ThomasKing2014</a>)
    of Alibaba Inc.</p>
-   
+  
+<p>Yu Pan of Vulpecker Team, Qihoo 360 Technology Co. Ltd</p>
+ 
 <p><a href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a> of
    <a href="http://c0reteam.org">C0RE Team</a></p>
 
diff --git a/src/security/security_toc.cs b/src/security/security_toc.cs
index 3b5993b6..53aa8d31 100644
--- a/src/security/security_toc.cs
+++ b/src/security/security_toc.cs
@@ -62,6 +62,7 @@
            <li><a href="<?cs var:toroot ?>security/advisory/2016-03-18.html">2016-03-18</a></li>
          </ul>
       </li>
+      <li><a href="<?cs var:toroot ?>security/bulletin/2017-03-01.html">March 2017</a></li>
       <li><a href="<?cs var:toroot ?>security/bulletin/2017-02-01.html">February 2017</a></li>
       <li><a href="<?cs var:toroot ?>security/bulletin/2017-01-01.html">January 2017</a></li>
       <li class="nav-section">
-- 
cgit v1.2.3