Merge "Docs: February bulletin with AOSP links and typo cleanup Bug: 26411900"
diff --git a/src/security/bulletin/2016-02-01.jd b/src/security/bulletin/2016-02-01.jd
index b209d6e..3effe07 100644
--- a/src/security/bulletin/2016-02-01.jd
+++ b/src/security/bulletin/2016-02-01.jd
@@ -24,7 +24,7 @@
</div>
</div>
-<p><em>Published February 01, 2016</em></p>
+<p><em>Published February 01, 2016 | Updated February 2, 2016</em></p>
<p>We have released a security update to Nexus devices through an over-the-air
(OTA) update as part of our Android Security Bulletin Monthly Release process.
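Review bot: The new "Updated" date in the byline is written "February 2, 2016", while the published date beside it is "February 01, 2016" and the revision entry added at the end of this patch uses "February 02, 2016". Use one format throughout, for example "Updated February 02, 2016".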
@@ -32,15 +32,15 @@
2016 or later address these issues. Refer to the <a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a> for instructions on how to check the security patch level.</p>
<p>Partners were notified about the issues described in the bulletin on January 4,
-2016 or earlier. Source code patches for these issues will be released to the
-Android Open Source Project (AOSP) repository over the next 48 hours. We will
-revise this bulletin with the AOSP links when they are available.</p>
+2016 or earlier. Where applicable, source code patches for these issues have been
+released to the Android Open Source Project (AOSP) repository.</p>
<p>The most severe of these issues is a Critical security vulnerability that could
enable remote code execution on an affected device through multiple methods
such as email, web browsing, and MMS when processing media files. The Remote Code
Execution Vulnerability in Broadcom’s Wi-Fi driver is also Critical severity as
-it could allow remote code execution on an affected device while in Wi-Fi radio range.</p>
+it could allow remote code execution on an affected device while connected to
+the same network as the attacker.</p>
<p>We have had no reports of active customer exploitation of these newly reported
issues. Refer to the <a href="#mitigations">Mitigations</a> section for details on the <a href="https://source.android.com/security/enhancements/">Android security platform protections</a> and service protections such as SafetyNet, which improve the security of the
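Review bot: The rewritten Broadcom sentence changes the stated attack condition from "while in Wi-Fi radio range" to "while connected to the same network as the attacker", which alters the described exposure rather than fixing a typo or adding an AOSP link. Neither the commit subject nor the new revision entry ("Bulletin revised to include AOSP links") mentions it. Please record the wording change in the Revisions list so readers who assessed their exposure from the original text can see that it changed.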
@@ -150,11 +150,13 @@
<li> Broadgate Team: CVE-2016-0801, CVE-2015-0802
<li> David Riley of the Google Pixel C Team: CVE-2016-0812
<li> Dongkwan Kim (<a href="mailto:[email protected]">[email protected]</a>) of System Security Lab, KAIST: CVE-2015-6614
- <li> Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>) from Lab 0x031E of Qihoo 360 Technology Co. Ltd : CVE-2016-0805
+ <li> Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>)
+ from Lab 0x031E of Qihoo 360 Technology Co. Ltd: CVE-2016-0805
<li> Hongil Kim (<a href="mailto:[email protected]">[email protected]</a>) of System Security Lab, KAIST: CVE-2015-6614
<li> Qidan He (<a href="https://twitter.com/@Flanker_hqd">@Flanker_hqd</a>) of
KeenLab (<a href="https://twitter.com/keen_lab">@keen_lab</a>), Tencent: CVE-2016-0811
- <li> Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>) of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>): CVE-2016-0803
+ <li> Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>)
+ of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>): CVE-2016-0803
<li> Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of Alibaba Inc: CVE-2016-0808
<li> Zach Riggle (<a href="https://twitter.com/@ebeip90">@ebeip90</a>) of the Android Security Team: CVE-2016-0807
</ul>
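Review bot: The unchanged Broadgate Team entry at the top of this list credits "CVE-2015-0802", but the Broadcom table in this same file lists CVE-2016-0801 and CVE-2016-0802, so the year looks like a typo. This change is a typo cleanup and already edits the list, so fix it here or confirm that the 2015 identifier is intended.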
@@ -183,27 +185,28 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bugs</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0801</td>
- <td>ANDROID-25662029</td>
+ <td>ANDROID-25662029*</td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Oct 25, 2015</td>
</tr>
<tr>
<td>CVE-2016-0802</td>
- <td>ANDROID-25306181</td>
+ <td>ANDROID-25306181*</td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Oct 26,2015</td>
</tr>
</table>
-
+<p>* The patch for this issue is not in AOSP. The update is contained in the
+latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>
<h3 id=remote_code_execution_vulnerability_in_mediaserver>Remote Code Execution Vulnerability in Mediaserver</h3>
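Review bot: In the CVE-2016-0802 row the reported date still reads "Oct 26,2015" with no space after the comma, while the row above has "Oct 25, 2015". The hunk already edits that row's bug cell, so correct the date in the same pass.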
@@ -223,21 +226,21 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bugs with AOSP links</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0803</td>
- <td>ANDROID-25812794</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/50270d98e26fa18b20ca88216c3526667b724ba7">ANDROID-25812794</a></td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 19, 2015</td>
</tr>
<tr>
<td>CVE-2016-0804</td>
- <td>ANDROID-25070434</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/224858e719d045c8554856b12c4ab73d2375cf33">ANDROID-25070434</a></td>
<td>Critical</td>
<td>5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Oct 12, 2015</td>
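Review bot: The two frameworks/av links added here percent-encode the path separators ("platform%2Fframeworks%2Fav"), whereas the minikin and broadcom/wlan links added later in this patch use plain slashes ("platform/frameworks/minikin"). Pick one form for all AOSP links, preferably the plain-slash path, which is easier to read and to search for in the source.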
@@ -257,22 +260,24 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bug</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0805</td>
- <td>ANDROID-25773204</td>
+ <td>ANDROID-25773204*</td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 15, 2015</td>
</tr>
</table>
+<p>* The patch for this issue is not in AOSP. The update is contained in the
+latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>
-<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wifi_driver>Elevation of Privilege Vulnerability in Qualcomm WiFi Driver</h3>
+<h3 id=elevation_of_privilege_vulnerability_in_qualcomm_wifi_driver>Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver</h3>
<p>There is a vulnerability in the Qualcomm Wi-Fi driver that could enable a local
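Review bot: The "not in AOSP" footnote paragraph added after this table is the same text added after the Broadcom table and again after the Qualcomm Wi-Fi table, so any later correction to the wording or the driver URL has to be made in three places. Consider stating it once and pointing the asterisks at that single note, or at least keep the three copies identical when they are next edited.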
@@ -283,20 +288,22 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bug</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0806</td>
- <td>ANDROID-25344453</td>
+ <td>ANDROID-25344453*</td>
<td>Critical</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 15, 2015</td>
</tr>
</table>
+<p>* The patch for this issue is not in AOSP. The update is contained in the
+latest binary drivers for Nexus devices available from the <a href="https://developers.google.com/android/nexus/drivers">Google Developer site</a>.</p>
<h3 id=elevation_of_privilege_vulnerability_in_the_debuggerd>Elevation of Privilege Vulnerability in the Debuggerd </h3>
@@ -309,14 +316,14 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0807</td>
- <td>ANDROID-25187394</td>
+ <td><a href="https://android.googlesource.com/platform%2Fsystem%2Fcore/+/d917514bd6b270df431ea4e781a865764d406120">ANDROID-25187394</a></td>
<td>Critical</td>
<td>6.0 and 6.0.1</td>
<td>Google Internal</td>
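Review bot: The "Updated versions" cell in the CVE-2016-0807 row reads "6.0 and 6.0.1", while the other tables in this patch use a comma-separated list ("6.0, 6.0.1"). The row is already being edited for the AOSP link, so normalise the cell to the comma form here.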
@@ -335,14 +342,14 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0808</td>
- <td>ANDROID-25645298</td>
+ <td><a href="https://android.googlesource.com/platform/frameworks/minikin/+/ed4c8d79153baab7f26562afb8930652dfbf853b">ANDROID-25645298</a></td>
<td>High</td>
<td>5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Nov 3, 2015</td>
@@ -361,14 +368,14 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0809</td>
- <td>ANDROID-25753768</td>
+ <td><a href="https://android.googlesource.com/platform/hardware/broadcom/wlan/+/2c5a4fac8bc8198f6a2635ede776f8de40a0c3e1%5E%21/#F0">ANDROID-25753768</a></td>
<td>High</td>
<td>6.0, 6.0.1</td>
<td>Google Internal</td>
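Review bot: The CVE-2016-0809 link ends in "%5E%21/#F0", so it opens the diff view of the commit with an anchor on its first file, while every other AOSP link in this patch points at the commit page itself. Unless the file anchor is deliberate, link to the commit (".../+/2c5a4fac8bc8198f6a2635ede776f8de40a0c3e1") so all rows behave the same way.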
@@ -389,14 +396,14 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0810</td>
- <td>ANDROID-25781119</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/19c47afbc402542720ddd280e1bbde3b2277b586">ANDROID-25781119</a></td>
<td>High</td>
<td>4.4.4, 5.0, 5.1.1, 6.0, 6.0.1</td>
<td>Google Internal</td>
@@ -414,14 +421,14 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bug with AOSP link</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0811</td>
- <td>ANDROID-25800375</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fav/+/22f824feac43d5758f9a70b77f2aca840ba62c3b">ANDROID-25800375</a></td>
<td>High</td>
<td>6.0, 6.0.1</td>
<td>Nov 16, 2015</td>
@@ -440,21 +447,21 @@
<table>
<tr>
<th>CVE</th>
- <th>Bug(s)</th>
+ <th>Bugs with AOSP links</th>
<th>Severity</th>
<th>Updated versions</th>
<th>Date reported</th>
</tr>
<tr>
<td>CVE-2016-0812</td>
- <td>ANDROID-25229538</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/84669ca8de55d38073a0dcb01074233b0a417541">ANDROID-25229538</a></td>
<td>Moderate</td>
<td>5.1.1, 6.0</td>
<td>Google Internal</td>
</tr>
<tr>
<td>CVE-2016-0813</td>
- <td>ANDROID-25476219</td>
+ <td><a href="https://android.googlesource.com/platform%2Fframeworks%2Fbase/+/16a76dadcc23a13223e9c2216dad1fe5cad7d6e1">ANDROID-25476219</a></td>
<td>Moderate</td>
<td>5.1.1, 6.0, 6.0.1</td>
<td>Google Internal</td>
@@ -482,3 +489,4 @@
<ul>
<li> February 01, 2016: Bulletin published.
+ <li> February 02, 2016: Bulletin revised to include AOSP links.