Docs: November 2016 Android security bulletin
Test: make online-sac-docs - tested on staging instance 13
Bug: 32348880
Change-Id: Ic104259f1ea7ed3bd5d425d584b298daf4652ab6
diff --git a/src/security/bulletin/2016-11-01.jd b/src/security/bulletin/2016-11-01.jd
new file mode 100644
index 0000000..53e225b
--- /dev/null
+++ b/src/security/bulletin/2016-11-01.jd
@@ -0,0 +1,2658 @@
+page.title=Android Security Bulletin—November 2016
+@jd:body
+
+<!--
+ Copyright 2016 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<p><em>Published November 07, 2016</em></p>
+<p>
+The Android Security Bulletin contains details of security vulnerabilities
+affecting Android devices. Alongside the bulletin, we have released a security
+update to Google devices through an over-the-air (OTA) update. The Google device
+firmware images have also been released to the
+<a href="https://developers.google.com/android/nexus/images">Google Developer
+site</a>. Security patch levels of November 06, 2016 or later address all of
+these issues. Refer to the
+<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
+and Nexus update schedule</a> to learn how to check a device's security patch level.</p>
+<p>
+Partners were notified of the issues described in the bulletin on October 20,
+2016 or earlier. Source code patches for these issues will be released to the
+Android Open Source Project (AOSP) repository in the next 48 hours. We will
+revise this bulletin with the AOSP links when they are available. This bulletin
+also includes links to patches outside of AOSP.</p>
+<p>
+The most severe of these issues is a Critical security vulnerability that could
+enable remote code execution on an affected device through multiple methods such
+as email, web browsing, and MMS when processing media files.</p>
+<p>
+We have had no reports of active customer exploitation or abuse of these newly
+reported issues. Refer to the
+<a href="#mitigations">Android and Google service
+mitigations</a> section for details on the
+<a href="{@docRoot}security/enhancements/index.html">Android
+security platform protections</a> and service protections such as
+<a href="https://developer.android.com/training/safetynet/index.html">SafetyNet</a>,
+which improve the security of the Android platform.</p>
+<p>
+We encourage all customers to accept these updates to their devices.</p>
+<h2 id="announcements">Announcements</h2>
+<ul>
+ <li>With the introduction of the Pixel and Pixel XL devices, the term for
+ <a href="#google-devices">all devices supported by Google</a> is
+ "Google devices" instead of "Nexus devices."
+ </li>
+ <li>This bulletin has three security patch levels to provide Android partners
+ with the flexibility to more quickly fix a subset of vulnerabilities that are
+ similar across all Android devices. See
+ <a href="#common-questions-and-answers">Common questions and answers</a> for
+ additional information:
+ <ul>
+ <li><strong>2016-11-01</strong>: Partial security patch level. This security
+ patch level indicates that all issues associated with 2016-11-01 (and all
+ previous security patch level) are addressed.</li>
+ <li><strong>2016-11-05</strong>: Complete security patch level. This security
+ patch level indicates that all issues associated with 2016-11-01 and 2016-11-05
+ (and all previous security patch levels) are addressed.</li>
+ <li><strong>Supplemental security patch levels</strong>
+ <p>Supplemental security patch levels are provided to identify devices
+ that contain fixes for issues that were publicly disclosed after the
+ patch level was defined. Addressing these recently disclosed
+ vulnerabilities is not required until the 2016-12-01 security patch level.
+ </p>
+ <ul>
+ <li><strong>2016-11-06</strong>: This security patch level indicates that the
+ device has addressed all issues associated with 2016-11-05 and CVE-2016-5195,
+ which was publicly disclosed on October 19, 2016.</li>
+ </ul>
+ </li>
+ </ul>
+</li>
+<li>Supported Google devices will receive a single OTA update with the November
+05, 2016 security patch level.</li>
+</ul>
+
+<h2 id="security-vulnerability-summary">Security vulnerability summary</h2>
+<p>
+The tables below contains a list of security vulnerabilities, the Common
+Vulnerability and Exposures ID (CVE), the assessed severity, and whether or not
+Google devices are affected. The
+<a href="{@docRoot}security/overview/updates-resources.html#severity">severity
+assessment</a> is based on the effect that exploiting the vulnerability would
+possibly have on an affected device, assuming the platform and service
+mitigations are disabled for development purposes or if successfully bypassed.</p>
+<h3 id="2016-11-01-summary">2016-11-01
+security patch level—Vulnerability summary</h3>
+<p>
+Security patch levels of 2016-11-01 or later must address the following issues.</p>
+<table>
+ <col width="55%">
+ <col width="20%">
+ <col width="13%">
+ <col width="12%">
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ <th>Affects Google devices?</th>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Mediaserver</td>
+ <td>CVE-2016-6699</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in libzipfile</td>
+ <td>CVE-2016-6700</td>
+ <td>Critical</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Skia</td>
+ <td>CVE-2016-6701</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in libjpeg</td>
+ <td>CVE-2016-6702</td>
+ <td>High</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Android runtime</td>
+ <td>CVE-2016-6703</td>
+ <td>High</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Mediaserver</td>
+ <td>CVE-2016-6704, CVE-2016-6705, CVE-2016-6706</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in System Server</td>
+ <td>CVE-2016-6707</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in System UI</td>
+ <td>CVE-2016-6708</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Conscrypt and BoringSSL</td>
+ <td>CVE-2016-6709</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in download manager</td>
+ <td>CVE-2016-6710</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in Bluetooth</td>
+ <td>CVE-2014-9908</td>
+ <td>High</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in OpenJDK</td>
+ <td>CVE-2015-0410</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in Mediaserver</td>
+ <td>CVE-2016-6711, CVE-2016-6712, CVE-2016-6713, CVE-2016-6714</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Framework APIs</td>
+ <td>CVE-2016-6715</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in AOSP Launcher</td>
+ <td>CVE-2016-6716</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Mediaserver</td>
+ <td>CVE-2016-6717</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Account Manager Service</td>
+ <td>CVE-2016-6718</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Bluetooth</td>
+ <td>CVE-2016-6719</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Mediaserver</td>
+ <td>CVE-2016-6720, CVE-2016-6721, CVE-2016-6722</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in Proxy Auto Config</td>
+ <td>CVE-2016-6723</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in Input Manager Service</td>
+ <td>CVE-2016-6724</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+<h3 id="2016-11-05-summary">2016-11-05
+security patch level—Vulnerability summary</h3>
+<p>
+Security patch levels of 2016-11-05 or later must address all of the 2016-11-01
+issues, as well as the following issues.</p>
+<table>
+ <col width="55%">
+ <col width="20%">
+ <col width="13%">
+ <col width="12%">
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ <th>Affects Google devices?</th>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Qualcomm crypto driver</td>
+ <td>CVE-2016-6725</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel file system</td>
+ <td>CVE-2015-8961, CVE-2016-7910, CVE-2016-7911</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel SCSI driver</td>
+ <td>CVE-2015-8962</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel media driver</td>
+ <td>CVE-2016-7913</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel USB driver</td>
+ <td>CVE-2016-7912</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel ION subsystem</td>
+ <td>CVE-2016-6728</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm bootloader</td>
+ <td>CVE-2016-6729</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in NVIDIA GPU driver</td>
+ <td>CVE-2016-6730, CVE-2016-6731, CVE-2016-6732, CVE-2016-6733,
+ CVE-2016-6734, CVE-2016-6735, CVE-2016-6736</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel networking subsystem</td>
+ <td>CVE-2016-6828</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel sound subsystem</td>
+ <td>CVE-2016-2184</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel ION subsystem</td>
+ <td>CVE-2016-6737</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Vulnerabilities in Qualcomm components</td>
+ <td>CVE-2016-6726, CVE-2016-6727</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Expat</td>
+ <td>CVE-2016-0718, CVE-2012-6702, CVE-2016-5300, CVE-2015-1283</td>
+ <td>High</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Webview</td>
+ <td>CVE-2016-6754</td>
+ <td>High</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Remote code execution vulnerability in Freetype</td>
+ <td>CVE-2014-9675</td>
+ <td>High</td>
+ <td>No*</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel performance subsystem</td>
+ <td>CVE-2015-8963</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel system-call auditing
+subsystem</td>
+ <td>CVE-2016-6136</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm crypto engine driver</td>
+ <td>CVE-2016-6738</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm camera driver</td>
+ <td>CVE-2016-6739, CVE-2016-6740, CVE-2016-6741</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Qualcomm bus driver</td>
+ <td>CVE-2016-3904</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in Synaptics touchscreen driver</td>
+ <td>CVE-2016-6742, CVE-2016-6744, CVE-2016-6745, CVE-2016-6743</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in kernel components</td>
+ <td>CVE-2015-8964, CVE-2016-7914, CVE-2016-7915, CVE-2016-7916</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in NVIDIA GPU driver</td>
+ <td>CVE-2016-6746</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Denial of service vulnerability in Mediaserver</td>
+ <td>CVE-2016-6747</td>
+ <td>High</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in kernel components</td>
+ <td>CVE-2016-6753, CVE-2016-7917</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+ <tr>
+ <td>Information disclosure vulnerability in Qualcomm components</td>
+ <td>CVE-2016-6748, CVE-2016-6749, CVE-2016-6750, CVE-2016-3906,
+CVE-2016-3907, CVE-2016-6698, CVE-2016-6751, CVE-2016-6752</td>
+ <td>Moderate</td>
+ <td>Yes</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.</p>
+<h3 id="2016-11-06-summary">2016-11-06
+security patch level—Vulnerability summary</h3>
+<p>
+Security patch levels of 2016-11-06 or later must address all of the 2016-11-05
+and 2016-11-01 issues, as well as the following issues.</p>
+<table>
+ <col width="55%">
+ <col width="20%">
+ <col width="13%">
+ <col width="12%">
+ <tr>
+ <th>Issue</th>
+ <th>CVE</th>
+ <th>Severity</th>
+ <th>Affects Google devices?</th>
+ </tr>
+ <tr>
+ <td>Elevation of privilege vulnerability in kernel memory subsystem</td>
+ <td>CVE-2016-5195</td>
+ <td>Critical</td>
+ <td>Yes</td>
+ </tr>
+</table>
+
+<h2 id="mitigations">Android and Google service
+mitigations</h2>
+<p>
+This is a summary of the mitigations provided by the
+<a href="{@docRoot}security/enhancements/index.html">Android
+security platform</a> and service protections, such as SafetyNet. These
+capabilities reduce the likelihood that security vulnerabilities could be
+successfully exploited on Android.</p>
+<ul>
+ <li>Exploitation for many issues on Android is made more difficult by
+ enhancements in newer versions of the Android platform. We encourage all users
+ to update to the latest version of Android where possible.</li>
+ <li>The Android Security team actively monitors for abuse with
+ <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">Verify
+ Apps and SafetyNet</a>, which are designed to warn users about
+ <a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">Potentially
+ Harmful Applications</a>. Verify Apps is enabled by default on devices with
+ <a href="http://www.android.com/gms">Google Mobile Services</a> and is especially
+ important for users who install applications from outside of Google Play. Device
+ rooting tools are prohibited within Google Play, but Verify Apps warns users
+ when they attempt to install a detected rooting application—no matter where it
+ comes from. Additionally, Verify Apps attempts to identify and block
+ installation of known malicious applications that exploit a privilege escalation
+ vulnerability. If such an application has already been installed, Verify Apps
+ will notify the user and attempt to remove the detected application.</li>
+ <li>As appropriate, Google Hangouts and Messenger applications do not
+ automatically pass media to processes such as Mediaserver.</li>
+</ul>
+<h2 id="acknowledgements">Acknowledgements</h2>
+<p>
+We would like to thank these researchers for their contributions:</p>
+<ul>
+ <li>Abhishek Arya, Oliver Chang, and Martin Barbella of Google Chrome Security
+ Team: CVE-2016-6722</li>
+ <li>Andrei Kapishnikov and Miriam Gershenson of Google: CVE-2016-6703</li>
+ <li>Ao Wang (<a href="http://twitter.com/@r4y2_wa">@r4y2_wa</a>) and
+ <a href="http://weibo.com/ele7enxxh">Zinuo Han</a> of
+ <a href="http://www.pkav.net">PKAV</a>, Silence Information Technology:
+ CVE-2016-6700, CVE-2016-6702</li>
+ <li>Askyshang of Security Platform Department, Tencent: CVE-2016-6713</li>
+ <li>Billy Lau of Android Security: CVE-2016-6737</li>
+ <li><a href="mailto:kpatsak@unipi.gr">Constantinos Patsakis</a> and
+ <a href="mailto:talepis@unipi.gr">Efthimios Alepis</a> of University of Piraeus:
+ CVE-2016-6715</li>
+ <li>dragonltx of Alibaba mobile security team: CVE-2016-6714</li>
+ <li>Gal Beniamini of Project Zero: CVE-2016-6707, CVE-2016-6717</li>
+ <li>Gengjia Chen (<a href="http://twitter.com/chengjia4574">@chengjia4574</a>)
+ and <a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab,
+<a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>.: CVE-2016-6725,
+ CVE-2016-6738, CVE-2016-6740, CVE-2016-6741, CVE-2016-6742, CVE-2016-6744,
+ CVE-2016-6745, CVE-2016-3906</li>
+ <li>Guang Gong (龚广) (<a href="http://twitter.com/oldfresher">@oldfresher</a>) of
+ Alpha Team, <a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>.:
+ CVE-2016-6754</li>
+ <li>Jianqiang Zhao (<a
+ href="http://twitter.com/jianqiangzhao">@jianqiangzhao</a>) and
+<a href="http://weibo.com/jfpan">pjf</a> of IceSword Lab,
+<a href="http://www.360.com">Qihoo 360 Technology Co. Ltd</a>.: CVE-2016-6739,
+ CVE-2016-3904, CVE-2016-3907, CVE-2016-6698</li>
+ <li>Mark Brand of Project Zero: CVE-2016-6706</li>
+ <li>Mark Renouf of Google: CVE-2016-6724</li>
+ <li>Michał Bednarski (<a
+ href="https://github.com/michalbednarski">github.com/michalbednarski</a>):
+ CVE-2016-6710</li>
+ <li>Min Chong of Android Security: CVE-2016-6743</li>
+ <li>Peter Pi (<a href="http://twitter.com/heisecode">@heisecode</a>) of Trend
+ Micro: CVE-2016-6721</li>
+ <li>Qidan He (何淇丹) (<a href="http://twitter.com/flanker_hqd">@flanker_hqd</a>)
+ and Gengming Liu (刘耕铭) (<a href="http://twitter.com/dmxcsnsbh">@dmxcsnsbh</a>)
+ of KeenLab, Tencent: CVE-2016-6705</li>
+ <li>Robin Lee of Google: CVE-2016-6708</li>
+ <li><a href="mailto:sbauer@plzdonthack.me">Scott Bauer</a> (<a
+ href="http://twitter.com/ScottyBauer1">@ScottyBauer1</a>): CVE-2016-6751</li>
+ <li>Sergey Bobrov (<a href="http://twitter.com/Black2Fan">@Black2Fan</a>) of
+ Kaspersky Lab: CVE-2016-6716</li>
+ <li>Seven Shen (<a href="http://twitter.com/lingtongshen">@lingtongshen</a>) of
+ Trend Micro Mobile Threat Research Team: CVE-2016-6748, CVE-2016-6749,
+ CVE-2016-6750, CVE-2016-6753</li>
+ <li>Victor van der Veen, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida of
+ Vrije Universiteit Amsterdam and Yanick Fratantonio, Martina Lindorfer, and
+ Giovanni Vigna of University of California, Santa Barbara: CVE-2016-6728</li>
+ <li>Weichao Sun (<a href="https://twitter.com/sunblate">@sunblate</a>) of
+ Alibaba Inc: CVE-2016-6712, CVE-2016-6699, CVE-2016-6711</li>
+ <li>Wenke Dou (<a
+ href="mailto:vancouverdou@gmail.com">vancouverdou@gmail.com</a>), Chiachih Wu
+ (<a href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang
+ of <a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6720</li>
+ <li>Wish Wu (吴潍浠) (<a href="http://twitter.com/wish_wu">@wish_wu</a>) of Trend
+ Micro Inc.: CVE-2016-6704</li>
+ <li>Yakov Shafranovich of
+<a href="https://wwws.nightwatchcybersecurity.com">Nightwatch Cybersecurity</a>:
+ CVE-2016-6723</li>
+ <li><a href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a>,
+<a href="mailto:yaojun8558363@gmail.com">Yao Jun</a>,
+<a href="mailto:segfault5514@gmail.com">Tong Lin</a>, Chiachih Wu (<a
+ href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of
+<a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6730, CVE-2016-6732,
+ CVE-2016-6734, CVE-2016-6736</li>
+ <li><a href="mailto:computernik@gmail.com">Yuan-Tsung Lo</a>,
+<a href="mailto:yaojun8558363@gmail.com">Yao Jun</a>,
+<a href="mailto:wisedd@gmail.com">Xiaodong Wang</a>, Chiachih Wu (<a
+ href="https://twitter.com/chiachih_wu">@chiachih_wu</a>), and Xuxian Jiang of
+<a href="http://c0reteam.org">C0RE Team</a>: CVE-2016-6731, CVE-2016-6733,
+ CVE-2016-6735, CVE-2016-6746</li>
+</ul>
+<p>
+Additional thanks to Zach Riggle of Android Security for his contributions
+to several issues in this bulletin.</p>
+
+<h2 id="2016-11-01-details">2016-11-01 security patch level—Vulnerability details</h2>
+<p>
+In the sections below, we provide details for each of the security
+vulnerabilities listed in the
+<a href="#2016-11-01-summary">2016-11-01
+security patch level—Vulnerability summary</a> above. There is a description of
+the issue, a severity rationale, and a table with the CVE, associated
+references, severity, updated Google devices, updated AOSP versions (where
+applicable), and date reported. When available, we will link the public change
+that addressed the issue to the bug ID, like the AOSP change list. When multiple
+changes relate to a single bug, additional references are linked to numbers
+following the bug ID.</p>
+
+<h3 id="rce-in-mediaserver">Remote code execution vulnerability in Mediaserver</h3>
+<p>
+A remote code execution vulnerability in Mediaserver could enable an attacker
+using a specially crafted file to cause memory corruption during media file and
+data processing. This issue is rated as Critical due to the possibility of
+remote code execution within the context of the Mediaserver process.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6699</td>
+ <td>A-31373622</td>
+ <td>Critical</td>
+ <td>All</td>
+ <td>7.0</td>
+ <td>Jul 27, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-libzipfile">Elevation of privilege vulnerability in libzipfile</h3>
+<p>
+An elevation of privilege vulnerability in libzipfile could enable a local
+malicious application to execute arbitrary code within the context of a
+privileged process. This issue is rated as Critical due to the possibility of a
+local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6700</td>
+ <td>A-30916186</td>
+ <td>Critical</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1</td>
+ <td>Aug 17, 2016</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3 id="rce-in-skia">Remote code execution vulnerability in Skia</h3>
+<p>
+A remote code execution vulnerability in libskia could enable an attacker using
+a specially crafted file to cause memory corruption during media file and data
+processing. This issue is rated as High due to the possibility of remote code
+execution within the context of the gallery process.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6701</td>
+ <td>A-30190637</td>
+ <td>High</td>
+ <td>All</td>
+ <td>7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3 id="rce-in-libjpeg">Remote code execution vulnerability in libjpeg</h3>
+<p>
+A remote code execution vulnerability in libjpeg could enable an attacker using
+a specially crafted file to execute arbitrary code in the context of an
+unprivileged process. This issue is rated as High due to the possibility of
+remote code execution in an application that uses libjpeg.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6702</td>
+ <td>A-30259087</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1</td>
+ <td>Jul 19, 2016</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3 id="rce-in-android-runtime">Remote code execution vulnerability in Android runtime</h3>
+<p>
+A remote code execution vulnerability in an Android runtime library could enable
+an attacker using a specially crafted payload to execute arbitrary code in the
+context of an unprivileged process. This issue is rated as High due to the
+possibility of remote code execution in an application that uses the Android
+runtime.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6703</td>
+ <td>A-30765246</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3 id="eop-in-mediaserver">Elevation of privilege vulnerability in Mediaserver</h3>
+<p>
+An elevation of privilege vulnerability in Mediaserver could enable a local
+malicious application to execute arbitrary code within the context of a
+privileged process. This issue is rated as High because it could be used to gain
+local access to elevated capabilities, which are not normally accessible to a
+third-party application.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6704</td>
+ <td>A-30229821</td>
+ <td>High</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jul 19, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6705</td>
+ <td>A-30907212</td>
+ <td>High</td>
+ <td>All</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Aug 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6706</td>
+ <td>A-31385713</td>
+ <td>High</td>
+ <td>All</td>
+ <td>7.0</td>
+ <td>Sep 8, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-system-server">Elevation of privilege vulnerability in System Server</h3>
+<p>
+An elevation of privilege vulnerability in System Server could enable a local
+malicious application to execute arbitrary code within the context of a
+privileged process. This issue is rated as High because it could be used to gain
+local access to elevated capabilities, which are not normally accessible to a
+third-party application.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6707</td>
+ <td>A-31350622</td>
+ <td>High</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Sep 7, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-system-ui">Elevation of privilege vulnerability in System UI</h3>
+<p>
+An elevation of privilege in the System UI could enable a local malicious user
+to bypass the security prompt of a work profile in Multi-Window mode. This
+issue is rated as High because it is a local bypass of user interaction
+requirements for any developer or security setting modifications.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6708</td>
+ <td>A-30693465</td>
+ <td>High</td>
+ <td>All</td>
+ <td>7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3 id="id-in-conscrypt-and-boringssl">Information disclosure vulnerability in
+Conscrypt and BoringSSL</h3>
+<p>
+An information disclosure vulnerability in Conscrypt and BoringSSL could enable
+a man-in-the middle attacker to gain access to sensitive information if a
+non-standard cipher suite is used by an application. This issue is rated as High
+because it could be used to access data without permission.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6709</td>
+ <td>A-31081987</td>
+ <td>High</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Oct 9, 2015</td>
+ </tr>
+</table>
+<h3 id="id-in-download-manager">Information disclosure vulnerability in download
+manager</h3>
+<p>
+An information disclosure vulnerability in the download manager could enable a
+local malicious application to bypass operating system protections that isolate
+application data from other applications. This issue is rated as High because it
+could be used to gain access to data that the application does not have access
+to.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6710</td>
+ <td>A-30537115</td>
+ <td>High</td>
+ <td>All</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jul 30, 2016</td>
+ </tr>
+</table>
+<h3 id="dos-in-bluetooth">Denial of service
+vulnerability in Bluetooth</h3>
+<p>
+A denial of service vulnerability in Bluetooth could enable a proximate attacker
+to block Bluetooth access to an affected device. This issue is rated as High due
+to the possibility of remote denial of service.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2014-9908</td>
+ <td>A-28672558</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1</td>
+ <td>May 5, 2014</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3 id="dos-in-openjdk">Denial of service
+vulnerability in OpenJDK</h3>
+<p>
+A remote denial of service vulnerability in OpenJDK could enable an attacker to
+use a specially crafted file to cause a device hang or reboot. This issue is
+rated as High due to the possibility of remote denial of service.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-0410</td>
+ <td>A-30703445</td>
+ <td>High</td>
+ <td>All</td>
+ <td>7.0</td>
+ <td>Jan 16, 2015</td>
+ </tr>
+</table>
+<h3 id="dos-in-mediaserver">Denial of service
+vulnerability in Mediaserver</h3>
+<p>
+A remote denial of service vulnerability in Mediaserver could enable an attacker
+to use a specially crafted file to cause a device hang or reboot. This issue is
+rated as High due to the possibility of remote denial of service.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6711</td>
+ <td>A-30593765</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Aug 1, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6712</td>
+ <td>A-30593752</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Aug 1, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6713</td>
+ <td>A-30822755</td>
+ <td>High</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Aug 11, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6714</td>
+ <td>A-31092462</td>
+ <td>High</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Aug 22, 2016</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3 id="eop-in-framework-apis">Elevation of
+privilege vulnerability in Framework APIs</h3>
+<p>
+An elevation of privilege vulnerability in the Framework APIs could allow a
+local malicious application to record audio without the user's permission. This
+issue is rated as Moderate because it is a local bypass of user interaction
+requirements (access to functionality that would normally require either user
+initiation or user permission).
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6715</td>
+ <td>A-29833954</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 28, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-aosp-launcher">Elevation of
+privilege vulnerability in AOSP Launcher</h3>
+<p>
+An elevation of privilege vulnerability in the AOSP Launcher could allow a local
+malicious application to create shortcuts that have elevated privileges without
+the user's consent. This issue is rated as Moderate because it is a local bypass
+of user interaction requirements (access to functionality that would normally
+require either user initiation or user permission).
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6716</td>
+ <td>A-30778130</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>7.0</td>
+ <td>Aug 5, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-mediaserver-1">Elevation of
+privilege vulnerability in Mediaserver</h3>
+<p>
+An elevation of privilege vulnerability in Mediaserver could enable a local
+malicious application to execute arbitrary code within the context of a
+privileged process. This issue is rated as Moderate because it first requires
+exploitation of a separate vulnerability.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6717</td>
+ <td>A-31350239</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Sep 7, 2016</td>
+ </tr>
+</table>
+<h3
+id="eop-in-account-manager-service">Elevation
+of privilege vulnerability in Account Manager Service</h3>
+<p>
+An elevation of privilege vulnerability in the Account Manager Service could
+enable a local malicious application to retrieve sensitive information without
+user interaction. This issue is rated as Moderate because it is a local bypass
+of user interaction requirements (access to functionality that would normally
+require either user initiation or user permission.)
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6718</td>
+ <td>A-30455516</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3 id="eop-in-bluetooth">Elevation of
+privilege vulnerability in Bluetooth</h3>
+<p>
+An elevation of privilege vulnerability in the Bluetooth component could enable
+a local malicious application to pair with any Bluetooth device without user
+consent. This issue is rated as Moderate because it is a local bypass of user
+interaction requirements (access to functionality that would normally require
+either user initiation or user permission).
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6719</td>
+ <td>A-29043989</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h3 id="id-in-mediaserver">Information
+disclosure vulnerability in Mediaserver</h3>
+<p>
+An information disclosure vulnerability in Mediaserver could enable a local
+malicious application to access data outside of its permission levels. This
+issue is rated as Moderate because it could be used to access sensitive data
+without permission.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6720</td>
+ <td>A-29422020</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jun 15, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6721</td>
+ <td>A-30875060</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>6.0, 6.0.1, 7.0</td>
+ <td>Aug 13, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6722</td>
+ <td>A-31091777</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Aug 23, 2016</td>
+ </tr>
+</table>
+<h3 id="dos-in-proxy-auto-config">Denial of service
+vulnerability in Proxy Auto Config</h3>
+<p>
+A denial of service vulnerability in Proxy Auto Config could enable a remote
+attacker to use a specially crafted file to cause a device hang or reboot. This
+issue is rated as Moderate because it requires an uncommon device configuration.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6723</td>
+ <td>A-30100884</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Jul 11, 2016</td>
+ </tr>
+</table>
+<h3 id="dos-in-input-manager-service">Denial of
+service vulnerability in Input Manager Service</h3>
+<p>
+A denial of service vulnerability in the Input Manager Service could enable a
+local malicious application to cause the device to continually reboot. This
+issue is rated as Moderate because it is a temporary denial of service that
+requires a factory reset to fix.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6724</td>
+ <td>A-30568284</td>
+ <td>Moderate</td>
+ <td>All</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<h2 id="2016-11-05-details">2016-11-05 security patch level—Vulnerability details</h2>
+<p>
+In the sections below, we provide details for each of the security
+vulnerabilities listed in the <a href="#2016-11-05-summary">2016-11-05
+security patch level—Vulnerability summary</a> above. There is a description of
+the issue, a severity rationale, and a table with the CVE, associated
+references, severity, updated Google devices, updated AOSP versions (where
+applicable), and date reported. When available, we will link the public change
+that addressed the issue to the bug ID, like the AOSP change list. When multiple
+changes relate to a single bug, additional references are linked to numbers
+following the bug ID.
+</p>
+<h3 id="rce-in-qualcomm-crypto-driver">Remote
+code execution vulnerability in Qualcomm crypto driver</h3>
+<p>
+A remote code execution vulnerability in the Qualcomm crypto driver could enable
+a remote attacker to execute arbitrary code within the context of the kernel.
+This issue is rated as Critical due to the possibility of remote code execution
+in the context of the kernel.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6725</td>
+ <td>A-30515053<br>
+<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=cc95d644ee8a043f2883d65dda20e16f95041de3">QC-CR#1050970</a></td>
+ <td>Critical</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Jul 25, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-kernel-file-system">Elevation of
+privilege vulnerability in kernel file system</h3>
+<p>
+An elevation of privilege vulnerability in the kernel file system could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-8961</td>
+ <td>A-30952474
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6934da9238da947628be83635e365df41064b09b">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Pixel, Pixel XL</td>
+ <td>Oct 18, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-7911</td>
+ <td>A-30946378
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8ba8682107ee2ca3347354e018865d8e1967c5f4">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>Jul 01, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-7910</td>
+ <td>A-30942273
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>Jul 29, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-kernel-scsi-driver">Elevation of
+privilege vulnerability in kernel SCSI driver</h3>
+<p>
+An elevation of privilege vulnerability in the kernel SCSI driver could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-8962</td>
+ <td>A-30951599
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f3951a3709ff50990bf3e188c27d346792103432">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Pixel, Pixel XL</td>
+ <td>Oct 30, 2015</td>
+ </tr>
+</table>
+<h3 id="eop-in-kernel-media-driver">Elevation
+of privilege vulnerability in kernel media driver</h3>
+<p>
+An elevation of privilege vulnerability in the kernel media driver could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-7913</td>
+ <td>A-30946097
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8dfbcc4351a0b6d2f2d77f367552f48ffefafe18">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Nexus 6P, Android One, Nexus Player, Pixel, Pixel XL</td>
+ <td>Jan 28, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-kernel-usb-driver">Elevation of
+privilege vulnerability in kernel USB driver</h3>
+<p>
+An elevation of privilege vulnerability in the kernel USB driver could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-7912</td>
+ <td>A-30950866
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=38740a5b87d53ceb89eb2c970150f6e94e00373a">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Pixel C, Pixel, Pixel XL</td>
+ <td>Apr 14, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-kernel-ion-subsystem">Elevation
+of privilege vulnerability in kernel ION subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel ION subsystem could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6728</td>
+ <td>A-30400942*</td>
+ <td>Critical</td>
+ <td>Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C,
+Android One</td>
+ <td>Jul 25, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="eop-in-qualcomm-bootloader">Elevation
+of privilege vulnerability in Qualcomm bootloader</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm bootloader could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6729</td>
+ <td>A-30977990*
+<br>
+QC-CR#977684</td>
+ <td>Critical</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Jul 25, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="eop-in-nvidia-gpu-driver">Elevation of
+privilege vulnerability in NVIDIA GPU driver</h3>
+<p>
+An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a
+local malicious application to execute arbitrary code within the context of the
+kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6730</td>
+ <td>A-30904789*<br>
+ N-CVE-2016-6730</td>
+ <td>Critical</td>
+ <td>Pixel C</td>
+ <td>Aug 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6731</td>
+ <td>A-30906023*<br>
+ N-CVE-2016-6731</td>
+ <td>Critical</td>
+ <td>Pixel C</td>
+ <td>Aug 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6732</td>
+ <td>A-30906599*<br>
+ N-CVE-2016-6732</td>
+ <td>Critical</td>
+ <td>Pixel C</td>
+ <td>Aug 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6733</td>
+ <td>A-30906694*<br>
+ N-CVE-2016-6733</td>
+ <td>Critical</td>
+ <td>Pixel C</td>
+ <td>Aug 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6734</td>
+ <td>A-30907120*<br>
+ N-CVE-2016-6734</td>
+ <td>Critical</td>
+ <td>Pixel C</td>
+ <td>Aug 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6735</td>
+ <td>A-30907701*<br>
+ N-CVE-2016-6735</td>
+ <td>Critical</td>
+ <td>Pixel C</td>
+ <td>Aug 16, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6736</td>
+ <td>A-30953284*<br>
+ N-CVE-2016-6736</td>
+ <td>Critical</td>
+ <td>Pixel C</td>
+ <td>Aug 18, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3
+id="eop-in-kernel-networking-subsystem">Elevation
+of privilege vulnerability in kernel networking subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel networking subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility of
+a local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6828</td>
+ <td>A-31183296
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/include/net/tcp.h?id=bb1fceca22492109be12640d49f5ea5a544c6bb4">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>Aug 18, 2016</td>
+ </tr>
+</table>
+<h3
+id="eop-in-kernel-sound-subsystem">Elevation of
+privilege vulnerability in kernel sound subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel sound subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility of
+a local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-2184</td>
+ <td>A-30952477
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=836b34a935abc91e13e63053d0a83b24dfb5ea78">Upstream
+kernel</a></td>
+ <td>Critical</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>Mar 31, 2016</td>
+ </tr>
+</table>
+<h3 id="eop-in-kernel-ion-subsystem-1">Elevation
+of privilege vulnerability in kernel ION subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel ION subsystem could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as Critical due to the possibility of a local
+permanent device compromise, which may require reflashing the operating system
+to repair the device.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6737</td>
+ <td>A-30928456*</td>
+ <td>Critical</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel C, Nexus Player, Pixel,
+Pixel XL</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="vulnerabilities-in-qualcomm-components">Vulnerabilities in Qualcomm
+components</h3>
+<p>
+The table below contains security vulnerabilities affecting Qualcomm components
+and are described in further detail in Qualcomm AMSS June 2016 security
+bulletin and Security Alert 80-NV606-17.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity*</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6727</td>
+ <td>A-31092400**</td>
+ <td>Critical</td>
+ <td>Android One</td>
+ <td>Qualcomm internal</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6726</td>
+ <td>A-30775830**</td>
+ <td>High</td>
+ <td>Nexus 6, Android One</td>
+ <td>Qualcomm internal</td>
+ </tr>
+</table>
+<p>* The severity rating for these vulnerabilities was determined by the vendor.</p>
+<p>
+** The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="rce-in-expat">Remote code execution
+vulnerability in Expat</h3>
+<p>
+The table below contains security vulnerabilities affecting the Expat library.
+The most severe of these issues is an elevation of privilege vulnerability in
+the Expat XML parser, which could enable an attacker using a specially crafted
+file to execute arbitrary code in an unprivileged process. This issue is rated
+as High due to the possibility of arbitrary code execution in an application
+that uses Expat.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-0718</td>
+ <td>A-28698301</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>May 10, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2012-6702</td>
+ <td>A-29149404</td>
+ <td>Moderate</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Mar 06, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-5300</td>
+ <td>A-29149404</td>
+ <td>Moderate</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Jun 04, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2015-1283</td>
+ <td>A-27818751</td>
+ <td>Low</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Jul 24, 2015</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3 id="rce-in-webview">Remote code execution
+vulnerability in Webview</h3>
+<p>
+A remote code execution vulnerability in Webview could enable a remote attacker
+to execute arbitrary code when the user is navigating to a website. This issue
+is rated as High due to the possibility of remote code execution in an
+unprivileged process.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6754</td>
+ <td>A-31217937</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Aug 23, 2016</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3 id="rce-in-freetype">Remote code execution
+vulnerability in Freetype</h3>
+<p>
+A remote code execution vulnerability in Freetype could enable a local malicious
+application to load a specially crafted font to cause memory corruption in an
+unprivileged process. This issue is rated as High due to the possibility of
+remote code execution in applications that use Freetype.
+</p>
+<table>
+ <col width="18%">
+ <col width="18%">
+ <col width="10%">
+ <col width="19%">
+ <col width="17%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Updated AOSP versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2014-9675</td>
+ <td>A-24296662</td>
+ <td>High</td>
+ <td>None*</td>
+ <td>4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* Supported Google devices on Android 7.0 or later that have installed all
+available updates are not affected by this vulnerability.
+</p>
+<h3
+id="eop-in-kernel-performance-subsystem">Elevation
+of privilege vulnerability in kernel performance subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel performance subsystem
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-8963</td>
+ <td>A-30952077
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=12ca6ad2e3a896256f086497a7c7406a547ee373">Upstream
+kernel</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>Dec 15, 2015</td>
+ </tr>
+</table>
+<h3
+id="eop-in-kernel-system-call-auditing-subsystem">Elevation
+of privilege vulnerability in kernel system-call auditing subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel system-call auditing
+subsystem could enable a local malicious application to disrupt system-call
+auditing in the kernel. This issue is rated as High because it is a general
+bypass for a kernel-level defense in depth or exploit mitigation technology.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6136</td>
+ <td>A-30956807
+<br>
+<a
+href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=43761473c254b45883a64441dd0bc85a42f3645c">Upstream
+kernel</a></td>
+ <td>High</td>
+ <td>Android One, Pixel C, Nexus Player</td>
+ <td>Jul 1, 2016</td>
+ </tr>
+</table>
+<h3
+id="eop-in-qualcomm-crypto-engine-driver">Elevation
+of privilege vulnerability in Qualcomm crypto engine driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm crypto engine driver
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6738</td>
+ <td>A-30034511
+<br>
+<a
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=a829c54236b455885c3e9c7c77ac528b62045e79">QC-CR#1050538</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Jul 7, 2016</td>
+ </tr>
+</table>
+<h3
+id="eop-in-qualcomm-camera-driver">Elevation of
+privilege vulnerability in Qualcomm camera driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm camera driver could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6739</td>
+ <td>A-30074605*<br>
+ QC-CR#1049826</td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+ <td>Jul 11, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6740</td>
+ <td>A-30143904
+<br>
+<a
+href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=ef78bd62f0c064ae4c827e158d828b2c110ebcdc">QC-CR#1056307</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Jul 12, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6741</td>
+ <td>A-30559423
+<br>
+<a
+href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=d291eebd8e43bba3229ae7ef9146a132894dc293">QC-CR#1060554</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Jul 28, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="eop-in-qualcomm-bus-driver">Elevation
+of privilege vulnerability in Qualcomm bus driver</h3>
+<p>
+An elevation of privilege vulnerability in the Qualcomm bus driver could enable
+a local malicious application to execute arbitrary code within the context of
+the kernel. This issue is rated as High because it first requires compromising a
+privileged process.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-3904</td>
+ <td>A-30311977
+<br>
+<a
+href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=069683407ca9a820d05c914b57c587bcd3f16a3a">QC-CR#1050455</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+ <td>Jul 22, 2016</td>
+ </tr>
+</table>
+<h3
+id="eop-in-synaptics-touchscreen-driver">Elevation
+of privilege vulnerability in Synaptics touchscreen driver</h3>
+<p>
+An elevation of privilege vulnerability in the Synaptics touchscreen driver
+could enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as High because it first requires
+compromising a privileged process.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6742</td>
+ <td>A-30799828*</td>
+ <td>High</td>
+ <td>Nexus 5X, Android One</td>
+ <td>Aug 9, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6744</td>
+ <td>A-30970485*</td>
+ <td>High</td>
+ <td>Nexus 5X</td>
+ <td>Aug 19, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6745</td>
+ <td>A-31252388*</td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL</td>
+ <td>Sep 1, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6743</td>
+ <td>A-30937462*</td>
+ <td>High</td>
+ <td>Nexus 9, Android One</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="id-in-kernel-components">Information
+disclosure vulnerability in kernel components</h3>
+<p>
+An information disclosure vulnerability in kernel components, including the
+human interface device driver, file system, and Teletype driver, could enable a
+local malicious application to access data outside of its permission levels.
+This issue is rated as High because it could be used to access sensitive data
+without explicit user permission.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2015-8964</td>
+ <td>A-30951112
+<br>
+<a
+href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=dd42bf1197144ede075a9d4793123f7689e164bc">Upstream
+kernel</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>Nov 27, 2015</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-7915</td>
+ <td>A-30951261
+<br>
+<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=50220dead1650609206efe91f0cc116132d59b3f">Upstream
+kernel</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>Jan 19, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-7914</td>
+ <td>A-30513364
+<br>
+<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2">Upstream
+kernel</a></td>
+ <td>High</td>
+ <td>Pixel C, Pixel, Pixel XL</td>
+ <td>Apr 06, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-7916</td>
+ <td>A-30951939
+<br>
+<a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8148a73c9901a8794a50f950083c00ccf97d43b3">Upstream
+kernel</a></td>
+ <td>High</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player,
+Pixel, Pixel XL</td>
+ <td>May 05, 2016</td>
+ </tr>
+</table>
+<h3 id="id-in-nvidia-gpu-driver">Information
+disclosure vulnerability in NVIDIA GPU driver</h3>
+<p>
+An information disclosure vulnerability in the NVIDIA GPU driver could enable a
+local malicious application to access data outside of its permission levels.
+This issue is rated as High because it could be used to access sensitive data
+without explicit user permission.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6746</td>
+ <td>A-30955105*<br>
+ N-CVE-2016-6746</td>
+ <td>High</td>
+ <td>Pixel C</td>
+ <td>Aug 18, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="dos-in-mediaserver-1">Denial of service vulnerability in Mediaserver</h3>
+<p>
+A denial of service vulnerability in Mediaserver could enable an attacker to use
+a specially crafted file to cause a device hang or reboot. This issue is rated
+as High due to the possibility of remote denial of service.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6747</td>
+ <td>A-31244612*<br>
+ N-CVE-2016-6747</td>
+ <td>High</td>
+ <td>Nexus 9</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="id-in-kernel-components-1">Information disclosure vulnerability in
+kernel components</h3>
+<p>
+An information disclosure vulnerability in kernel components, including the
+process-grouping subsystem and the networking subsystem, could enable a local
+malicious application to access data outside of its permission levels. This
+issue is rated as Moderate because it first requires compromising a privileged
+process.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-7917</td>
+ <td>A-30947055
+<br>
+<a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c58d6c93680f28ac58984af61d0a7ebf4319c241">Upstream
+kernel</a></td>
+ <td>Moderate</td>
+ <td>Pixel C, Pixel, Pixel XL</td>
+ <td>Feb 02, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6753</td>
+ <td>A-30149174*</td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel C, Nexus Player, Pixel, Pixel
+XL</td>
+ <td>Jul 13, 2016</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+<h3 id="id-in-qualcomm-components">Information
+disclosure vulnerability in Qualcomm components</h3>
+<p>
+An information disclosure vulnerability in Qualcomm components including the GPU
+driver, power driver, SMSM Point-to-Point driver, and sound driver, could enable
+a local malicious application to access data outside of its permission levels.
+This issue is rated as Moderate because it first requires compromising a
+privileged process.
+</p>
+<table>
+ <col width="19%">
+ <col width="20%">
+ <col width="10%">
+ <col width="23%">
+ <col width="17%">
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated Google devices</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-6748</td>
+ <td>A-30076504
+<br>
+<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=be651d020b122a1ba9410d23ca4ebbe9f5598df6">QC-CR#987018</a></td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Jul 12, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6749</td>
+ <td>A-30228438
+<br>
+<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f9185dc83b92e7d1ee341e32e8cf5ed00a7253a7">QC-CR#1052818</a></td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+ <td>Jul 12, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6750</td>
+ <td>A-30312054
+<br>
+<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=34bda711a1c7bc7f9fd7bea3a5be439ed00577e5">QC-CR#1052825</a></td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Jul 21, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3906</td>
+ <td>A-30445973
+<br>
+<a href="https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=b333d32745fec4fb1098ee1a03d4425f3c1b4c2e">QC-CR#1054344</a></td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6P</td>
+ <td>Jul 27, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-3907</td>
+ <td>A-30593266
+<br>
+<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=744330f4e5d70dce71c4c9e03c5b6a8b59bb0cda">QC-CR#1054352</a></td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6P, Pixel, Pixel XL</td>
+ <td>Aug 2, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6698</td>
+ <td>A-30741851
+<br>
+<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=de90beb76ad0b80da821c3b857dd30cd36319e61">QC-CR#1058826</a></td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Aug 2, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6751</td>
+ <td>A-30902162*<br>
+ QC-CR#1062271</td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Aug 15, 2016</td>
+ </tr>
+ <tr>
+ <td>CVE-2016-6752</td>
+ <td>A-31498159
+<br>
+<a href="https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?h=0de2c7600c8f1f0152a2f421c6593f931186400a">QC-CR#987051</a></td>
+ <td>Moderate</td>
+ <td>Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL</td>
+ <td>Google internal</td>
+ </tr>
+</table>
+<p>
+* The patch for this issue is not publicly available. The update is contained in
+the latest binary drivers for Google devices available from the <a
+href="https://developers.google.com/android/nexus/drivers">Google Developer
+site</a>.
+</p>
+
+<h2 id="2016-11-06-details">2016-11-06 security patch level—Vulnerability details</h2>
+<p>
+In the sections below, we provide details for each of the security
+vulnerabilities listed in the
+<a href="#2016-11-06-summary">2016-11-06 security patch level—Vulnerability
+summary</a> above. There is a description of
+the issue, a severity rationale, and a table with the CVE, associated
+references, severity, updated Google devices, updated AOSP versions (where
+applicable), and date reported. When available, we will link the public change
+that addressed the issue to the bug ID, like the AOSP change list. When multiple
+changes relate to a single bug, additional references are linked to numbers
+following the bug ID.
+</p>
+<h3
+id="eop-in-kernel-memory-subsystem">Elevation
+of privilege vulnerability in kernel memory subsystem</h3>
+<p>
+An elevation of privilege vulnerability in the kernel memory subsystem could
+enable a local malicious application to execute arbitrary code within the
+context of the kernel. This issue is rated as Critical due to the possibility of
+a local permanent device compromise, which may require reflashing the operating
+system to repair the device.
+</p>
+<p>
+<strong>Note:</strong> A security patch level of 2016-11-06 indicates that this
+issue, as well as all issues associated with 2016-11-01 and 2016-11-05 are
+addressed.
+</p>
+<table>
+ <tr>
+ <th>CVE</th>
+ <th>References</th>
+ <th>Severity</th>
+ <th>Updated kernel versions</th>
+ <th>Date reported</th>
+ </tr>
+ <tr>
+ <td>CVE-2016-5195</td>
+ <td>A-32141528<br>
+<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=9691eac5593ff1e2f82391ad327f21d90322aec1">Upstream kernel</a>
+[<a href="https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=e45a502bdeae5a075257c4f061d1ff4ff0821354">2</a>]</td>
+ <td>Critical</td>
+ <td>3.10, 3.18</td>
+ <td>Oct 12, 2016</td>
+ </tr>
+</table>
+<h2 id="common-questions-and-answers">Common Questions and Answers</h2>
+<p>
+This section answers common questions that may occur after reading this
+bulletin.
+</p>
+<p>
+<strong>1. How do I determine if my device is updated to address these issues?</strong>
+</p>
+<p>
+To learn how to check a device’s security patch level, read the instructions on the
+<a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">Pixel
+and Nexus update schedule</a>.
+</p>
+<ul>
+ <li>Security patch levels of 2016-11-01 or later address all issues associated
+ with the 2016-11-01 security patch level.</li>
+ <li>Security patch levels of 2016-11-05 or later address all issues associated
+ with the 2016-11-05 security patch level and all previous patch levels.</li>
+ <li>Security patch levels of 2016-11-06 or later address all issues associated
+ with the 2016-11-06 security patch level and all previous patch
+ levels.</li>
+</ul>
+<p>
+Device manufacturers that include these updates should set the patch level
+string to:
+</p>
+<ul>
+ <li>[ro.build.version.security_patch]:[2016-11-01]</li>
+ <li>[ro.build.version.security_patch]:[2016-11-05]</li>
+ <li>[ro.build.version.security_patch]:[2016-11-06].</li>
+</ul>
+<p>
+<strong>2. Why does this bulletin have three security patch levels?</strong>
+</p>
+<p>
+This bulletin has three security patch levels so that Android partners have the
+flexibility to fix a subset of vulnerabilities that are similar across all
+Android devices more quickly. Android partners are encouraged to fix all issues
+in this bulletin and use the latest security patch level.
+</p>
+<ul>
+ <li>Devices that use the November 1, 2016 security patch level must include all
+ issues associated with that security patch level, as well as fixes for all
+ issues reported in previous security bulletins.</li>
+ <li>Devices that use the security patch level of November 5, 2016 or newer must
+ include all applicable patches in this (and previous) security bulletins.</li>
+ <li>Devices that use the security patch level of November 6, 2016 or newer must
+ include all applicable patches in this (and previous) security
+ bulletins.</li>
+</ul>
+<p>
+Partners are encouraged to bundle the fixes for all issues they are addressing
+in a single update.
+</p>
+<p id="google-devices">
+<strong>3. How do I determine which Google devices are affected by each
+issue?</strong>
+</p>
+<p>
+In the
+<a href="#2016-11-01-details">2016-11-01</a>,
+<a href="#2016-11-05-details">2016-11-05</a>,
+and
+<a href="#2016-11-06-details">2016-11-06</a>
+security vulnerability details sections, each table has an <em>Updated Google
+devices</em> column that covers the range of affected Google devices updated for
+each issue. This column has a few options:
+</p>
+<ul>
+ <li><strong>All Google devices</strong>: If an issue affects all Nexus and Pixel
+ devices, the table will have "All" in the <em>Updated Google devices</em>
+ column. "All" encapsulates the following
+ <a href="https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices">supported
+ devices</a>: Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9,
+ Android One, Nexus Player, Pixel C, Pixel, and Pixel XL.</li>
+ <li><strong>Some Google devices</strong>: If an issue doesn't affect all Google
+ devices, the affected Google devices are listed in the <em>Updated Google
+ devices</em> column.</li>
+ <li><strong>No Google devices</strong>: If no Google devices running Android 7.0
+ are affected by the issue, the table will have "None" in the <em>Updated Google
+ devices</em> column.</li>
+</ul>
+<p>
+<strong>4. What do the entries in the references column map to?</strong>
+</p>
+<p>
+Entries under the <em>References</em> column of the vulnerability details table
+may contain a prefix identifying the organization to which the reference value
+belongs. These prefixes map as follows:
+</p>
+<table>
+ <tr>
+ <th>Prefix</th>
+ <th>Reference</th>
+ </tr>
+ <tr>
+ <td>A-</td>
+ <td>Android bug ID</td>
+ </tr>
+ <tr>
+ <td>QC-</td>
+ <td>Qualcomm reference number</td>
+ </tr>
+ <tr>
+ <td>M-</td>
+ <td>MediaTek reference number</td>
+ </tr>
+ <tr>
+ <td>N-</td>
+ <td>NVIDIA reference number</td>
+ </tr>
+ <tr>
+ <td>B-</td>
+ <td>Broadcom reference number</td>
+ </tr>
+</table>
+
+<h2 id="revisions">Revisions</h2>
+<ul>
+<li>November 07, 2016: Bulletin published.</li>
+</ul>
diff --git a/src/security/bulletin/index.jd b/src/security/bulletin/index.jd
index af1cf32..06f9a73 100644
--- a/src/security/bulletin/index.jd
+++ b/src/security/bulletin/index.jd
@@ -20,21 +20,32 @@
built from day one with security in mind. Monthly device updates are an
important tool to make and keep Android users safe. This page contains the
available Android Security Bulletins. These security bulletins also include
-information users can follow to ensure their Nexus device has the latest security
+information users can follow to ensure their device has the latest security
updates.</p>
-<p>To get notifications when we publish a new bulletin, join the
+<p>To get notifications when a new bulletin is published, join the
<a href="https://groups.google.com/forum/#!forum/android-security-updates">Android
Security Updates group</a>, and set your email delivery preference to receive
-all updates. Refer to the
-<a href="https://support.google.com/nexus/answer/4457705">Nexus documentation</a>
-for instructions on how to check the security patch level, using the security
-patch level provided below. In general, it takes about one and a half calendar
+all updates. To learn how to check if a device is up to date using the security
+patch level, read the instructions on the
+<a href="https://support.google.com/nexus/answer/4457705">Pixel and Nexus
+update schedule</a>. In general, it takes about one and a half calendar
weeks for the OTA to reach every Nexus device. The Nexus firmware images are
also released each month to the
<a href="https://developers.google.com/android/nexus/images">Google Developer
site</a>.
</p>
+<p>Fixes listed in the public bulletin come from various different sources: the
+Android Open Source Project (AOSP), the upstream Linux kernel, and system-on-chip
+(SOC) manufacturers. For device manufacturers:</p>
+<ul>
+ <li>Android platform fixes are merged into AOSP 24-48 hours after the security
+ bulletin is released and can be picked up directly from there.</li>
+ <li>Upstream linux kernel fixes are linked to directly from the bulletin on
+ release and can be picked up from there.</li>
+ <li>Fixes from SOC manfacturers are available directly from the manufacturers.</li>
+</ul>
+
<table>
<col width="19%">
@@ -48,6 +59,15 @@
<th>Security Patch Level</th>
</tr>
<tr>
+ <td><a href="2016-11-01.html">November 2016</a></td>
+ <td>Coming soon
+ </td>
+ <td>November 7, 2016</td>
+ <td>2016-11-01<br>
+ 2016-11-05<br>
+ 2016-11-06</td>
+ </tr>
+ <tr>
<td><a href="2016-10-01.html">October 2016</a></td>
<td>
<a href="2016-10-01.html">English</a> /
diff --git a/src/security/overview/acknowledgements.jd b/src/security/overview/acknowledgements.jd
index c9d6c7c..239c8e3 100644
--- a/src/security/overview/acknowledgements.jd
+++ b/src/security/overview/acknowledgements.jd
@@ -54,13 +54,21 @@
<p>Andrea Biondo</p>
+<p>Andrei Kapishnikov of Google</p>
+
<p>Andy Tyler (<a href="https://twitter.com/ticarpi">@ticarpi</a>) of
<a href="https://www.e2e-assure.com">e2e-assure</a></p>
<p>Anestis Bechtsoudis (<a href="https://twitter.com/anestisb">@anestisb</a>) of CENSUS S.A.</p>
+<p>Ao Wang (<a href="http://twitter.com/@r4y2_wa">@r4y2_wa</a>) of
+ <a href="http://www.pkav.net">PKAV</a>, Silence Information Technology</p>
+<p>Askyshang of Security Platform Department, Tencent</p>
+
<p>Ben Hawkes of Google Project Zero</p>
+<p>Billy Lau of Android Security</p>
+
<p>Brad Ebinger of Google Telecom Team</p>
<p>Broadgate Team</p>
@@ -76,8 +84,13 @@
<p>Christopher Tate of Google</p>
+<p><a href="mailto:kpatsak@unipi.gr">Constantinos Patsakis</a> of University
+ of Piraeus</p>
+
<p>Cory Pruce of Carnegie Mellon University</p>
+<p>Cristiano Giuffrida of Vrije Universiteit Amsterdam</p>
+
<p>Daniel Micay of Copperhead Security</p>
<p>David Benjamin of Google</p>
@@ -103,17 +116,29 @@
<p>dosomder</p>
+<p>dragonltx of Alibaba mobile security team</p>
+
<p>DS</p>
<p>Dzmitry Lukyanenka (<a href="http://www.linkedin.com/in/dzima">www.linkedin.com/in/dzima</a>)</p>
<p>Ecular Xu (徐健) of Trend Micro</p>
-<p>Gal Beniamini (<a href="https://twitter.com/@laginimaineb">@laginimaineb</a>, <a href="http://bits-please.blogspot.com/">http://bits-please.blogspot.com</a>)</p>
+<p><a href="mailto:talepis@unipi.gr">Efthimios Alepis</a> of University of Piraeus</p>
-<p>Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>) from Lab 0x031E of Qihoo 360 Technology Co. Ltd</p>
+<p>Gal Beniamini (<a href="https://twitter.com/@laginimaineb">@laginimaineb</a>,
+ <a href="http://bits-please.blogspot.com/">http://bits-please.blogspot.com</a>)</p>
-<p> <a href="mailto:gpiskas@gmail.com">George Piskas</a> of <a href="https://www.epfl.ch">École polytechnique fédérale de Lausanne</a></p>
+<p>Gengjia Chen (<a href="https://twitter.com/@chengjia4574">@chengjia4574</a>)
+ of Lab 0x031E, Qihoo 360 Technology Co. Ltd</p>
+
+<p>Gengming Liu (刘耕铭) (<a href="http://twitter.com/dmxcsnsbh">@dmxcsnsbh</a>)
+ of KeenLab, Tencent</p>
+
+<p><a href="mailto:gpiskas@gmail.com">George Piskas</a> of
+ <a href="https://www.epfl.ch">École polytechnique fédérale de Lausanne</a></p>
+
+<p>Giovanni Vigna of University of California, Santa Barbara</p>
<p>Greg Kaiser of Google Android Team</p>
@@ -126,6 +151,8 @@
<p>Hao Qin of Security Research Lab, <a href="http://www.cmcm.com">Cheetah Mobile</a></p>
+<p> Herbert Bos of Vrije Universiteit Amsterdam</p>
+
<p>Hongil Kim (<a href="mailto:hongilk@kaist.ac.kr">hongilk@kaist.ac.kr</a>) of System Security Lab, KAIST</p>
<p>Imre Rad of <a href="http://www.search-lab.hu/">Search-Lab Ltd.</a></p>
@@ -155,6 +182,8 @@
<p>Kandala Shivaram reddy</p>
+<p>Kaveh Razavi of Vrije Universiteit Amsterdam</p>
+
<p>Kenny Root of Google</p>
<p>Lee Campbell of Google</p>
@@ -172,13 +201,22 @@
<p>Mark Brand of Google Project Zero</p>
+<p>Mark Renouf of Google</p>
+
<p>Martin Barbella of Google Chrome Security Team</p>
+<p>Martina Lindorfer of University of California, Santa Barbara</p>
+
<p>Max Spector of Google</p>
<p>Michał Bednarski (<a href="https://github.com/michalbednarski">https://github.com/michalbednarski</a>)</p>
-<p>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>) of <a href="http://c0reteam.org">C0RE Team</a> from <a href="http://www.360safe.com/">Qihoo 360</a></p>
+<p>Min Chong of Android Security</p>
+
+<p>Mingjian Zhou (<a href="https://twitter.com/Mingjian_Zhou">@Mingjian_Zhou</a>)
+ of <a href="http://c0reteam.org">C0RE Team</a>, <a href="http://www.360safe.com/">Qihoo 360</a></p>
+
+<p>Miriam Gershenson of Google</p>
<p>Nancy Wang of Vertu Corporation LTD</p>
@@ -218,6 +256,8 @@
<p>Ricky Wai of Google</p>
+<p>Robin Lee of Google</p>
+
<p>Roee Hay, IBM Security X-Force Researcher</p>
<p>Roeland Krak</p>
@@ -240,6 +280,9 @@
<p>Sen Nie (<a href="https://twitter.com/@nforest_">@nforest_</a>) of KEEN lab,
Tencent (<a href="https://twitter.com/k33nteam">@K33nTeam</a>)</p>
+<p>Sergey Bobrov (<a href="http://twitter.com/Black2Fan">@Black2Fan</a>) of
+ Kaspersky Lab</p>
+
<p>Seven Shen (<a href="https://twitter.com/@lingtongshen">@lingtongshen</a>)
of Trend Micro (<a href="http://www.trendmicro.com">www.trendmicro.com</a>)</p>
@@ -264,6 +307,9 @@
<p>Tom Rootjunky</p>
+<p><a href="mailto:segfault5514@gmail.com">Tong Lin</a> of
+<a href="http://c0reteam.org">C0RE Team</a></p>
+
<p><a href="mailto:litongxin1991@gmail.com">Tongxin Li</a> of Peking University</p>
<p>trotmaster (<a href="https://twitter.com/trotmaster99">@trotmaster99</a>)</p>
@@ -272,6 +318,8 @@
<p>Victor Chang of Google</p>
+<p>Victor van der Veen of Vrije Universiteit Amsterdam</p>
+
<p>Vignesh Venkatasubramanian of Google</p>
<p>Vishwath Mohan of Android Security</p>
@@ -292,6 +340,9 @@
<p>Wish Wu (<a href="https://twitter.com/@wish_wu">@wish_wu</a>) of Trend Micro Inc.</p>
+<p><a href="mailto:wisedd@gmail.com">Xiaodong Wang</a> of
+<a href="http://c0reteam.org">C0RE Team</a></p>
+
<p><a href="mailto:xw7@indiana.edu">Xiaofeng Wang</a> of Indiana University Bloomington</p>
<p>Xiling Gong of Tencent Security Platform Department</p>
@@ -301,14 +352,23 @@
<p><a href="mailto:hanxinhui@pku.edu.cn">Xinhui Han</a> of Peking University</p>
-<p>Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a> from <a href="http://www.360safe.com/">Qihoo 360</a></p>
+<p>Xuxian Jiang of <a href="http://c0reteam.org">C0RE Team</a>,
+ <a href="http://www.360safe.com/">Qihoo 360</a></p>
<p>Yabin Cui from Android Bionic Team</p>
<p>Yacong Gu of TCA Lab, Institute of Software, Chinese Academy of Sciences</p>
+<p>Yakov Shafranovich of
+<a href="https://wwws.nightwatchcybersecurity.com">Nightwatch Cybersecurity</a></p>
+
<p>Yang Ssong of Alibaba Mobile Security Group</p>
+<p>Yanick Fratantonio of University of California, Santa Barbara</p>
+
+<p><a href="mailto:yaojun8558363@gmail.com">Yao Jun</a> of
+<a href="http://c0reteam.org">C0RE Team</a></p>
+
<p><a href="mailto:luc2yj@gmail.com">Yeonjoon Lee</a> of Indiana University Bloomington</p>
<p>Yingjiu Li of Singapore Management University</p>
@@ -334,6 +394,10 @@
<p><a href="mailto:zhiyunq@cs.ucr.edu">Zhiyun Qian</a> of UC Riverside</p>
+<p><a href="http://weibo.com/ele7enxxh">Zinuo Han</a> of
+ <a href="http://www.pkav.net">PKAV</a>, Silence Information Technology</p>
+
+
</div>
<h2 id=2015>2015</h2>
diff --git a/src/security/security_toc.cs b/src/security/security_toc.cs
index 4f89b74..4221216 100644
--- a/src/security/security_toc.cs
+++ b/src/security/security_toc.cs
@@ -62,6 +62,7 @@
<li><a href="<?cs var:toroot ?>security/advisory/2016-03-18.html">2016-03-18</a></li>
</ul>
</li>
+ <li><a href="<?cs var:toroot ?>security/bulletin/2016-11-01.html">November 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-10-01.html">October 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-09-01.html">September 2016</a></li>
<li><a href="<?cs var:toroot ?>security/bulletin/2016-08-01.html">August 2016</a></li>
