Today’s release of Android 7.1.1 Nougat brings with it the December security patch. For the last month of 2016, Google is releasing two patches, one labeled 2016-12-01 and the other 2016-12-05. Between them, the patches fix a variety of issues, the most serious being a remote code execution vulnerability in CURL/LIBCURL and an “elevation of privilege” vulnerability in Android’s kernel memory subsystem. The full lists of bugs fixed in each patch are below.
2016-12-01
Issue | CVE | Severity | Affects Google devices? |
---|---|---|---|
Remote code execution vulnerability in CURL/LIBCURL | CVE-2016-5419, CVE-2016-5420, CVE-2016-5421 | High | Yes |
Elevation of privilege vulnerability in libziparchive | CVE-2016-6762 | High | Yes |
Denial of service vulnerability in Telephony | CVE-2016-6763 | High | Yes |
Denial of service vulnerability in Mediaserver | CVE-2016-6766, CVE-2016-6765, CVE-2016-6764, CVE-2016-6767 | High | Yes |
Remote code execution vulnerability in Framesequence library | CVE-2016-6768 | High | Yes |
Elevation of privilege vulnerability in Smart Lock | CVE-2016-6769 | Moderate | No* |
Elevation of privilege vulnerability in Framework APIs | CVE-2016-6770 | Moderate | Yes |
Elevation of privilege vulnerability in Telephony | CVE-2016-6771 | Moderate | Yes |
Elevation of privilege vulnerability in Wi-Fi | CVE-2016-6772 | Moderate | Yes |
Information disclosure vulnerability in Mediaserver | CVE-2016-6773 | Moderate | Yes |
Information disclosure vulnerability in Package Manager | CVE-2016-6774 | Moderate | Yes |
2016-12-05 (includes all fixes found in 2016-12-01 alongside the following)
Issue | CVE | Severity | Affects Google devices? |
---|---|---|---|
Elevation of privilege vulnerability in kernel memory subsystem | CVE-2016-4794, CVE-2016-5195 | Critical | Yes |
Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2016-6775, CVE-2016-6776, CVE-2016-6777 | Critical | Yes |
Elevation of privilege vulnerability in kernel | CVE-2015-8966 | Critical | No* |
Elevation of privilege vulnerability in NVIDIA video driver | CVE-2016-6915, CVE-2016-6916, CVE-2016-6917 | Critical | Yes |
Elevation of privilege vulnerability in kernel ION driver | CVE-2016-9120 | Critical | Yes |
Vulnerabilities in Qualcomm components | CVE-2016-8411 | Critical | Yes |
Elevation of privilege vulnerability in kernel file system | CVE-2014-4014 | High | Yes |
Elevation of privilege vulnerability in kernel | CVE-2015-8967 | High | Yes |
Elevation of privilege vulnerability in HTC sound codec driver | CVE-2016-6778, CVE-2016-6779, CVE-2016-6780 | High | Yes |
Elevation of privilege vulnerability in MediaTek driver | CVE-2016-6492, CVE-2016-6781, CVE-2016-6782, CVE-2016-6783, CVE-2016-6784, CVE-2016-6785 | High | No* |
Elevation of privilege vulnerability in Qualcomm media codecs | CVE-2016-6761, CVE-2016-6760, CVE-2016-6759, CVE-2016-6758 | High | Yes |
Elevation of privilege vulnerability in Qualcomm camera driver | CVE-2016-6755 | High | Yes |
Elevation of privilege vulnerability in kernel performance subsystem | CVE-2016-6786, CVE-2016-6787 | High | Yes |
Elevation of privilege vulnerability in MediaTek I2C driver | CVE-2016-6788 | High | No* |
Elevation of privilege vulnerability in NVIDIA libomx library | CVE-2016-6789, CVE-2016-6790 | High | Yes |
Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2016-6791, CVE-2016-8391, CVE-2016-8392 | High | Yes |
Elevation of privilege vulnerability in kernel security subsystem | CVE-2015-7872 | High | Yes |
Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2016-8393, CVE-2016-8394 | High | Yes |
Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2014-9909, CVE-2014-9910 | High | No* |
Information disclosure vulnerability in MediaTek video driver | CVE-2016-8396 | High | No* |
Information disclosure vulnerability in NVIDIA video driver | CVE-2016-8397 | High | Yes |
Denial of service vulnerability in GPS | CVE-2016-5341 | High | Yes |
Denial of service vulnerability in NVIDIA camera driver | CVE-2016-8395 | High | Yes |
Elevation of privilege vulnerability in kernel networking subsystem | CVE-2016-8399 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm components | CVE-2016-6756, CVE-2016-6757 | Moderate | Yes |
Information disclosure vulnerability in NVIDIA librm library | CVE-2016-8400 | Moderate | Yes |
Information disclosure vulnerability in kernel components | CVE-2016-8401, CVE-2016-8402, CVE-2016-8403, CVE-2016-8404, CVE-2016-8405, CVE-2016-8406, CVE-2016-8407 | Moderate | Yes |
Information disclosure vulnerability in NVIDIA video driver | CVE-2016-8408, CVE-2016-8409 | Moderate | Yes |
Information disclosure vulnerability in Qualcomm sound driver | CVE-2016-8410 | Moderate | Yes |
If you’re looking for factory and OTA updates, you can find them on this page in the form of Android 7.1.1 Nougat. This means you’ll have to update to the latest version of Android to get the security patch. That isn’t a bad thing, though, as you’ll be up to date in a variety of ways, system-wide security in particular.
- SOURCE: Android Developers Blog
- VIA: Android Police