AOSP 4.4 security-changelog

The raw log was generated using a modified version of this script written by JBQ and improved by Al Sutton.

Please do not copy this without attribution to this site and JBQ for the original script.

+- Project: android_art

479fe13 : Finish fixing Zygote descriptor leakage problem

+- Project: android_bionic

daff42d : Update timezone data to 2017a
c3a4133 : Check for bad packets in getaddrinfo.c's getanswer.
410a6d5 : Fix overflow testing in sbrk.
b457cb7 : Fix brk/sbrk error checking.

+- Project: android_bootable_recovery

2dd650e : Add a checker for signature boundary in verifier
87bc27b : Track usage of Vector / SortedVector from libutils DO NOT MERGE

+- Project: android_build

dc745e3 : Update Security String to 2017-07-01
b2b22c0 : Update Security String to 2017-06-01
567e401 : Update Security String to 2017-05-01
a6ac59d : Update Security String to 2017-04-01
ae19637 : Update Security String to 2017-03-01
3fe1eea : Update Security String to 2017-02-01
8d4604a : Update Security string to 2017-01-01 in klp-dev
ebd65bb : Update Security String to 2016-12-01
7875151 : Update Security String to 2016-11-01 b/31618336
06f7985 : Update Security String to 2016-10-01 to platform and CTS for October
6593e96 : Updating security string to 2016-09-01 to platform and CTS in preparation for 2016 September OTA
5a56ae8 : Update security patch string to 2016-08-01 - For Partners only
9dcdc2e : Updating security string to 2016-07-01
7bade4d : Update security patch string to 2016-06-01
da03ce5 : Allow building with javac 1.7
43f238c : Some changes added to compile and run with Java 6 and Java 7.
e746334 : build: Allow building with OpenJDK
c2af00f : Support building with GNU make 4.0
b246e79 : Merge Conflict--Update Security String to 2016-05-01 in preparation for May 2016 Security OTA
c61a5c2 : Updating security string patch to 2016-04-01
1b11d53 : Updating security patch string to 2016-03-01
d7b4806 : DO NOT MERGE - Update security string to 2016-02-01
69b783f : Update Security String to 2016-01-01 - DO NOT MERGE
17c9809 : Update security string to 2015-12-01 - DO NOT MERGE
a232f4d : DO NOT MERGE - Backport of ag/748221 - Security Patch Level in Settings CL#2/3

+- Project: android_dalvik

9d90ae2 : Zygote: Additional whitelisting for legacy devices.
c113e5e : Zygote : Block SIGCHLD during fork.
3c26944 : Backport changes to whitelist sockets opened by the zygote.
98e6ecd : Fix potential buffer overrun.
29a0b87 : Remove old fork-and-specialize API
7004b0c : Finish fixing Zygote descriptor leakage problem

+- Project: android_external_aac

5157f83 : Fix aacDecoder_drcExtractAndMap()
df09a70 : Fix stack corruption happening in aacDecoder_drcExtractAndMap()

+- Project: android_external_bluetooth_bluedroid

52a228d : Check LE advertising data length before caching advertising records
905a778 : DO NOT MERGE Fix potential DoS caused by delivering signal to BT process
055cf78 : DO NOT MERGE btif: check overflow on create_pbuf size
0043c95 : Change pairing_cb to assume temporary pairing by default
260bf63 : DO NOT MERGE Check size of pin before replying
bb50d03 : DO NOT MERGE Remove Porsche car-kit pairing workaround
242b1e0 : Use 0000 as pin key for PORCHE_PAIRING_CONFLICT issue
a61bd41 : DO NOT MERGE - Add proper checks for PAN & BNEP in BD stack

+- Project: android_external_bouncycastle

19dac08 : DO NOT MERGE bouncycastle: limit input length as specified by the NIST spec

+- Project: android_external_chromium

7cbee04 : Remove SSLv3 fallback logic

+- Project: android_external_chromium_org

797ceca : Disable SPDY pooling
af8709f : Add client-side support for TLS_FALLBACK_SCSV
5dab2e1 : Disable SPDY pooling

+- Project: android_external_chromium_org_third_party_openssl

765b4c8 : CVE 2016-2109 fix
407ed3e : Add client-side support for TLS_FALLBACK_SCSV.
9b83937 : Only allow ephemeral RSA keys in export ciphersuites.

+- Project: android_external_dhcpcd

2a4c627 : Improve length checks in DHCP Options parsing of dhcpcd.
6f91ba0 : Really disable IPv6 RA processing in dhcpcd.
61ea854 : Fix DoS vulnerability in DHO_OPTIONSOVERLOADED.

+- Project: android_external_expat

6e35309 : Fix cast from pointer to integer of different size
1346b74 : Security Vulnerability - CVE-2012-6702 and CVE-2016-5300
51749fb : Fix CVE-2016-0718: Expat XML Parser Crashes on Malformed Input
b982292 : Upgrade to expat 2.1.1

+- Project: android_external_flac

732bd38 : src/libFLAC/stream_decoder.c : Fix NULL de-reference.
ad10b47 : Avoid free-before-initialize vulnerability in heap

+- Project: android_external_freetype

889104d : Update FreeType from 2.6.2 to c38be52bf8de (2.7 + a few post-2.7 CLs)
a2d2f3a : Update FreeType to 2.6.2+update from 2.4.12

+- Project: android_external_icu4c

452948d : Update timezone info to 2017a

+- Project: android_external_jhead

9a1a535 : Fix possible out of bounds accesses
96777bd : Fix possible out of bounds access

+- Project: android_external_jpeg

19a6799 : libjpeg should always use jmemnobs DO NOT MERGE

+- Project: android_external_libnfc-nci

dec857b : Fix native crash in nfc_ncif_proc_activate

+- Project: android_external_libvpx

413f1fd : Limit vpx decoder to 4K frames
7bc4b8b : vp8:fix threading issues
659e9d3 : DO NOT MERGE libvpx: Cherry-pick 8b4c315 from upstream
d827b1e : DO NOT MERGE | libvpx: Cherry-pick 0f42d1f from upstream
7bb0255 : DO NOT MERGE | libvpx: cherry-pick aa1c813 from upstream
9837fbc : DO NOT MERGE - external/libvpx/libwebm: Update snapshot
22abafc : DO NOT MERGE - libvpx: Pull from upstream

+- Project: android_external_libxml2

eb6c342 : DO NOT MERGE: Use correct limit for port values
784d91f : DO NOT MERGE: Apply upstream Chromium patch for encoding changes
feeb1ee : DO NOT MERGE: Add validation for external entities
f854f3d : DO NOT MERGE: fix for the XPath nodeTab use-after-free bug from nmehta@
3961607 : DO NOT MERGE: Heap buffer overflow in xmlAddID
d697903 : DO NOT MERGE: Disallow namespace nodes in XPointer ranges
f8ebef2 : DO NOT MERGE: Fix XPointer paths beginning with range-to

+- Project: android_external_okhttp

eae3944 : Fix a bug in OkHostnameVerifier wildcard handling.
b6b72da : SCSV support

+- Project: android_external_openssl

3587403 : CVE 2016-2109 fix
42437d1 : Fix overflow check in BN_bn2dec()
89b686c : Check for errors in BN_bn2dec()
a02d734 : Fix memory issues in BIO_*printf functions
47c113e : Check that we have enough padding characters.
18b642b : Constant-time utilities
86fbed9 : Fix encoding bug in i2c_ASN1_INTEGER
7b976ba : Fix double-free in DSA code (CVE-2016-0705)
ad41f66 : Add support for TLS_FALLBACK_SCSV
6b408ee : Fix for CVE-2014-0195
21fd5a0 : Fix CVE-2014-0221
7e12360 : Fix CVE-2014-3470
c785241 : Only allow ephemeral RSA keys in export ciphersuites.

+- Project: android_external_sepolicy

894c043 : Allow the zygote to stat all files it opens.

+- Project: android_external_skia

172db19 : Fix out of bounds memory read in GIFMovie.cpp
4a0fbab : Use min/max to pin value between 0 and 255.
d58a710 : Update SK_CRASH to default to abort().
d50f2b8 : Fix removal of SI8_opaque_D32_nofilter_DX_arm
02ce051 : Remove SI8_opaque_D32_nofilter_DX_arm DO NOT MERGE
1168aa4 : Prevent malformed ICO files from recursively decoding
968454f : Fix overflow when comparing two ints by promoting the sum to 64-bits.
3e9f006 : Handle bad ICO data better.
ae64a20 : SkScaledBitmapSampler: fix memory overwritten

+- Project: android_external_sonivox

6c241c3 : Check chunk size
1234ee6 : Fix infinite recursion
5e0e9db : eas_mdls: fix OOB read.
ba00921 : Fix NULL pointer dereference
8f43a5c : Sonivox: add SafetyNet log.
b026654 : Sonivox: sanity check numSamples.
161a3de : Check segments and libs
2f4af97 : Sonivox: check loopStart/loopLength against one specific wave, not whole wave pool.
8407cb0 : Sonivox: fix overflow in Parse_data in eas_mdls.c
6d9c04a : Sonivox: make sure waveIndex is valid in Parse_rgn() in eas_mdls.c.
ac4e1ec : DLS parser: fix wave pool size check.

+- Project: android_external_sqlite

c10cb2b : sqlite: upgrade to patched SQLite 3.7.11 - DO NOT MERGE
65efff0 : Fix world-readable permissions due to sqlite race condition

+- Project: android_external_tremolo

dc92d87 : Always use unsigned char
a91f49f : Tremolo: fix ARM assembly code for decode_map type 3 case
8b021d2 : Check partword is in range for # of partitions
7dedfd2 : libvorbisidec: sanity check index of marker.
b7a83c4 : Fix vorbis decoder crash due to out of bounds memory access
f22c84d : Fix allocation failure crash
c1be890 : Add sanity checks to fix crash

+- Project: android_external_wpa_supplicant_8

48e68b8 : WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
0ae423e : Guard against return value already being null
3fd5d95 : Remove newlines from config output
633c8ed : P2P: Validate SSID element length before copying it
2534946 : hostapd_cli: Use os_exec() for action script execution
e722e25 : wpa_cli: Use os_exec() for action script execution
3be0547 : Add os_exec() helper to run external programs

+- Project: android_frameworks_av

4ad5b91 : Fix memory leak in error case
b4469df : Limit ogg packet size
7c2ebab : Fix out of bounds access
e1f74f2 : codecs: handle onReset() for a few encoders
2e4a2f4 : Add bounds check in SoftAACEncoder2::onQueueFilled()
42735de : Fix integer overflow and divide-by-zero
6ef3d01 : Fix NPDs in h263 decoder
94bf86b : resolve merge conflicts of 79cf158c51 to mnc-dev
508a00c : Fix overflow check and check read result
b13d48e : CameraBase: Don't return an sp<> by reference
e27917e : DO NOT MERGE - improve audio effect framework thread safety
30177e5 : DO NOT MERGE - audioflinger: fix recursive mutex lock in EffectHandle.
b317df8 : Fix security vulnerability: potential OOB write in audioserver
cf6aea2 : Effect: Use local cached data for Effect commit
2771e36 : DO NOT MERGE: Visualizer: Check capture size and latency parameters
98131c6 : Fix security vulnerability: Equalizer command might allow negative indexes
fc87cbc : DO NOT MERGE: defensive parsing of mp3 album art information
da37d26 : Effects: Check get parameter command size
17e982c : Make VBRISeeker more robust
b40f599 : Fix security vulnerability: Effect command might allow negative indexes
d5033f7 : Fix potential NULL dereference in Visualizer effect
355f9cc : DO NOT MERGE Fix divide by zero
463d1e7 : DO NOT MERGE - MPEG4Extractor: Check mLastTrack before dereferencing.
da2ccfe : IOMX: do not clear buffer if it's allocated by component
8f95332 : IOMX: allow configuration after going to loaded state
02db3ae : SampleIterator: clear members on seekTo error
ec6b7bf : DO NOT MERGE: IOMX: work against metadata buffer spoofing
beb5720 : Fix potential overflow in Visualizer effect
2b488eb : Check mprotect result
6516053 : Limit mp4 atom size to something reasonable
0a3a5db : MediaPlayerService: allow next player to be NULL
f131552 : DO NOT MERGE - Fix build breakage caused by commit 940829f69b52d6038db66a9c727534636ecc456d.
c76a4aa : DO NOT MERGE - SoftMPEG4: Check the buffer size before writing the reference frame.
a47471b : DO NOT MERGE MediaPlayerService: avoid invalid static cast
2761830 : Add EFFECT_CMD_SET_PARAM parameter checking
26d423c : DO NOT MERGE - stagefright: fix integer overflow error
47301ba : DO NOT MERGE - Fix build
0d7bf4c : DO NOT MERGE - SoftVPX: fix nFilledLen overflow
4349e23 : DO NOT MERGE stagefright: fix possible stack overflow in AVCC reassemble
25e8887 : DO NOT MERGE - SoftMP3: memset safely
366f16b : OMXCodec: check IMemory::pointer() before using allocation
276e314 : Impose a size bound for dynamically allocated tables in stbl.
013273d : omx: prevent input port enable/disable for software codecs
78c5bc5 : Fix corruption via buffer overflow in mediaserver
1d28916 : DO NOT MERGE: Camera: Adjust pointers to ANW buffers to avoid infoleak
c50e647 : DO NOT MERGE omx: check buffer port before using
65a5abb : Check effect command reply size in AudioFlinger
9b75782 : DO NOT MERGE SoftAAC2: fix crash on all-zero adts buffer
299015c : Fix potential overflow
6a3270e : Don't use sp<>&
2c87d9b : DO NOT MERGE MPEG4Extractor: ensure kKeyTrackID exists before creating an MPEG4Source as track.
411bf4c : DO NOT MERGE Check malloc result to avoid NPD
69d8a6a : DO NOT MERGE limit mediaserver memory
2a0367a : h264bsdActivateParamSets: Prevent multiplication overflow.
0d9071b : Fix security vulnerability in libstagefright
3303db0 : Clear unused pointer field when sending across binder
832d1c1 : DO NOT MERGE codecs: check OMX buffer size before use in vorbisdec
29a056f : DO NOT MERGE codecs: check OMX buffer size before use in (h263|h264)dec
23927df : SampleTable.cpp: Fixed a regression caused by a fix for bug 28076789.
1983979 : SampleTable.cpp: Prevent corrupted stts block from causing excessive memory allocation.
c6b9d96 : DO NOT MERGE Don't reject "thumbnail mode" setConfig
352b76d : DO NOT MERGE Verify OMX buffer sizes prior to access
c8ccb66 : AudioSource: initialize variables
32cf7c2 : Check mp3 output buffer size
b6237f7 : DO NOT MERGE codecs: check OMX buffer size before use in (gsm|g711)dec
66501a5 : h264dec: check for overflows when calculating allocation size.
e666550 : Fix AMR decoder
22720cf : SoftAMR: check input buffer size to avoid overflow.
c11c8d0 : SoftAMR: check output buffer size to avoid overflow.
7be9cb7 : DO NOT MERGE codecs: check OMX buffer size before use in VP8 encoder.
253ae23 : NuPlayerStreamListener: NULL and bounds check before memcpy
c0c1993 : Camera3Device: Validate template ID
217b421 : DO NOT MERGE Add VPX output buffer size check
3309d24 : stagefright: Remove assert for corrupt clips for AMRNB
56b2745 : Also fix out of bounds access for normal read
1ab00ce : Get service by value instead of reference
dd30f8d : Clear allocation to avoid info leak
c4cbc85 : DO NOT MERGE - Remove deprecated image defines
c92771e : Camera: Disallow dumping clients directly
adef7a9 : fix possible overflow in effect wrappers.
c0f6f46 : Fix out-of-bounds write
c70b5d0 : DO NOT MERGE - libstagefright: check requested memory size before allocation for SoftMPEG4Encoder and SoftVPXEncoder.
0474810 : DO NOT MERGE SoundPool: add lock for findSample access from SoundPoolThread
f6172fa : DO NOT MERGE - AudioFlinger: Clear record buffers when starting RecordThread
e174797 : DO NOT MERGE - OMX: allow only secure codec to remotely call allocateBuffer.
cb2c814 : ID3: check possible integer overflow for extendedHeaderSize and paddingSize.
c714ba4 : Check NAL size before use
673fa58 : MPEG4Extractor: ensure buffer size is not less than 8 for LastCommentData.
c9d549f : Don't crash when there's no conceal frame
1673e05 : DO NOT MERGE stagefright: fix AMessage::FromParcel
170139e : DO NOT MERGE Fix vulnerability in mediaserver
0702359 : DO NOT MERGE NuCachedSource2: fix possible erroneous early free
63f26e4 : Limit allocations to avoid out-of-memory
b820d9c : Fix heap data leak vulnerability
64ca46c : Fix for security vulnerability in media server DO NOT MERGE
741632c : DO NOT MERGE - IAudioFlinger: always initialize variables to ensure no info leak when writing them to Parcel.
95539e9 : Make IEffect command more robust (second try)
a164f44 : libmedia: clear reply data for IEffect command
bdabc96 : Fix timedtext parsing
575336a : DO NOT MERGE - libstagefright: sanity check size before dereferencing pointer in Utils.cpp
b22bb70 : DO NOT MERGE fix build
6a2c96d : DO NOT MERGE Avoid size_t overflow in base64 decoding once again
cfad707 : Ogg: avoid size_t overflow in base64 decoding
a832561 : DO NOT MERGE - IAudioFlinger: clear config before reading it from parcel.
86ba4be : Zero out return values in media binder calls
4ead418 : IMediaPlayer.cpp: make sure structures are initialized to 0
acb73db : stagefright: check IMemory::pointer() before using the allocation
0269d9c : Fail more gracefully on allocation failure
2365806 : Fix compile failure after rI431aa2b7d30a942350ab6d105451c6b77e2f99d4
2376346 : libstagefright: fix overflow in pvdec_api.cpp.
49cd07d : libstagefright: check memory size for overflow before allocation.
e8b6868 : Fix for memory corruption in ID3::removeUnsynchronizationV2_4(). Bug: 23227354
570756d : Fix build break DO NOT MERGE
deb39a9 : Fix crash on malformed id3
01c82e6 : libstagefright: fix possible overflow in amrwbenc.
1792dcc : DO NOT MERGE - audio flinger: fix fuzz test crash
c0bccf3 : DO NOT MERGE Part of fix for libmedia OOB write anywhere
4302151 : libstagefright: fix possible overflow in ID3.
fe33f86 : Prevent integer issues in ID3::Iterator::findFrame
5db1e75 : SampleTable: fix integer overflow checks.
59aed18 : Extra sanity checks on sample size and resolution
3b7cb64 : libstagefright: check overflow before memory allocation in OMXCodec.cpp
6032bae : Sanity check padding/delay values for gapless playback
febb4c9 : MatroskaExtractor: detect infinite loop when parsing NALs
36a8243 : DO NOT MERGE libstagefright: Fix crash in convertMetaDataToMessage
c10f497 : Fix Ogg album art
3cef83d : Fix comparison sign warnings.
7d90c96 : libstagefright: fix overflow in MPEG4Source::parseSampleAuxiliaryInformationOffsets.
53081ca : MPEG4Extractor.cpp: Add check for size == SIZE_MAX
6b72ea9 : Check RTSP payload length
11e66d1 : ABuffer: reset members when memory allocation fails.
41eb89f : DO NOT MERGE - Fix software video decoder buffer size calculation
0bd52e8 : DO NOT MERGE - SoftwareRenderer: sanity check buffer size before copying data.
0284ff4 : Check vector size before accessing
1616cf0 : SoftAVCEnc: check requested memory size before allocation.
21f2645 : Check buffer size before using it
c056476 : MPEG4Source::fragmentedRead: check range before writing into buffers
b425784 : do not dequeue from native window after we hit fatal error -- DO NOT MERGE
ebf71f0 : libstagefright: fix handling of mSampleTimeEntries and mNumSampleSizes in SampleTable.
8ab3245 : libstagefright: check remaining data size before parsing it.
fa16aa6 : Check integer overflow to prevent memory corruption
afcaff4 : Fix several ineffective integer overflow checks
3e66cda : SampleTable: check integer overflow during table alloc
21f648f : DO NOT MERGE - audio effects: fix heap overflow
1060675 : MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX
fa46e35 : DO NOT MERGE - IOMX: Add buffer range check to emptyBuffer
67c8578 : HDCP: buffer overflow check -- DO NOT MERGE
abe438b : DO NOT MERGE: Add AUtils::isInRange, and use it to detect malformed MPEG4 nal sizes
32b89dd : Fix integer overflow when handling MPEG4 tx3g atom
a95f8ed : Fix integer underflow in covr MPEG4 processing
00b3442 : Prevent integer overflow when processing covr MPEG4 atoms
c88d6b7 : Fix integer underflow in ESDS processing
3701ee4 : Fix integer overflow during MP4 atom processing
ff687ba : Guard against codecinfo overflow

+- Project: android_frameworks_base

6a54f76 : [DO NOT MERGE] Check bounds in offsetToPtr
a8214b5 : Fix exploit where can hide the fact that a location was mocked am: a206a0f17e am: d417e54872 am: 3380a77516 am: 0a8978f04b am: 1684e5f344 am: d28eef0cc2 am: 1f458fdc66 am: d82f8a67fc am: 1ac8affd51 am: 56098f81b6 am: 7cec76de0f am: 2da05d0f9e
82f36d8 : DO NOT MERGE) ExifInterface: Close the file when an exception happens
fd63fd1 : DO NOT MERGE Isolated processes don't get precached system service binders
ede8b42 : DO NOT MERGE: Fix deadlock in ActivityManagerService.
a7e8c2e : DO NOT MERGE: Catch all exceptions when parsing IME meta data
987cd73 : Fix setPairingConfirmation permissions issue (2/2)
42a6925 : Prevent FDs from being leaked when accepted sockets are closed
6494cbb : Avoid crashing when downloading MitM'd PAC that is too big
7e78207 : DO NOT MERGE) ExifInterface: Make saveAttributes throw an exception before change
7c3f662 : DO NOT MERGE Check caller for sending media key to telephony service
50e6269 : Fix vulnerability where large GPS XTRA data can be injected. -Can potentially crash system with OOM. Bug: 29555864
f7a2cb9 : DO NOT MERGE: Clean up when recycling a pid with a pending launch
53afaf4 : Process: Fix communication with zygote.
3f4deb3 : DO NOT MERGE: Fix CTS regression
dc9e10d : Fix string equality comparison
ac214f5 : WifiEnterpriseConfiguration: Do not print credentials in toString
d3674ea : DO NOT MERGE: Remove the use of JHEAD in ExifInterface
3e7694c : DO NOT MERGE: Don't trust callers to supply app info to bindBackupAgent()
ce65785 : Don't pass URL path and username/password to PAC scripts
55c1fe2 : DO NOT MERGE Fix intent filter priorities
f415bf5 : Fix issue #16794553: Duplicate ArrayMap entries in Bundle...
f702e7c : Do not persist and restore the media button event receiver
f225754 : Change permission guard on bindBackupAgent()
d1cf7a6 : Prevent system uid component from running in an app process
5d4d8d2 : Prevent insanely long passwords from crashing SystemUI
1eef089 : Finish fixing Zygote descriptor leakage problem
acb473a : DO NOT MERGE Redact Account info from getCurrentSyncs
268ddae : NPE fix for SyncStorageEngine read authority
41f642a : Sync extras bundle comparison can throw NPE
7c16306 : Make Bitmap_createFromParcel check the color count. DO NOT MERGE
bf1c34e : DO NOT MERGE - Backport of ag/748165 to klp-dev Security patch level in Settings
41d7f47 : Allow debugging only for apps forked from zygote
04463e6 : Ensure that unparcelling Region only reads the expected number of bytes
f0bc716 : Check that the parcel contained the expected amount of region data.

+- Project: android_frameworks_native

405a53d : Verify that the native handle was created
9ff0c94 : libgui: Check slot received from IGBP in Surface
3a7ede0 : ui: Fix bad size check in Fence::unflatten
5a8338e : Fix security vulnerability
8135304 : Correctly handle dup() failure in Parcel::readNativeHandle
d3a0834 : Fix issue #27252896: Security Vulnerability -- weak binder
1ad5757 : DO NOT MERGE BQ: fix some uninitialized variables
b016f87 : Merge conflict--DO NOT MERGE Add SN logging
072f129 : Sanity check IMemory access versus underlying mmap
04ee44c : DO NOT MERGE BQ: Add permission check to BufferQueueConsumer::dump
371f043 : IGraphicBufferProducer: fix QUEUE_BUFFER info leak
01fe256 : DO NOT MERGE: fix build try #2
891ddd2 : DO NOT MERGE: fix build breakage
188769e : add number constraint for samples per MotionEvent
57de8c5 : Disregard alleged binder entities beyond parcel bounds
229be7d : Update maxNumber to be smaller.
69cb285 : Fix for corruption when numFds or numInts is too large.
ed3f1ee : Initialize local variables to avoid data leak

+- Project: android_frameworks_opt_telephony

9a3eff3 : Do not allow premium SMS during SuW
4867eed : DO NOT MERGE fix build breakage
26a88c5 : DO NOT MERGE add private function converSafeLabel
b1488c9 : backport security fix: avoid set NITZ time to 2038
4770a87 : opt/telephony: Fix compile on JDK7
1eddbd9 : Externally-reported Moderate severity vulnerability in SMS

+- Project: android_hardware_libhardware

2d60b97 : Fix security vulnerability: potential OOB write in audioserver

+- Project: android_libcore

42e44ef : IDN: Fix handling of long domain names.
30d2012 : Use SSL_session_reused to check when a session was reused
1f1ef09 : art: Fix building under JDK7
feacaf7 : Fix compilation of Enum on JDK 7
c78565c : Locale: Retain compatibility with 4.4 APIs
833e901 : java7: Implement new Locale APIs.
1a65a30 : Remove old fork-and-specialize API
90c7c5d : DO NOT MERGE Prevent duplicate certificates in TrustedCertificateIndex
be492cb : DO NOT MERGE Cache intermediate CA separately
de823c2 : Finish fixing Zygote descriptor leakage problem
026c6fb : Add API to check certificate chain signatures
032ee01 : OpenSSLX509Certificate: mark mContext as transient
894c826 : Fix a bug in DefaultHostnameVerifier wildcard handling.
822236a : Add additional checks in ObjectInputStream
9562048 : Add additional field checks for deserialization.
39c70da : DO NOT MERGE: Add a way to get all values of an attribute of DN.
b99ad53 : Add support for TLS_FALLBACK_SCSV

+- Project: android_packages_apps_Bluetooth

ac35a97 : OPP: Restrict file based URI access to external storage
812499f : Bluetooth-OPP: Remove hashmap entry after Tx complete
c71db51 : Bluetooth: OPP Update progress in worker thread
1ae385d : Bluetooth: OPP: Display proper name while cancelling transfer
469ee95 : Fix setPairingConfirmation permissions issue (1/2)
32190b5 : DO NOT MERGE Fix security vulnerabilities in permission of deleting MMS/SMS

+- Project: android_packages_apps_CertInstaller

a8fcb2b : Trust CA certificates added for the whole OS only

+- Project: android_packages_apps_ContactsCommon

a4d49bc : Ask for confirmation before importing from vcard

+- Project: android_packages_apps_Email

8c8321e : DO NOT MERGE Limit account id and id to longs
8537547 : stop exporting EmailAccountCacheProvider

+- Project: android_packages_apps_Gallery2

ed8ff81 : util: Fix build of LinkNode.java.

+- Project: android_packages_apps_Mms

ea70340 : Fix a NPE when update message status

+- Project: android_packages_apps_Nfc

c71a5df : Verify setForegroundDispatch caller is in foreground. (DO NOT MERGE)

+- Project: android_packages_apps_PackageInstaller

47bc99a : Prioritize package installer intent filter

+- Project: android_packages_apps_Settings

639f203 : resolve merge conflicts of 3964c51bf2 to nyc-dev
7c97677 : SECURITY: Don't pass a usable Pending Intent to 3rd parties.
e022728 : Add translations for Security Patch Level.
a2d7427 : DO NOT MERGE - Backport of ag/748147 - Security Patch Level in Settings CL#3/3
169c0d5 : Check for special char when renaming device for Wi-Fi direct.

+- Project: android_packages_apps_UnifiedEmail

74bbf66 : Disallow attachments from file:///data/

+- Project: android_packages_providers_DownloadProvider

f8d5682 : Merge conflict--DO NOT MERGE. Use resolved path for both checking and opening.

+- Project: android_packages_providers_TelephonyProvider

a8a63e5 : 30481342: Security Vulnerability - TOCTOU in MmsProvider allows access to files as phone (radio) uid - DO NOT MERGE

+- Project: android_packages_services_Telephony

3668fe4 : Added permission check for setCellInfoListRate
a9cb611 : Restrict SipProfiles to profiles directory DO NOT MERGE
efd5646 : DO NOT MERGE Check caller for sending media key to telephony service
37eaff6 : DO NOT MERGE - Prevent "add-call" UI during setup wizard.

+- Project: android_system_media

4112455 : Fix potential overflow in Visualizer effect
c78a1c5 : Camera metadata: Check for inconsistent data count
f33d55e : Camera: Prevent data size overflow

+- Project: android_system_security

2693710 : Properly check for Blob max length
72eade5 : Fix unchecked length in Blob creation