Android Security Bulletins and Updated AOSP versions

Raphael Garcia-Melgares

Nov 23, 2017, 3:37:27 PM
to Android Building
Hello AOSP team,

I have a question about the security bulletins and the corresponding patches. I would like to make a Marshmallow AOSP build with the latest security patches, but it seems to me that the security patches have not been backported to this version for a while.

For example, if I take the recent KRACK vulnerability, I see 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 in the list of updated AOSP versions in the corresponding bulletin (https://source.android.com/security/bulletin/2017-11-01).
However, when I look at the official Android wpa_supplicant repository (https://android.googlesource.com/platform/external/wpa_supplicant_8/), I see that none of the Marshmallow branches has been updated for a while.

marshmallow-release last commit 2015
marshmallow-mr3-release last commit 2016
marshmallow-mr2-release last commit mar 2017
marshmallow-mr1-release last commit 2016
marshmallow-dev last commit 2015

Am I looking in the wrong place?
I fully realize that Marshmallow is already an old version and that backporting security patches can represent a lot of work, but then wouldn't "affected AOSP" versions be a better description?

The goal here is not to undermine the awesome job done for security by providing these security bulletins but simply to try to make sense of this "updated AOSP version" mention.

Thanks,
Raphael

Tobias Reike

Feb 22, 2018, 11:42:40 AM
to Android Building
Same question for me. I am also looking to update an existing 5.1.1 AOSP version for our device (NanoPI 3), which by default uses 5.1.1_r5.
How can I integrate the patches? Do I have to look up every patch file, or can I just use the latest wpa_supplicant_8 git and put the folder in my AOSP source?

Baran Jean-Marie

Feb 4, 2019, 1:17:25 PM
to Android Building
Hello,

I have the same question too (for Android 7 in my case). The documentation says (e.g. for the Android Security Bulletin of January 2019):

Device manufacturers that include these updates should set the patch string level to:

  • [ro.build.version.security_patch]:[2019-01-01]
  • [ro.build.version.security_patch]:[2019-01-05]

And indeed the AOSP versions are listed for each fix (e.g. 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9), which leads one to think that those patches are available for these versions. However, the older versions (namely Android 7.x.x) have gone a long time without an update: the last Android 7 release for the Pixel was something like 7.1.2_r28 back in 2017. It's not clear what "Updated AOSP versions" means here.

So how is this supposed to work? Are we to manually cherry-pick the fixes back to our version, or are those fixes available in some other place? What is the standard way of including those updates without updating the whole system to the next major release of Android?

A bit of clarification would be welcome here.

Thanks,
Jean-Marie.