Where are security patches for older AOSP versions published?
827 views
Skip to first unread message
avk
Aug 12, 2016, 12:40:44 PM8/12/16
to android-porting
Hi,
I'd like to [try to] make a custom build of AOSP for my device, which does not receive security updates from vendor anymore. For this reason I'm looking for sources of Android 4.4 along with all the relevant security patches.
source.android.com mentions that KitKat still receives security updates:
Also latest security bulletin alongside many CVE's mentions 4.4.4 among "Updated AOSP versions". Yet when I go to appropriate reference
(for example, this commit for first CVE in the list), the appropriate commit seems to appear only in master branch. I'm not familiar with AOSP version control yet, but I checked list of branches for this particular framework here.
So, my question is: where do backported security patches go? If current googlegroup is not appropriate place for this question, please point me in the right direction.
Cheers,
I'd like to [try to] make a custom build of AOSP for my device, which does not receive security updates from vendor anymore. For this reason I'm looking for sources of Android 4.4 along with all the relevant security patches.
source.android.com mentions that KitKat still receives security updates:
The Android security team currently provides patches for Android versions 4.4 (KitKat), 5.0 (Lollipop), 5.1 (Lollipop MR1), and 6.0 (Marshmallow).
Also latest security bulletin alongside many CVE's mentions 4.4.4 among "Updated AOSP versions". Yet when I go to appropriate reference
(for example, this commit for first CVE in the list), the appropriate commit seems to appear only in master branch. I'm not familiar with AOSP version control yet, but I checked list of branches for this particular framework here.
So, my question is: where do backported security patches go? If current googlegroup is not appropriate place for this question, please point me in the right direction.
Cheers,
Arne-Christian Blystad
Sep 12, 2016, 4:32:55 PM9/12/16
to android-porting
After having spent a few hours backporting the latest security patches to Lollipop (with one of them I'm not sure it fixes the problem, but the CVE is empty), I have the same question.
Anyone from Google that could shed some light on this matter?
Thanks.
Arne-Christian Blystad
Nov 9, 2016, 12:33:15 PM11/9/16
to android-porting
Hello,
With the latest security bulletin ( https://source.android.com/security/bulletin/2016-11-01.html ) it's really difficult to update all components to the latest security patch without getting access to the patches.
E.g.
- A-30916186
- A-30259087
- A-30765246
- A-28672558
- A-31217937
We care about security on our products, and would love to provide our customers with a secure system.
Best regards,
Arne-Christian Blystad
On Friday, 12 August 2016 18:40:44 UTC+2, avk wrote:
Glenn Kasten
Nov 10, 2016, 8:47:52 PM11/10/16
to android-porting
You might want to ask on android-security-discuss, since they focus on this kind of topic.
But they don't seem to be active recently :-(
Arne-Christian Blystad
Nov 14, 2016, 10:55:00 AM11/14/16
to android-porting
Hey,
I can't even open a new topic there :/
- AC
Martin Kan
Aug 15, 2017, 11:16:40 AM8/15/17
to android-porting
Hi,
I am experiencing the same issue here - I need to find the latest patched version of the Android 5.1.1 source code with all of relevant security patches included. The latest version of the 5.1.1 source code I found on https://android.googlesource.com (r38) seem to be quite outdated (it is only up to date until mid 2016). Even the master version doesn't seem to have all of the security patches included (for example, to patch to this bug doesn't seem to be included in the master version of the source code).
Am I missing something here?
Any help is much appreciated.
Kind regards.
Martin
Reply all
Reply to author
Forward
0 new messages