
The public Android security bulletins are not nearly as useful as they used to be since so much information was stripped out of them. Need to figure out even basic details entirely from the commit message and changes to the code. Internal bulletins still have more information.
I could ask someone to check the internal bulletin, or I could ask someone at Google to check b/150156492. It seems strange that so little information is being provided now. Any resourceful adversary will be able to get access to the broadly distributed internal bulletins anyway.
I could post a few examples from a past month of the internal bulletin description vs. lack of any real public bulletin information. This just seems to make things much harder for external security researchers. They should want people verifying that fixes were done correctly.
Long-term support for older major versions in AOSP is also strange. AOSP has maintenance branches for the current major OS version with all kinds of bug fixes and other improvements. It's the same source tree they use to build the stock OS with their proprietary repos added in.
For previous major releases of AOSP, which now includes Android 10, they release tags for the monthly security updates based on the earliest tag for that major release. Those only include security patches added that month and an arbitrary assortment of previous security patches.
Internal security patch previews are a bundle of security patches to be applied consecutively onto the earliest tag for a major release without all non-security improvements in the AOSP maintenance releases. So, for past major releases, they're awkwardly publishing those via Git.