After reading el reg's
article regarding a cyanogenmod MITM flaw, I started looking through the code to see if I could find it. It didn't take long. This finding was not what users are led to believe by cyanogenmod's
blog post. I reported the issue to cyanogenmod, but got a rather unsatisfactory reply. They didn't seem willing to modify the blog post to more accurately reflect the problem. Below is my email exchange with cyanogenmod's security address:
Lord Tuskington,
Thank your for your response. Truth is we assumed as much,
but the lack of meaningful information in the Register's sensational
article didn't leave us much room to interpret it besides what it
presented at face value.
As you noted, this has already been addressed in our
shipping code branch (cm-11), prior to the article's publishing. This
was the net result of the messaging provided in the blog post, with CM
11 being 'safe' from this issue.
We normally do not patch non-shipping code (in this case 10.2 and prior), though we may in this case.
We do not expect to make a advisory on the 10.2 item at this time.
Thank you,
Abhisek Devkota
On Oct 17, 2014 8:50 PM, "Lord Tuskington" <
l.tuskington@gmail.com> wrote:
If you release an advisory, please credit "Lord Tuskington of TuskCorp" for reporting this vulnerability responsibly.
Regards
--
Lord Tuskington
Chief Financial Pinniped
TuskCorp