Not quite Lollipop, but POODLE is squished in the latest CyanogenMod M release

CyanogenMod has inherited Google's fixes for the massive SSL security flaw last month that left the web exposed to POODLE attacks.
Written by Liam Tung, Contributing Writer

CyanogenMod developers are urging users of its M builds to update to the latest version of its Android ROM, which fixes the POODLE SSL v3 bug that Google disclosed last month.

CyanogenMod's latest monthly M release — the most stable version of the Android ROM — is out, and with this update comes an important fix it has inherited from Google's upstream patches to the Android Open Source Project source code.

The version released yesterday is the KitKat-based CM11 M12, which may be its last M update as the CyanogenMod team looks towards sunsetting CM11.

"This release incorporates the upstream Google patches against last month's POODLE vulnerability in SSLv3," the CyanogenMod team wrote on Thursday, adding that “users are strongly encouraged to update to the latest available build”.

At the time, Google recommended that others support TLS_FALLBACK_SCSV, an IETF mechanism that prevents protocol downgrade attacks, since disabling SSL 3.0 support was enough to mitigate the POODLE bug. The downgrade attack forces HTTPS servers and browsers on to legacy protocols, such as the 18-year-old SSL 3.0, which Google's security team discovered was vulnerable to an attack that could expose cookies and passwords.

While Google Chrome and Google's servers have supported TLS_FALLBACK_SCSV since February, the fix was merged into Android shortly after Google divulged details of the bug, roughly three weeks ago.
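
As an added illustration (not from the article, and not Google's or CyanogenMod's code), the sketch below shows the server-side check that TLS_FALLBACK_SCSV enables, following RFC 7507, alongside the simpler mitigation of disabling SSL 3.0. The function names, the default version limits and the sample ClientHello bytes are constructed for this example.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600           # signalling cipher suite value (RFC 7507)
ALERT_PROTOCOL_VERSION = 70          # TLS alert codes
ALERT_INAPPROPRIATE_FALLBACK = 86
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303


def parse_client_hello(body: bytes):
    """Return (client_version, cipher_suites) from a ClientHello message body."""
    if len(body) < 35:               # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", body, 0)[0]
    off = 35 + body[34]              # skip the session_id
    if len(body) < off + 2:
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack_from("!H", body, off)[0]
    off += 2
    if cs_len % 2 or len(body) < off + cs_len:
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from(f"!{cs_len // 2}H", body, off))


def server_decision(body: bytes, server_max=TLS12, server_min=TLS10):
    """Return ("alert", code) or ("negotiate", version) for one ClientHello."""
    version, suites = parse_client_hello(body)
    # The client marks a retry at a lower version with the SCSV. If the server
    # could have spoken something newer, the retry was not needed: abort.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    negotiated = min(version, server_max)
    if negotiated < server_min:      # e.g. SSL 3.0 disabled on this server
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("negotiate", negotiated)


def build_hello(version: int, suites: list) -> bytes:
    """Constructed sample input: minimal ClientHello body, no extensions."""
    return (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
            + b"\x01\x00")           # one compression method: null


if __name__ == "__main__":
    for label, hello in [
        ("first attempt, TLS 1.2", build_hello(TLS12, [0xC02F, 0x002F])),
        ("fallback retry, SSL 3.0", build_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])),
        ("legacy SSL 3.0 client", build_hello(SSL3, [0x002F])),
    ]:
        print(label, server_decision(hello), server_decision(hello, server_min=SSL3))
```

With SSL 3.0 left enabled (`server_min=SSL3`), the hello that lacks the SCSV is still negotiated at SSL 3.0, so the signal only protects clients that send it.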

While the security fix is important, the millions of people who flash the CyanogenMod ROM on to their handsets are probably more interested to know when the first Lollipop-based ROM is available.

As ZDNet reported last week, work has already begun on CM12. However, there's no official word on release dates.

The CyanogenMod team is being a little coy about its timeline, but said it will have "something special to welcome the upcoming holidays and New Year", though it's not clear if that something will indeed be the new M build, nor is it clear which devices it will be available for, though presumably the Nexus 5 would be first up.

Nonetheless, for the more adventurous, the less stable nightly builds of CM12 should be available by the end of November or early December.

The main focus currently is incorporating the dozens of unique CM features into the new code base, and redesigning those features to flow better with Google's new Material design language.

The good news for the roughly 50 devices that CM11 supports is that it appears many of them should be able to transition to CM12.

"It is also currently too soon to tell how many devices will transition from 11 to 12, though early traction has this number higher than we had initially hypothesised," the CyanogenMod team wrote.
