Full change log: pastebin.com/ptatg6kh
Speaking of security, let’s touch on a few items. First, this release incoporates every Android security bulletin this year to-date, with a reported security patch level of August 5th, see source.android.com/security/bulletin/2016-08-01.html and prior bulletins on what this entails.
Second, many users have likely read about the Quadrooter vulnerability coming out of DEF CON. Here, we have a bit of bad news. Of the four reported CVEs, we’ve been able to plug the ones that affected OSS code (ie the kernel), specifically CVE-2016-2059 and CVE-2016-5340. However, some of the reported vulnerabilities lie within OEM binary blobs, meaning we don’t have source access to resolve them.
So what does this mean? Unfortunately, for many devices we may never be able to completely resolve the outstanding issues, as OEMs are unlikely to release updated blobs across the generations of devices CM 13.0 supports, many of which were end of lifed on Lollipop or even earlier. We’d like to take this opportunity to remind you to be smart about where you source your applications, whether the Play Store, a FOSS equivelent or elsewhere on the internet – we’ve done our part to ensure the security of your device, but this and other parts are entirely up to you.