T-Mobile began rolling out security-centric updates to Nexus devices yesterday. As we already know, there aren't any big changes due out in this release, but Google has pushed the latest code up to the Android Open Source Project (AOSP) for the world to see. As usual, we've put together a changelog for easy reading.

Updates for T-Mobile devices are built from a dedicated branch in AOSP with custom code to support the Wi-Fi calling feature. As it turns out, the list of changes for this update to LMY48M closely resembles the r6 to r9 update from last month, otherwise known as the update that (mostly) fixed Stagefright. Quite simply, T-Mobile didn't post OTAs for its devices when Google released its updates. We'll have to wait to see if updates will begin to follow the plan for monthly security updates from here on out.

Even though there is a lot of overlap with an older changelog, there are still a few brand new commits to look at. It's likely T-Mobile's update encompasses fixes from both last month and this month. The full changelog is linked below, but I've listed out just the items that are unique between the two updates:

platform/external/skia e28401b : DO NOT MERGE Prevent integer wrap around for malloc size when creating a SkRegion

platform/frameworks/av 6fe85f7 : MPEG4Extractor.cpp: handle chunk_size > SIZE_MAX 304ef91 : Guard against codecinfo overflow a5d9298 : Revert "DO NOT MERGE: Lock drm plugin API calls globally, not per MediaDrm instance" d776139 : DO NOT MERGE: Lock drm plugin API calls globally, not per MediaDrm instance

platform/frameworks/base 8fba7e6 : Prevent insanely long passwords from crashing SystemUI 1e72dc7 : DO NOT MERGE: Ensure that unparcelling Region only reads the expected number of bytes 4cff1f4 : Check that the parcel contained the expected amount of region data. DO NOT MERGE 0e40462 : Revert "DO NOT MERGE Backport of limited jank-tracking metrics d5a4a1a : DO NOT MERGE Backport of limited jank-tracking metrics

platform/frameworks/native e68cbc3 : Disregard alleged binder entities beyond parcel bounds 7dcd0ec : Verify that the native handle was created

platform/frameworks/opt/telephony df31d37 : Externally-reported Moderate severity vulnerability in SMS: Apps can bypass the SMS short code notification prompt

platform/system/core e8c62fb : Prevent integer overflow when allocating native_handle_t

platform/system/security bb9f439 : Fix unchecked length in Blob creation



Most of the changes are related to memory management and potential overflows, which means they're probably closing up some potential targets for malware. A few more bug fixes are mixed in for good measure, but nothing we're likely to notice in regular usage. At least T-Mobile is getting caught up and getting the fixes out there. I've got a hunch Google will have an update coming out shortly that looks eerily similar to the list above.

Android 5.1.1 r14 (LMY48M) - android-5.1.1_r3 -> android-5.1.1_r14 (Nexus 4, 5, 6, 9, and 7 Wi-Fi)

Android 5.1.1 r15 (LMY48N) - android-5.1.1_r14 -> android-5.1.1_r15 (Nexus Player)

Android 5.1.1 r16 (LMY48P) - android-5.1.1_r15 -> android-5.1.1_r16 (2013 Nexus 7 - deb)

Android 5.1.1 r17 (LYZ28K) - android-5.1.1_r12 -> android-5.1.1_r17 (T-Mobile Nexus 6)

Android 5.1.1 r18 (LVY48F) - android-5.1.1_r13 -> android-5.1.1_r18 (Project Fi Nexus 6)