Fairphone patch for the Stagefright vulnerability

It’s great to see that emojis can now be used in topic titles! :smiley:

1 Like

I am impressed, Fairphone achieved what the big companies fail to do.

To all Android smartphone manufacturers, take out your laptops and start making notes!
THIS is how it should be!


@urs_lesse: you can install Playstore free apps using BlankStore it’s very easy to setup and works quite well :smile:

@DjDas Thank you! However, I rarely have WLAN access, so for me being able to download an .apk on my computer (from a somewhat trusty source :wink: ) would be even handier.

I started this thread 18 days ago and now that the software update Kola Nut 1.8.7 is available, I would like to thank all people at Fairphone who have worked hard to make this happen. Great work. It makes me proud of using a Fairphone.


Since the old Stagefright thread has been locked a couple of minutes ago, I created this new thread.

Now the question: does the update you’ve prepared (1.8.7) already include the amended fix for the vulnerability? Because there have been new developments, see http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/ for why the initial fix was incomplete and allowed for DoSing Android phones with the initial fix. Google has commited a revised/additional fix.

Thanks for clearing this up.


P.S.: Can’t link to the original thread, since I’m not allowed more than two links…

1 Like

Thanks for the info. We reopened the thread and moved your post here.

1 Like

Hmmm, my Fairphone updater tells me the phone is up-to-date, but it is on 1.8.5

The 1.8.7 update is not an official release yet but can be manually installed. (by “advanced users”)

Strange: that is not reflected on https://fairphone.zendesk.com/hc/en-us/articles/205679425-Software-update-1-8-7-log-August-2015


There’s a twist to the story about security fixes to the Stagefright bug. Yesterday, security researchers from Exodus Intelligence reported that a security vulnerability related to Stagefright was not included with the official patches from Google. That means, the updates posted yesterday (and those sent to Google devices and other brands/operators) still have a vulnerability. Therefore, we are working on a new software update to incorporate these latest security patches. Luckily, they should be ready soon. Our estimate is that they will be ready early next week.

In the meantime, we are updating our support articles and removing the files of the 1.8.7 update that is missing the recently discovered security patch.

Once we have the final software update (expected early next week), we will write all Fairphone owners and be able to send the update over Wi-Fi. Thanks for your patience.


Thank god I did the upgrade to 1.8.7 already and have the “Firefox fix”. :smile:
I’ll be waiting for the 1.8.8. :smiley:


The build for next week will contains the latest fixes (and a new build number) but the name will remain 1.8.7. The process of creating a release, updating the documentation does not allow for us to increase version number and release on such short notice.

Current 1.8.7 users will also be prompted to upgrade their operating system.


That sounds like “We can release patches on quick notice, but our bureaucracy system forbids the quick increase in version numbers.” If it is so, you might need to think about changing some things…

Hi HackAR, as mentioned the process of creating a release does not only involve integrating a patch and sending it to our users. It also involves things like translation,testing, updating upgrade tutorials and such. I won’t go into discussion here and merely provided the required information to correct your wrong assumptions.


Ik get the same thing. Perhaps we will be able to update, when the 1.8.7 is definitive (see newer reactions)?

Yes, this it taking longer than expected as we are, among other things, running additional tests. Hence the delay.


It is great that Fairphone will be one of the first smartphones to get a patch for the Stagefright vulnerability. This is IMHO a really good customer service.
It seems that a new vulnerability (not related to Stagefright, though) has been found, which probably also affects the Fairphone:

The ID of this vulnerability is CVE-2015-3842. It does not seem to be listed (yet) under https://fairphone.zendesk.com/hc/en-us/articles/205679425-Software-update-1-8-7-log-August-2015 .
Will this vulnerability also be addressed in the coming security update, or do you think it is better to release the stagefright fix first?

Anyway, I think it is probably rather frustrating for the developers that security bugs seem to be popping up everywhere at the moment. I wish you the endurance and all the best to fix them. :smiley:


I take part in the closed beta. It seems that Fairphone plans to release an update with the fix for the stagefright issue over-theair (OTA) first, to not further delay this.

A fix for CVE-2015 will probably come later.

I applaud your positive attitude :wink:.


Well, a lot of other smartphones (albeit released more recently than the Fairphone) will probably not receive a fix at all, so I am quite happy that Fairphone is committed to the release of security fixes for the near future.