Maybe they did, they just have not published the code or the ROM. But these issues are not that critical. There are worse CVEs out there right now, just check what Google publishes each month.
I checked the repo today to check a few things @Roboe wrote. I did not see anything related to those CVEs in the old Changelogs.
But maybe I’m doing the checkout wrong. What I got looked old.
And I thought they use codeaurora as a basis? Or are they just using a “fixed”[1] release of codeaurora and patching the rest back into the “stable” code to prevent the creation of new issues and firmware problems? It would be nice to know how the whole code workflow works.
[1] "Our code is based on Code Aurora code, with the manifest being LA.BF.1.1.1-03010-8x74.0"
Sadly, the new beta OS 1.6.2 is still vulnerable to quadroot CVE-2016-2060, 2503 and 5340.
On the positive side, 2504 and 2059 have been corrected.
Though it says that the Android security patch level is August 5th, which is quite nice!