# Critical Security Flaws still not fixed?



## chilinux (Sep 3, 2020)

Tivo Stream 4k seems to require Bluetooth to always be enabled (as the remote itself is a BT device). Also, several of the apps that can be installed in the Tivo Stream 4k seem to download and display images from a variety of sources from the Internet.

Due to this, I am interested in the status of the following Critical Remote Code Execution security flaws for Android that Google has already released patches for:

- CVE-2020-0103 Critical RCE Bluetooth vulnerability--patch to fix released May 2020
- CVE-2020-0117 Critical RCE Bluetooth vulnerability--patch to fix released June 2020
- CVE-2020-9589 Critical RCE Image profile decoding vulnerability--patch to fix released July 2020

The Tivo Stream 4k that I have indicates it is already "up-to-date" but the security patch level indicates it has April 2020. This seems to indicate the so-called up-to-date device may be missing the above critical security fixes. Is it possible to get details as to when these security fixes should be available for all Tivo Stream 4k device owners?


----------

