Description
Describe the bug
Our security team has identified two critical vulnerabilities in the current versions of OpenSSL and libvpx included in the Android Chime SDK:
libvpx (CVE-2023-44488):
Issue: VP9 in libvpx before version 1.13.1 mishandles widths, leading to a crash related to encoding.
Current Version Used (in SDK): 1.12.0
Recommended Version: 1.13.1 or higher
OpenSSL (CVE-2023-2650):
Issue: Processing some specially crafted ASN.1 object identifiers or data containing them may result in significantly slow performance.
Current Version Used (in SDK): 1.1.1s
Recommended Version: OpenSSL 3.1.1 or higher
Could you confirm the versions of these dependencies in the latest release of the Android Chime SDK? If the reported versions are still used, we request that you update them to mitigate the identified security risks.
These vulnerabilities impact the security and performance of our application, and an update would ensure compliance with modern security standards. Please let us know if there are any timelines for addressing this issue or if further information is required.
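One way to confirm which libvpx and OpenSSL builds an SDK archive actually bundles, as an added example that is not part of the original report or the SDK's own code: scan the native libraries inside the AAR/APK for version banners and compare them with the minimums the report recommends. The banner formats, the function names and the sample library name are assumptions made for this illustration.

```python
import io
import re
import zipfile

# Minimum versions taken from the recommendations in the report above.
MINIMUMS = {"libvpx": (1, 13, 1), "openssl": (3, 1, 1)}

# Assumption: the compiled libraries still carry their usual version banners.
# Group 1 is the printable version, groups 2-4 its numeric parts.
BANNERS = {
    "openssl": re.compile(rb"OpenSSL ((\d+)\.(\d+)\.(\d+)[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}"),
    "libvpx": re.compile(rb"WebM Project VP[89] (?:En|De)coder v((\d+)\.(\d+)\.(\d+))"),
}


def scan_bytes(data):
    """Return a set of (component, version_text, numeric_tuple) found in data."""
    found = set()
    for name, rx in BANNERS.items():
        for m in rx.finditer(data):
            numeric = tuple(int(m.group(i)) for i in (2, 3, 4))
            found.add((name, m.group(1).decode("ascii"), numeric))
    return found


def audit_archive(archive):
    """Scan each .so inside an AAR/APK (path or file object) for banners."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".so"):
                continue
            for name, text, numeric in scan_bytes(zf.read(entry)):
                findings.append({"file": entry, "component": name, "version": text,
                                 "below_minimum": numeric < MINIMUMS[name]})
    return sorted(findings, key=lambda f: (f["file"], f["component"]))


def build_sample_aar():
    """Constructed sample: an in-memory archive with one fake native library."""
    blob = (b"\x7fELF\x00" + b"OpenSSL 1.1.1s  1 Nov 2022\x00"
            + b"WebM Project VP9 Encoder v1.12.0\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jni/arm64-v8a/libexample_media.so", blob)  # hypothetical name
        zf.writestr("classes.jar", b"not a native library")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for finding in audit_archive(build_sample_aar()):
        print(finding)
```

A library that yields no finding is not proven clean: banners can be stripped or the code statically linked under another name, so an empty result still needs confirmation from the build manifest.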