Request to Update libvpx Version in iOS Chime SDK Due to CVE-2023-44488 #698

Open
nik910 opened this issue Nov 24, 2024 · 3 comments

@nik910

nik910 commented Nov 24, 2024

Describe the bug
Our security team has identified a critical vulnerability in the version of libvpx used in the iOS Chime SDK:

Vulnerability: CVE-2023-44488
Issue: VP9 in libvpx before version 1.13.1 mishandles widths, leading to a crash related to encoding.
Current Version Used (in SDK): 1.12.0
Recommended Version: 1.13.1 or higher
This vulnerability increases the risk of crashes in applications using the affected SDK version.

Could you confirm the version of libvpx currently integrated into the iOS Chime SDK? If version 1.12.0 is still in use, we request an update to version 1.13.1 or higher to address this security issue.

We would appreciate a timeline for when this update might be available or any additional guidance your team can provide.

@hensmi-amazon
Contributor

The mobile SDK does not currently encode VP9, so it is not possible to run into this issue. However, we can keep this issue open until we upgrade the underlying libvpx version.

@nik910
Author

nik910 commented Dec 17, 2024

@hensmi-amazon do we have any timeline for the upgrade?

@hensmi-amazon
Contributor

hensmi-amazon commented Dec 30, 2024

This should be available in the next release, which may be January or February.
