Hi @SundoggyNew, @archurcode, I'd like to report a vulnerability issue in com.tencent.iot.thirdparty.android:ai-face-sdk_6.3.2.156.

Issue Description
com.tencent.iot.thirdparty.android:ai-face-sdk_6.3.2.156 directly or transitively depends on 54 C libraries (.so) across many platforms (such as arm64-v8a, armeabi-v7a). However, I noticed that some C libraries are vulnerable, containing the following CVEs:

libYTUtils.so
from C project libjpeg-turbo (version: 1.5.0) exposed 1 vulnerability: CVE-2018-14498

libimisensor.so
from C project libpng (version: 1.5.12) exposed 9 vulnerabilities: CVE-2014-9495, CVE-2013-7354, CVE-2013-7353, CVE-2017-12652, CVE-2015-8472, CVE-2016-10087, CVE-2016-3751, CVE-2015-0973, CVE-2015-8540

Suggested Vulnerability Patch Versions
libjpeg-turbo has fixed the vulnerabilities in versions >=2.1.0
libpng has fixed the vulnerabilities in versions >=1.6.37

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~
Best regards,
Helen Parr
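
Because the Java dependency graph does not record which C projects are compiled into bundled `.so` files, a downstream consumer can check the archive directly. The script below is an added example, not part of the original issue or of the SDK: it scans the `.so` members of an AAR/APK for version banners and compares them with the fixed versions named in the issue. The banner patterns are assumptions about what these libraries leave in a compiled binary, and the sample archive is constructed.

```python
import io
import re
import zipfile

# Minimum fixed versions, taken from the issue text.
FIXED = {"libpng": (1, 6, 37), "libjpeg-turbo": (2, 1, 0)}

# Assumed banner formats: version strings these libraries are expected to
# leave in a compiled binary. Stripped or customised builds may lack them,
# so an empty result does not prove the library is absent.
BANNERS = {
    "libpng": re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)"),
    "libjpeg-turbo": re.compile(rb"libjpeg-turbo version (\d+)\.(\d+)\.(\d+)"),
}


def scan_archive(archive_bytes):
    """Return sorted (entry, project, version, outdated) tuples for each
    banner found in a .so member of an AAR/APK (both are zip files)."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".so"):
                continue
            blob = zf.read(name)
            for project, pattern in BANNERS.items():
                for m in pattern.finditer(blob):
                    version = tuple(int(g) for g in m.groups())
                    findings.add((name, project, version, version < FIXED[project]))
    return sorted(findings)


def build_sample_aar():
    """Constructed sample: fake .so payloads carrying only banner strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jni/arm64-v8a/libimisensor.so",
                    b"\x7fELF\x00 libpng version 1.5.12 - July 11, 2012\x00")
        zf.writestr("jni/arm64-v8a/libYTUtils.so",
                    b"\x7fELF\x00libjpeg-turbo version 1.5.0 (build 0)\x00")
        zf.writestr("jni/arm64-v8a/libpatched.so",
                    b"\x7fELF\x00 libpng version 1.6.37 - April 14, 2019\x00")
        zf.writestr("classes.jar", b"libpng version 1.0.0")  # not a .so, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for entry, project, version, outdated in scan_archive(build_sample_aar()):
        status = "BELOW FIXED VERSION" if outdated else "ok"
        print(f"{entry}: {project} {'.'.join(map(str, version))} {status}")
```

To scan a real artifact, pass the bytes of the `.aar` or `.apk` file to `scan_archive`.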